From 1ac70afcc1f7d6d2738a34308810719b0976d29f Mon Sep 17 00:00:00 2001
From: Rene Mayrhofer
Date: Tue, 25 May 2010 19:01:36 +0000
Subject: [svn-upgrade] Integrating new upstream version, strongswan (4.4.0)
---
 src/libcharon/encoding/payloads/cert_payload.c | 340 +++++++++++++++++++++++++
 1 file changed, 340 insertions(+)
 create mode 100644 src/libcharon/encoding/payloads/cert_payload.c
(limited to 'src/libcharon/encoding/payloads/cert_payload.c')
diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c
new file mode 100644
index 000000000..6dd3141f0
--- /dev/null
+++ b/src/libcharon/encoding/payloads/cert_payload.c
@@ -0,0 +1,340 @@
+/*
+ * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2005-2007 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include
+#include
+
+#include
+
+#include "cert_payload.h"
+
+ENUM(cert_encoding_names, ENC_PKCS7_WRAPPED_X509, ENC_OCSP_CONTENT,
+ "ENC_PKCS7_WRAPPED_X509",
+ "ENC_PGP",
+ "ENC_DNS_SIGNED_KEY",
+ "ENC_X509_SIGNATURE",
+ "ENC_X509_KEY_EXCHANGE",
+ "ENC_KERBEROS_TOKENS",
+ "ENC_CRL",
+ "ENC_ARL",
+ "ENC_SPKI",
+ "ENC_X509_ATTRIBUTE",
+ "ENC_RAW_RSA_KEY",
+ "ENC_X509_HASH_AND_URL",
+ "ENC_X509_HASH_AND_URL_BUNDLE",
+ "ENC_OCSP_CONTENT",
+);
+
+typedef struct private_cert_payload_t private_cert_payload_t;
+
+/**
+ * Private data of an cert_payload_t object.
+ *
+ */
+struct private_cert_payload_t {
+ /**
+ * Public cert_payload_t interface.
+ */
+ cert_payload_t public;
+
+ /**
+ * Next payload type.
+ */
+ u_int8_t next_payload;
+
+ /**
+ * Critical flag.
+ */
+ bool critical;
+
+ /**
+ * Length of this payload.
+ */
+ u_int16_t payload_length;
+
+ /**
+ * Encoding of the CERT Data.
+ */
+ u_int8_t encoding;
+
+ /**
+ * The contained cert data value.
+ */
+ chunk_t data;
+
+ /**
+ * TRUE if the "Hash and URL" data is invalid
+ */
+ bool invalid_hash_and_url;
+};
+
+/**
+ * Encoding rules to parse or generate a CERT payload
+ *
+ * The defined offsets are the positions in a object of type
+ * private_cert_payload_t.
+ *
+ */
+encoding_rule_t cert_payload_encodings[] = {
+ /* 1 Byte next payload type, stored in the field next_payload */
+ { U_INT_8, offsetof(private_cert_payload_t, next_payload) },
+ /* the critical bit */
+ { FLAG, offsetof(private_cert_payload_t, critical) },
+ /* 7 Bit reserved bits, nowhere stored */
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ { RESERVED_BIT, 0 },
+ /* Length of the whole payload*/
+ { PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)},
+ /* 1 Byte CERT type*/
+ { U_INT_8, offsetof(private_cert_payload_t, encoding) },
+ /* some cert data bytes, length is defined in PAYLOAD_LENGTH */
+ { CERT_DATA, offsetof(private_cert_payload_t, data) }
+};
+
+/*
+ 1 2 3
+ 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Next Payload !C! RESERVED ! Payload Length !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ ! Cert Encoding ! !
+ +-+-+-+-+-+-+-+-+ !
+ ~ Certificate Data ~
+ ! !
+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+*/
+
+/**
+ * Implementation of payload_t.verify.
+ */
+static status_t verify(private_cert_payload_t *this)
+{
+ if (this->encoding == ENC_X509_HASH_AND_URL ||
+ this->encoding == ENC_X509_HASH_AND_URL_BUNDLE)
+ {
+ /* coarse verification of "Hash and URL" encoded certificates */
+ if (this->data.len <= 20)
+ {
+ DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore",
+ this->data.len);
+ this->invalid_hash_and_url = TRUE;
+ return SUCCESS;
+ }
+
+ int i = 20; /* skipping the hash */
+ for (; i < this->data.len; ++i)
+ {
+ if (this->data.ptr[i] == '\0')
+ {
+ /* null terminated, fine */
+ return SUCCESS;
+ }
+ else if (!isprint(this->data.ptr[i]))
+ {
+ DBG1(DBG_ENC, "non printable characters in url of hash-and-url"
+ " encoded certificate payload, ignore");
+ this->invalid_hash_and_url = TRUE;
+ return SUCCESS;
+ }
+ }
+
+ /* URL is not null terminated, correct that */
+ chunk_t data = chunk_alloc(this->data.len + 1);
+ memcpy(data.ptr, this->data.ptr, this->data.len);
+ data.ptr[this->data.len] = '\0';
+ chunk_free(&this->data);
+ this->data = data;
+ }
+ return SUCCESS;
+}
+
+/**
+ * Implementation of cert_payload_t.get_encoding_rules.
+ */
+static void get_encoding_rules(private_cert_payload_t *this,
+ encoding_rule_t **rules, size_t *rule_count)
+{
+ *rules = cert_payload_encodings;
+ *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t);
+}
+
+/**
+ * Implementation of payload_t.get_type.
+ */
+static payload_type_t get_payload_type(private_cert_payload_t *this)
+{
+ return CERTIFICATE;
+}
+
+/**
+ * Implementation of payload_t.get_next_type.
+ */
+static payload_type_t get_next_type(private_cert_payload_t *this)
+{
+ return this->next_payload;
+}
+
+/**
+ * Implementation of payload_t.set_next_type.
+ */
+static void set_next_type(private_cert_payload_t *this,payload_type_t type)
+{
+ this->next_payload = type;
+}
+
+/**
+ * Implementation of payload_t.get_length.
+ */
+static size_t get_length(private_cert_payload_t *this)
+{
+ return this->payload_length;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert_encoding.
+ */
+static cert_encoding_t get_cert_encoding(private_cert_payload_t *this)
+{
+ return this->encoding;
+}
+
+/**
+ * Implementation of cert_payload_t.get_cert.
+ */
+static certificate_t *get_cert(private_cert_payload_t *this)
+{
+ if (this->encoding != ENC_X509_SIGNATURE)
+ {
+ return NULL;
+ }
+ return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
+ BUILD_BLOB_ASN1_DER, this->data,
+ BUILD_END);
+}
+
+/**
+ * Implementation of cert_payload_t.get_hash.
+ */
+static chunk_t get_hash(private_cert_payload_t *this)
+{
+ chunk_t hash = chunk_empty;
+ if ((this->encoding != ENC_X509_HASH_AND_URL &&
+ this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
+ this->invalid_hash_and_url)
+ {
+ return hash;
+ }
+ hash.ptr = this->data.ptr;
+ hash.len = 20;
+ return hash;
+}
+
+/**
+ * Implementation of cert_payload_t.get_url.
+ */
+static char *get_url(private_cert_payload_t *this)
+{
+ if ((this->encoding != ENC_X509_HASH_AND_URL &&
+ this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) ||
+ this->invalid_hash_and_url)
+ {
+ return NULL;
+ }
+ return (char*)this->data.ptr + 20;
+}
+
+/**
+ * Implementation of payload_t.destroy and cert_payload_t.destroy.
+ */
+static void destroy(private_cert_payload_t *this)
+{
+ chunk_free(&this->data);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create()
+{
+ private_cert_payload_t *this = malloc_thing(private_cert_payload_t);
+
+ this->public.payload_interface.verify = (status_t (*) (payload_t*))verify;
+ this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules;
+ this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length;
+ this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type;
+ this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type;
+ this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type;
+ this->public.payload_interface.destroy = (void (*) (payload_t*))destroy;
+
+ this->public.destroy = (void (*) (cert_payload_t*))destroy;
+ this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert;
+ this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding;
+ this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash;
+ this->public.get_url = (char* (*) (cert_payload_t*))get_url;
+
+ this->critical = FALSE;
+ this->next_payload = NO_PAYLOAD;
+ this->payload_length = CERT_PAYLOAD_HEADER_LENGTH;
+ this->data = chunk_empty;
+ this->encoding = 0;
+ this->invalid_hash_and_url = FALSE;
+
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create_from_cert(certificate_t *cert)
+{
+ private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+
+ switch (cert->get_type(cert))
+ {
+ case CERT_X509:
+ this->encoding = ENC_X509_SIGNATURE;
+ break;
+ default:
+ DBG1(DBG_ENC, "embedding %N certificate in payload failed",
+ certificate_type_names, cert->get_type(cert));
+ free(this);
+ return NULL;
+ }
+ this->data = cert->get_encoding(cert);
+ this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+ return &this->public;
+}
+
+/*
+ * Described in header
+ */
+cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url)
+{
+ private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create();
+
+ this->encoding = ENC_X509_HASH_AND_URL;
+ this->data = chunk_cat("cc", hash, chunk_create(url, strlen(url)));
+ this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;
+ return &this->public;
+}
+
-- cgit v1.2.3
From b8064f4099997a9e2179f3ad4ace605f5ccac3a1 Mon Sep 17 00:00:00 2001
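Review bot: `get_url()` returns `(char*)this->data.ptr + 20` and relies on a NUL terminator, but only `verify()` (run on parsed payloads) guarantees one; a payload built by `cert_payload_create_from_hash_and_url()` stores exactly `hash` plus `strlen(url)` bytes via `chunk_cat("cc", ...)`, so `get_url()` on such a payload would hand out an unterminated string and a caller doing `strlen`/`%s` on it reads past the allocation — unless callers never read the URL back from locally built payloads, which this hunk does not show. The SHA-1 length 20 is hard-coded in `verify`, `get_hash` and `get_url`, and `cert_payload_create_from_hash_and_url` never checks `hash.len == 20`, so a caller passing a different hash length silently misaligns the URL offset; a single named constant (`HASH_SIZE_SHA1` from hasher.h if it is in scope, else a local `#define`) plus `if (hash.len != 20) { ... return NULL; }` in the constructor would keep the four sites in step. Minor: `verify()` passes `this->data.len` to `%d`; if `chunk_t.len` is `size_t` as elsewhere in libstrongswan, that should be `%zu` (or a cast), and `int i` compared against `this->data.len` in the loop bound mixes signed and unsigned.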
From: Rene Mayrhofer Date: Mon, 9 Aug 2010 08:09:54 +0000 Subject: [svn-upgrade] new version strongswan (4.4.1) --- Android.mk | 17 +- Android.mk.in | 15 +- Makefile.am | 5 +- Makefile.in | 50 +- NEWS | 49 + aclocal.m4 | 10 +- config.guess | 58 +- config.sub | 15 +- configure | 565 +++++-- configure.in | 65 +- ltmain.sh | 8 +- m4/config/libtool.m4 | 13 +- m4/config/ltversion.m4 | 10 +- scripts/Makefile.in | 2 +- scripts/key2keyid.c | 16 +- scripts/keyid2sql.c | 4 +- src/Makefile.in | 6 +- src/_copyright/Makefile.in | 2 +- src/_updown/Makefile.in | 2 +- src/_updown/_updown.in | 13 + src/_updown_espmark/Makefile.in | 2 +- src/_updown_espmark/_updown_espmark | 13 + src/charon/Makefile.in | 2 +- src/charon/charon.c | 61 +- src/checksum/Makefile.am | 1 + src/checksum/Makefile.in | 7 +- src/checksum/checksum_builder.c | 3 + src/dumm/Makefile.in | 2 +- src/include/Makefile.in | 2 +- src/include/linux/xfrm.h | 39 +- src/ipsec/Makefile.am | 11 +- src/ipsec/Makefile.in | 13 +- src/ipsec/ipsec.8 | 373 ++--- src/ipsec/ipsec.8.in | 302 ++++ src/libcharon/Android.mk | 17 +- src/libcharon/Makefile.am | 34 +- src/libcharon/Makefile.in | 251 ++- src/libcharon/bus/bus.c | 212 ++- src/libcharon/bus/bus.h | 42 +- src/libcharon/bus/listeners/file_logger.c | 32 +- src/libcharon/bus/listeners/file_logger.h | 7 +- src/libcharon/bus/listeners/listener.h | 19 +- src/libcharon/bus/listeners/sys_logger.c | 1 + src/libcharon/bus/listeners/sys_logger.h | 2 - src/libcharon/config/auth_cfg.c | 768 --------- src/libcharon/config/auth_cfg.h | 201 --- src/libcharon/config/child_cfg.c | 58 +- src/libcharon/config/child_cfg.h | 34 +- src/libcharon/config/peer_cfg.h | 2 +- src/libcharon/credentials/credential_manager.c | 1681 -------------------- src/libcharon/credentials/credential_manager.h | 203 --- src/libcharon/credentials/credential_set.h | 108 -- src/libcharon/credentials/sets/auth_cfg_wrapper.c | 223 --- src/libcharon/credentials/sets/auth_cfg_wrapper.h | 53 - 
src/libcharon/credentials/sets/cert_cache.c | 390 ----- src/libcharon/credentials/sets/cert_cache.h | 71 - .../credentials/sets/ocsp_response_wrapper.c | 147 -- .../credentials/sets/ocsp_response_wrapper.h | 53 - src/libcharon/daemon.c | 60 +- src/libcharon/daemon.h | 12 - src/libcharon/encoding/message.c | 34 + src/libcharon/encoding/payloads/cert_payload.c | 7 +- src/libcharon/kernel/kernel_interface.c | 36 +- src/libcharon/kernel/kernel_interface.h | 26 +- src/libcharon/kernel/kernel_ipsec.h | 26 +- src/libcharon/network/receiver.c | 51 +- src/libcharon/network/sender.c | 41 +- src/libcharon/plugins/addrblock/Makefile.am | 18 + src/libcharon/plugins/addrblock/Makefile.in | 592 +++++++ src/libcharon/plugins/addrblock/addrblock_narrow.c | 154 ++ src/libcharon/plugins/addrblock/addrblock_narrow.h | 49 + src/libcharon/plugins/addrblock/addrblock_plugin.c | 72 + src/libcharon/plugins/addrblock/addrblock_plugin.h | 42 + .../plugins/addrblock/addrblock_validator.c | 124 ++ .../plugins/addrblock/addrblock_validator.h | 49 + src/libcharon/plugins/android/Makefile.am | 5 +- src/libcharon/plugins/android/Makefile.in | 13 +- src/libcharon/plugins/android/android_creds.c | 294 ++++ src/libcharon/plugins/android/android_creds.h | 73 + src/libcharon/plugins/android/android_handler.c | 4 +- src/libcharon/plugins/android/android_logger.c | 96 ++ src/libcharon/plugins/android/android_logger.h | 52 + src/libcharon/plugins/android/android_plugin.c | 41 +- src/libcharon/plugins/android/android_service.c | 385 +++++ src/libcharon/plugins/android/android_service.h | 54 + src/libcharon/plugins/dhcp/Makefile.in | 2 +- src/libcharon/plugins/dhcp/dhcp_provider.c | 3 +- src/libcharon/plugins/eap_aka/Makefile.in | 2 +- src/libcharon/plugins/eap_aka/eap_aka_peer.c | 1 - src/libcharon/plugins/eap_aka_3gpp2/Makefile.in | 2 +- .../plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c | 3 +- src/libcharon/plugins/eap_gtc/Makefile.in | 2 +- src/libcharon/plugins/eap_gtc/eap_gtc.c | 4 +- 
src/libcharon/plugins/eap_identity/Makefile.in | 2 +- src/libcharon/plugins/eap_md5/Makefile.in | 2 +- src/libcharon/plugins/eap_md5/eap_md5.c | 3 +- src/libcharon/plugins/eap_mschapv2/Makefile.in | 2 +- src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c | 8 +- src/libcharon/plugins/eap_radius/Makefile.am | 2 + src/libcharon/plugins/eap_radius/Makefile.in | 9 +- src/libcharon/plugins/eap_radius/eap_radius.c | 131 +- .../plugins/eap_radius/eap_radius_plugin.c | 150 +- .../plugins/eap_radius/eap_radius_plugin.h | 8 + src/libcharon/plugins/eap_radius/radius_client.c | 464 +----- src/libcharon/plugins/eap_radius/radius_client.h | 34 +- src/libcharon/plugins/eap_radius/radius_message.c | 123 +- src/libcharon/plugins/eap_radius/radius_server.c | 212 +++ src/libcharon/plugins/eap_radius/radius_server.h | 88 + src/libcharon/plugins/eap_radius/radius_socket.c | 309 ++++ src/libcharon/plugins/eap_radius/radius_socket.h | 74 + src/libcharon/plugins/eap_sim/Makefile.in | 2 +- src/libcharon/plugins/eap_sim/eap_sim_peer.c | 1 - src/libcharon/plugins/eap_sim_file/Makefile.in | 2 +- .../plugins/eap_simaka_pseudonym/Makefile.in | 2 +- .../plugins/eap_simaka_reauth/Makefile.in | 2 +- src/libcharon/plugins/eap_simaka_sql/Makefile.am | 18 + src/libcharon/plugins/eap_simaka_sql/Makefile.in | 592 +++++++ .../plugins/eap_simaka_sql/eap_simaka_sql_card.c | 177 +++ .../plugins/eap_simaka_sql/eap_simaka_sql_card.h | 54 + .../plugins/eap_simaka_sql/eap_simaka_sql_plugin.c | 100 ++ .../plugins/eap_simaka_sql/eap_simaka_sql_plugin.h | 42 + .../eap_simaka_sql/eap_simaka_sql_provider.c | 180 +++ .../eap_simaka_sql/eap_simaka_sql_provider.h | 54 + src/libcharon/plugins/farp/Makefile.in | 2 +- src/libcharon/plugins/farp/farp_spoofer.c | 4 +- src/libcharon/plugins/ha/Makefile.am | 4 +- src/libcharon/plugins/ha/Makefile.in | 11 +- src/libcharon/plugins/ha/ha_attribute.c | 364 +++++ src/libcharon/plugins/ha/ha_attribute.h | 60 + src/libcharon/plugins/ha/ha_cache.c | 362 +++++ 
src/libcharon/plugins/ha/ha_cache.h | 78 + src/libcharon/plugins/ha/ha_child.c | 84 +- src/libcharon/plugins/ha/ha_child.h | 12 +- src/libcharon/plugins/ha/ha_ctl.c | 26 +- src/libcharon/plugins/ha/ha_ctl.h | 6 +- src/libcharon/plugins/ha/ha_dispatcher.c | 209 ++- src/libcharon/plugins/ha/ha_dispatcher.h | 11 +- src/libcharon/plugins/ha/ha_ike.c | 101 +- src/libcharon/plugins/ha/ha_ike.h | 11 +- src/libcharon/plugins/ha/ha_kernel.c | 96 +- src/libcharon/plugins/ha/ha_kernel.h | 28 +- src/libcharon/plugins/ha/ha_message.c | 102 +- src/libcharon/plugins/ha/ha_message.h | 26 +- src/libcharon/plugins/ha/ha_plugin.c | 45 +- src/libcharon/plugins/ha/ha_plugin.h | 2 +- src/libcharon/plugins/ha/ha_segments.c | 220 +-- src/libcharon/plugins/ha/ha_segments.h | 23 +- src/libcharon/plugins/ha/ha_socket.c | 58 +- src/libcharon/plugins/ha/ha_socket.h | 4 +- src/libcharon/plugins/ha/ha_tunnel.c | 78 +- src/libcharon/plugins/ha/ha_tunnel.h | 2 +- src/libcharon/plugins/kernel_klips/Makefile.in | 2 +- .../plugins/kernel_klips/kernel_klips_ipsec.c | 27 +- src/libcharon/plugins/kernel_netlink/Makefile.in | 2 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 323 +++- src/libcharon/plugins/kernel_pfkey/Makefile.in | 2 +- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 125 +- src/libcharon/plugins/kernel_pfroute/Makefile.in | 2 +- src/libcharon/plugins/load_tester/Makefile.in | 2 +- .../plugins/load_tester/load_tester_config.c | 5 +- .../plugins/load_tester/load_tester_ipsec.c | 154 +- .../plugins/load_tester/load_tester_plugin.c | 4 +- src/libcharon/plugins/medcli/Makefile.in | 2 +- src/libcharon/plugins/medcli/medcli_config.c | 8 +- src/libcharon/plugins/medcli/medcli_plugin.c | 4 +- src/libcharon/plugins/medsrv/Makefile.in | 2 +- src/libcharon/plugins/medsrv/medsrv_plugin.c | 4 +- src/libcharon/plugins/nm/Makefile.in | 2 +- src/libcharon/plugins/nm/nm_plugin.c | 4 +- src/libcharon/plugins/nm/nm_service.c | 3 +- src/libcharon/plugins/resolve/Makefile.am | 18 - 
src/libcharon/plugins/resolve/Makefile.in | 591 ------- src/libcharon/plugins/resolve/resolve_handler.c | 251 --- src/libcharon/plugins/resolve/resolve_handler.h | 49 - src/libcharon/plugins/resolve/resolve_plugin.c | 62 - src/libcharon/plugins/resolve/resolve_plugin.h | 42 - src/libcharon/plugins/smp/Makefile.in | 2 +- src/libcharon/plugins/socket_default/Makefile.in | 2 +- src/libcharon/plugins/socket_dynamic/Makefile.in | 2 +- src/libcharon/plugins/socket_raw/Makefile.in | 2 +- .../plugins/socket_raw/socket_raw_socket.c | 14 +- src/libcharon/plugins/sql/Makefile.in | 2 +- src/libcharon/plugins/sql/sql_config.c | 2 +- src/libcharon/plugins/sql/sql_plugin.c | 4 +- src/libcharon/plugins/stroke/Makefile.in | 2 +- src/libcharon/plugins/stroke/stroke_ca.c | 23 +- src/libcharon/plugins/stroke/stroke_config.c | 22 +- src/libcharon/plugins/stroke/stroke_control.c | 5 + src/libcharon/plugins/stroke/stroke_cred.c | 10 +- src/libcharon/plugins/stroke/stroke_list.c | 59 +- src/libcharon/plugins/stroke/stroke_socket.c | 11 +- src/libcharon/plugins/uci/Makefile.in | 2 +- src/libcharon/plugins/uci/uci_config.c | 3 +- src/libcharon/plugins/uci/uci_plugin.c | 4 +- src/libcharon/plugins/unit_tester/Makefile.am | 3 +- src/libcharon/plugins/unit_tester/Makefile.in | 15 +- src/libcharon/plugins/unit_tester/tests.h | 1 + .../plugins/unit_tester/tests/test_auth_info.c | 2 +- .../plugins/unit_tester/tests/test_hashtable.c | 111 ++ .../plugins/unit_tester/tests/test_med_db.c | 6 +- src/libcharon/plugins/updown/Makefile.in | 2 +- src/libcharon/plugins/updown/updown_listener.c | 71 +- src/libcharon/sa/authenticators/authenticator.c | 7 - src/libcharon/sa/authenticators/authenticator.h | 24 +- src/libcharon/sa/authenticators/eap/eap_method.c | 38 - src/libcharon/sa/authenticators/eap/eap_method.h | 30 - .../sa/authenticators/eap_authenticator.c | 30 +- .../sa/authenticators/psk_authenticator.c | 7 +- .../sa/authenticators/pubkey_authenticator.c | 7 +- src/libcharon/sa/child_sa.c | 138 +- 
src/libcharon/sa/child_sa.h | 28 + src/libcharon/sa/ike_sa.c | 726 ++++----- src/libcharon/sa/ike_sa.h | 12 +- src/libcharon/sa/ike_sa_manager.c | 34 +- src/libcharon/sa/task_manager.c | 139 +- src/libcharon/sa/task_manager.h | 21 + src/libcharon/sa/tasks/child_create.c | 111 +- src/libcharon/sa/tasks/child_delete.c | 4 +- src/libcharon/sa/tasks/child_rekey.c | 95 +- src/libcharon/sa/tasks/ike_auth.c | 12 +- src/libcharon/sa/tasks/ike_cert_post.c | 10 +- src/libcharon/sa/tasks/ike_cert_pre.c | 14 +- src/libcharon/sa/tasks/ike_config.c | 4 +- src/libcharon/sa/tasks/ike_init.c | 1 + src/libcharon/sa/trap_manager.c | 2 +- src/libfast/Makefile.in | 2 +- src/libfast/request.c | 9 + src/libfast/request.h | 9 + src/libfreeswan/Makefile.in | 2 +- src/libhydra/Makefile.am | 7 + src/libhydra/Makefile.in | 21 +- src/libhydra/attributes/attribute_manager.c | 11 +- src/libhydra/attributes/attribute_manager.h | 3 +- src/libhydra/attributes/attribute_provider.h | 3 +- src/libhydra/attributes/attributes.c | 73 +- src/libhydra/attributes/attributes.h | 66 +- src/libhydra/attributes/mem_pool.c | 13 +- src/libhydra/plugins/attr/Makefile.in | 2 +- src/libhydra/plugins/attr/attr_provider.c | 36 +- src/libhydra/plugins/attr_sql/Makefile.am | 6 +- src/libhydra/plugins/attr_sql/Makefile.in | 18 +- src/libhydra/plugins/attr_sql/pool.c | 325 ++-- src/libhydra/plugins/attr_sql/pool_attributes.c | 715 +++++++++ src/libhydra/plugins/attr_sql/pool_attributes.h | 65 + src/libhydra/plugins/attr_sql/pool_usage.c | 127 ++ src/libhydra/plugins/attr_sql/pool_usage.h | 26 + src/libhydra/plugins/attr_sql/sql_attribute.c | 117 +- src/libhydra/plugins/resolve/Makefile.am | 18 + src/libhydra/plugins/resolve/Makefile.in | 591 +++++++ src/libhydra/plugins/resolve/resolve_handler.c | 252 +++ src/libhydra/plugins/resolve/resolve_handler.h | 49 + src/libhydra/plugins/resolve/resolve_plugin.c | 62 + src/libhydra/plugins/resolve/resolve_plugin.h | 42 + src/libsimaka/Makefile.in | 2 +- 
src/libstrongswan/Android.mk | 12 +- src/libstrongswan/Makefile.am | 15 +- src/libstrongswan/Makefile.in | 167 +- src/libstrongswan/asn1/asn1.c | 8 +- src/libstrongswan/chunk.c | 63 + src/libstrongswan/chunk.h | 12 + src/libstrongswan/credentials/auth_cfg.c | 830 ++++++++++ src/libstrongswan/credentials/auth_cfg.h | 255 +++ src/libstrongswan/credentials/builder.c | 1 + src/libstrongswan/credentials/builder.h | 2 + src/libstrongswan/credentials/cert_validator.h | 51 + .../credentials/certificates/certificate.c | 22 + .../credentials/certificates/certificate.h | 26 +- src/libstrongswan/credentials/certificates/crl.c | 28 + src/libstrongswan/credentials/certificates/crl.h | 10 +- src/libstrongswan/credentials/certificates/x509.h | 1 - src/libstrongswan/credentials/cred_encoding.c | 300 ++++ src/libstrongswan/credentials/cred_encoding.h | 224 +++ src/libstrongswan/credentials/credential_manager.c | 1097 +++++++++++++ src/libstrongswan/credentials/credential_manager.h | 270 ++++ src/libstrongswan/credentials/credential_set.h | 108 ++ .../credentials/ietf_attributes/ietf_attributes.c | 13 +- src/libstrongswan/credentials/keys/key_encoding.c | 299 ---- src/libstrongswan/credentials/keys/key_encoding.h | 203 --- src/libstrongswan/credentials/keys/private_key.c | 12 +- src/libstrongswan/credentials/keys/private_key.h | 9 +- src/libstrongswan/credentials/keys/public_key.c | 8 +- src/libstrongswan/credentials/keys/public_key.h | 11 +- .../credentials/sets/auth_cfg_wrapper.c | 223 +++ .../credentials/sets/auth_cfg_wrapper.h | 53 + src/libstrongswan/credentials/sets/cert_cache.c | 389 +++++ src/libstrongswan/credentials/sets/cert_cache.h | 71 + .../credentials/sets/ocsp_response_wrapper.c | 146 ++ .../credentials/sets/ocsp_response_wrapper.h | 53 + src/libstrongswan/library.c | 22 +- src/libstrongswan/library.h | 15 +- src/libstrongswan/plugins/aes/Makefile.in | 2 +- src/libstrongswan/plugins/agent/Makefile.in | 2 +- .../plugins/agent/agent_private_key.c | 10 +- 
src/libstrongswan/plugins/blowfish/Makefile.in | 2 +- src/libstrongswan/plugins/curl/Makefile.in | 2 +- src/libstrongswan/plugins/des/Makefile.in | 2 +- src/libstrongswan/plugins/dnskey/Makefile.in | 2 +- src/libstrongswan/plugins/fips_prf/Makefile.in | 2 +- src/libstrongswan/plugins/gcrypt/Makefile.am | 2 +- src/libstrongswan/plugins/gcrypt/Makefile.in | 4 +- .../plugins/gcrypt/gcrypt_rsa_private_key.c | 22 +- .../plugins/gcrypt/gcrypt_rsa_public_key.c | 16 +- src/libstrongswan/plugins/gmp/Makefile.in | 2 +- .../plugins/gmp/gmp_rsa_private_key.c | 20 +- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 12 +- src/libstrongswan/plugins/hmac/Makefile.in | 2 +- src/libstrongswan/plugins/ldap/Makefile.in | 2 +- src/libstrongswan/plugins/md4/Makefile.in | 2 +- src/libstrongswan/plugins/md5/Makefile.in | 2 +- src/libstrongswan/plugins/mysql/Makefile.in | 2 +- src/libstrongswan/plugins/openssl/Makefile.am | 4 +- src/libstrongswan/plugins/openssl/Makefile.in | 10 +- src/libstrongswan/plugins/openssl/openssl_crl.c | 530 ++++++ src/libstrongswan/plugins/openssl/openssl_crl.h | 48 + .../plugins/openssl/openssl_ec_diffie_hellman.c | 6 + .../plugins/openssl/openssl_ec_private_key.c | 27 +- .../plugins/openssl/openssl_ec_public_key.c | 31 +- src/libstrongswan/plugins/openssl/openssl_plugin.c | 36 +- .../plugins/openssl/openssl_rsa_private_key.c | 28 +- .../plugins/openssl/openssl_rsa_public_key.c | 44 +- .../plugins/openssl/openssl_sha1_prf.h | 2 +- src/libstrongswan/plugins/openssl/openssl_util.c | 83 +- src/libstrongswan/plugins/openssl/openssl_util.h | 56 +- src/libstrongswan/plugins/openssl/openssl_x509.c | 871 ++++++++++ src/libstrongswan/plugins/openssl/openssl_x509.h | 50 + src/libstrongswan/plugins/padlock/Makefile.in | 2 +- src/libstrongswan/plugins/pem/Makefile.in | 2 +- src/libstrongswan/plugins/pem/pem_builder.c | 2 +- src/libstrongswan/plugins/pem/pem_encoder.c | 73 +- src/libstrongswan/plugins/pem/pem_encoder.h | 4 +- src/libstrongswan/plugins/pgp/Makefile.in | 
2 +- src/libstrongswan/plugins/pgp/pgp_cert.c | 38 +- src/libstrongswan/plugins/pgp/pgp_encoder.c | 10 +- src/libstrongswan/plugins/pgp/pgp_encoder.h | 4 +- src/libstrongswan/plugins/pkcs1/Makefile.in | 2 +- src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c | 30 +- src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h | 4 +- src/libstrongswan/plugins/plugin_loader.c | 3 +- src/libstrongswan/plugins/pubkey/Makefile.in | 2 +- src/libstrongswan/plugins/pubkey/pubkey_cert.c | 28 +- src/libstrongswan/plugins/random/Makefile.in | 2 +- src/libstrongswan/plugins/revocation/Makefile.am | 16 + src/libstrongswan/plugins/revocation/Makefile.in | 588 +++++++ .../plugins/revocation/revocation_plugin.c | 61 + .../plugins/revocation/revocation_plugin.h | 42 + .../plugins/revocation/revocation_validator.c | 587 +++++++ .../plugins/revocation/revocation_validator.h | 49 + src/libstrongswan/plugins/sha1/Makefile.in | 2 +- src/libstrongswan/plugins/sha2/Makefile.in | 2 +- src/libstrongswan/plugins/sqlite/Makefile.in | 2 +- src/libstrongswan/plugins/test_vectors/Makefile.in | 2 +- src/libstrongswan/plugins/x509/Makefile.in | 2 +- src/libstrongswan/plugins/x509/x509_ac.c | 42 +- src/libstrongswan/plugins/x509/x509_cert.c | 56 +- src/libstrongswan/plugins/x509/x509_crl.c | 366 +++-- src/libstrongswan/plugins/x509/x509_crl.h | 9 + src/libstrongswan/plugins/x509/x509_ocsp_request.c | 28 +- .../plugins/x509/x509_ocsp_response.c | 42 +- src/libstrongswan/plugins/x509/x509_pkcs10.c | 33 +- src/libstrongswan/plugins/x509/x509_plugin.c | 4 + src/libstrongswan/plugins/xcbc/Makefile.in | 2 +- src/libstrongswan/threading/lock_profiler.h | 2 +- src/libstrongswan/utils/backtrace.c | 42 +- src/libstrongswan/utils/backtrace.h | 5 +- src/libstrongswan/utils/hashtable.c | 135 +- src/libstrongswan/utils/hashtable.h | 14 +- src/libstrongswan/utils/identification.c | 16 +- src/libstrongswan/utils/identification.h | 5 - src/libstrongswan/utils/leak_detective.c | 61 +- src/libstrongswan/utils/leak_detective.h | 9 + 
src/manager/Makefile.in | 2 +- src/medsrv/Makefile.in | 2 +- src/medsrv/controller/peer_controller.c | 4 +- src/openac/Makefile.in | 2 +- src/openac/openac.c | 10 +- src/pki/Makefile.am | 2 + src/pki/Makefile.in | 37 +- src/pki/command.c | 2 +- src/pki/commands/gen.c | 4 +- src/pki/commands/issue.c | 21 +- src/pki/commands/keyid.c | 12 +- src/pki/commands/print.c | 368 +++++ src/pki/commands/pub.c | 4 +- src/pki/commands/req.c | 13 +- src/pki/commands/self.c | 33 +- src/pki/commands/signcrl.c | 382 +++++ src/pki/pki.c | 53 +- src/pki/pki.h | 2 +- src/pluto/Makefile.am | 30 +- src/pluto/Makefile.in | 286 +++- src/pluto/ac.c | 2 +- src/pluto/certs.c | 4 +- src/pluto/connections.c | 73 +- src/pluto/connections.h | 13 +- src/pluto/constants.h | 39 - src/pluto/crl.c | 14 +- src/pluto/demux.c | 2 +- src/pluto/demux.h | 7 +- src/pluto/dnskey.c | 2 +- src/pluto/ipsec.secrets.5 | 214 +-- src/pluto/ipsec.secrets.5.in | 175 ++ src/pluto/ipsec_doi.c | 78 +- src/pluto/kernel.c | 24 +- src/pluto/keys.c | 465 +++--- src/pluto/keys.h | 17 +- src/pluto/modecfg.c | 1378 ++++++++-------- src/pluto/modecfg.h | 37 +- src/pluto/ocsp.c | 18 +- src/pluto/pkcs7.c | 5 +- src/pluto/plugins/xauth/Makefile.am | 15 + src/pluto/plugins/xauth/Makefile.in | 577 +++++++ src/pluto/plugins/xauth/xauth_default_provider.c | 66 + src/pluto/plugins/xauth/xauth_default_provider.h | 33 + src/pluto/plugins/xauth/xauth_default_verifier.c | 74 + src/pluto/plugins/xauth/xauth_default_verifier.h | 33 + src/pluto/plugins/xauth/xauth_plugin.c | 43 + src/pluto/plugins/xauth/xauth_plugin.h | 42 + src/pluto/pluto.c | 71 + src/pluto/pluto.h | 69 + src/pluto/plutomain.c | 63 +- src/pluto/rcv_whack.c | 1 + src/pluto/state.h | 5 + src/pluto/x509.c | 8 +- src/pluto/x509.h | 2 + src/pluto/xauth.c | 77 - src/pluto/xauth.h | 48 - src/pluto/xauth/xauth_manager.c | 127 ++ src/pluto/xauth/xauth_manager.h | 80 + src/pluto/xauth/xauth_provider.h | 56 + src/pluto/xauth/xauth_verifier.h | 56 + src/scepclient/Makefile.in | 2 +- 
src/scepclient/scep.c | 2 +- src/scepclient/scepclient.c | 15 +- src/starter/Makefile.am | 12 +- src/starter/Makefile.in | 14 +- src/starter/args.c | 5 + src/starter/cmp.c | 4 + src/starter/confread.c | 55 + src/starter/confread.h | 11 + src/starter/ipsec.conf.5 | 311 ++-- src/starter/ipsec.conf.5.in | 1330 ++++++++++++++++ src/starter/keywords.c | 256 +-- src/starter/keywords.h | 7 +- src/starter/keywords.txt | 5 + src/starter/starter.c | 16 + src/starter/starterstroke.c | 5 + src/starter/starterwhack.c | 7 + src/stroke/Makefile.in | 2 +- src/stroke/stroke_msg.h | 5 + src/strongswan.conf | 15 +- src/whack/Makefile.in | 2 +- src/whack/whack.c | 1 + src/whack/whack.h | 56 +- testing/INSTALL | 11 +- testing/Makefile.in | 2 +- testing/hosts/default/etc/ipsec.d/tables.sql | 18 +- .../winnetou/etc/openssl/research/carolReq.pem | 17 - .../hosts/winnetou/etc/openssl/research/index.txt | 3 +- .../winnetou/etc/openssl/research/index.txt.old | 5 +- .../winnetou/etc/openssl/research/newcerts/07.pem | 88 + testing/hosts/winnetou/etc/openssl/research/serial | 2 +- .../hosts/winnetou/etc/openssl/research/serial.old | 2 +- testing/hosts/winnetou/etc/openssl/sales/index.txt | 3 +- .../hosts/winnetou/etc/openssl/sales/index.txt.old | 3 +- .../winnetou/etc/openssl/sales/newcerts/06.pem | 88 + testing/hosts/winnetou/etc/openssl/sales/serial | 2 +- .../hosts/winnetou/etc/openssl/sales/serial.old | 2 +- testing/scripts/build-umlrootfs | 5 + testing/testing.conf | 3 +- .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../ike/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../ike/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../rw_v1-net_v2/hosts/moon/etc/strongswan.conf | 2 +- .../ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf | 2 +- testing/tests/ike2/description.txt | 6 - 
testing/tests/ike2/evaltest.dat | 8 - testing/tests/ike2/hosts/bob/etc/hosts | 70 - testing/tests/ike2/hosts/moon/etc/ipsec.conf | 25 - testing/tests/ike2/hosts/moon/etc/nat_updown | 152 -- testing/tests/ike2/hosts/moon/etc/strongswan.conf | 6 - testing/tests/ike2/hosts/sun/etc/ipsec.conf | 25 - testing/tests/ike2/hosts/sun/etc/strongswan.conf | 6 - testing/tests/ike2/posttest.dat | 5 - testing/tests/ike2/pretest.dat | 9 - testing/tests/ike2/test.conf | 21 - testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat | 2 + testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat | 2 + testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat | 2 + testing/tests/ikev1/ip-pool-db-push/evaltest.dat | 9 +- .../hosts/carol/etc/strongswan.conf | 8 +- .../ip-pool-db-push/hosts/dave/etc/strongswan.conf | 8 +- testing/tests/ikev1/ip-pool-db-push/pretest.dat | 6 +- testing/tests/ikev1/ip-pool-db/evaltest.dat | 9 +- .../ip-pool-db/hosts/carol/etc/strongswan.conf | 8 +- .../ip-pool-db/hosts/dave/etc/strongswan.conf | 8 +- testing/tests/ikev1/ip-pool-db/pretest.dat | 7 +- .../mode-config-multiple/hosts/moon/etc/ipsec.conf | 6 +- testing/tests/ikev1/mode-config-push/evaltest.dat | 2 + .../mode-config-push/hosts/carol/etc/ipsec.conf | 1 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/moon/etc/strongswan.conf | 13 + testing/tests/ikev1/mode-config/evaltest.dat | 4 +- .../mode-config/hosts/carol/etc/strongswan.conf | 11 + .../mode-config/hosts/dave/etc/strongswan.conf | 11 + .../ikev1/mode-config/hosts/moon/etc/ipsec.conf | 1 + .../mode-config/hosts/moon/etc/strongswan.conf | 2 +- .../etc/ipsec.d/cacerts/research_by_salesCert.pem | 20 +- .../etc/ipsec.d/cacerts/sales_by_researchCert.pem | 22 +- .../ikev1/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../ikev1/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../ikev1/xauth-id-psk-mode-config/description.txt | 11 + .../ikev1/xauth-id-psk-mode-config/evaltest.dat | 16 + .../hosts/carol/etc/ipsec.conf | 25 + 
.../hosts/carol/etc/ipsec.secrets | 9 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/dave/etc/ipsec.conf | 25 + .../hosts/dave/etc/ipsec.secrets | 5 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/moon/etc/ipsec.conf | 24 + .../hosts/moon/etc/ipsec.secrets | 7 + .../hosts/moon/etc/strongswan.conf | 11 + .../ikev1/xauth-id-psk-mode-config/posttest.dat | 8 + .../ikev1/xauth-id-psk-mode-config/pretest.dat | 12 + .../tests/ikev1/xauth-id-psk-mode-config/test.conf | 21 + testing/tests/ikev1/xauth-id-psk/description.txt | 9 + testing/tests/ikev1/xauth-id-psk/evaltest.dat | 14 + .../ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf | 22 + .../xauth-id-psk/hosts/carol/etc/ipsec.secrets | 5 + .../xauth-id-psk/hosts/carol/etc/strongswan.conf | 11 + .../ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf | 22 + .../xauth-id-psk/hosts/dave/etc/ipsec.secrets | 5 + .../xauth-id-psk/hosts/dave/etc/strongswan.conf | 11 + .../ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf | 22 + .../xauth-id-psk/hosts/moon/etc/ipsec.secrets | 7 + .../xauth-id-psk/hosts/moon/etc/strongswan.conf | 11 + testing/tests/ikev1/xauth-id-psk/posttest.dat | 6 + testing/tests/ikev1/xauth-id-psk/pretest.dat | 12 + testing/tests/ikev1/xauth-id-psk/test.conf | 21 + testing/tests/ikev1/xauth-id-rsa/description.txt | 10 + testing/tests/ikev1/xauth-id-rsa/evaltest.dat | 14 + .../ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf | 25 + .../xauth-id-rsa/hosts/carol/etc/ipsec.secrets | 5 + .../xauth-id-rsa/hosts/carol/etc/strongswan.conf | 11 + .../ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf | 25 + .../xauth-id-rsa/hosts/dave/etc/ipsec.secrets | 5 + .../xauth-id-rsa/hosts/dave/etc/strongswan.conf | 11 + .../ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf | 24 + .../xauth-id-rsa/hosts/moon/etc/ipsec.secrets | 7 + .../xauth-id-rsa/hosts/moon/etc/strongswan.conf | 11 + testing/tests/ikev1/xauth-id-rsa/posttest.dat | 6 + testing/tests/ikev1/xauth-id-rsa/pretest.dat | 9 + testing/tests/ikev1/xauth-id-rsa/test.conf | 21 + 
.../ikev1/xauth-psk-mode-config/description.txt | 11 - .../tests/ikev1/xauth-psk-mode-config/evaltest.dat | 18 - .../hosts/carol/etc/ipsec.conf | 24 - .../hosts/carol/etc/ipsec.secrets | 9 - .../hosts/carol/etc/strongswan.conf | 11 - .../hosts/dave/etc/ipsec.conf | 24 - .../hosts/dave/etc/ipsec.secrets | 5 - .../hosts/dave/etc/strongswan.conf | 11 - .../hosts/moon/etc/ipsec.conf | 29 - .../hosts/moon/etc/ipsec.secrets | 7 - .../hosts/moon/etc/strongswan.conf | 11 - .../tests/ikev1/xauth-psk-mode-config/posttest.dat | 8 - .../tests/ikev1/xauth-psk-mode-config/pretest.dat | 12 - .../tests/ikev1/xauth-psk-mode-config/test.conf | 21 - testing/tests/ikev1/xauth-psk/evaltest.dat | 2 + .../ikev1/xauth-psk/hosts/carol/etc/ipsec.conf | 2 + .../ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets | 2 +- .../xauth-psk/hosts/carol/etc/strongswan.conf | 2 +- .../ikev1/xauth-psk/hosts/dave/etc/ipsec.conf | 2 + .../ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets | 2 +- .../ikev1/xauth-psk/hosts/dave/etc/strongswan.conf | 2 +- .../ikev1/xauth-psk/hosts/moon/etc/ipsec.conf | 1 + .../ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets | 6 +- .../ikev1/xauth-psk/hosts/moon/etc/strongswan.conf | 2 +- .../xauth-rsa-fail/hosts/carol/etc/ipsec.secrets | 2 +- .../xauth-rsa-fail/hosts/carol/etc/strongswan.conf | 11 + .../xauth-rsa-fail/hosts/moon/etc/ipsec.secrets | 2 +- .../xauth-rsa-fail/hosts/moon/etc/strongswan.conf | 11 + .../hosts/carol/etc/ipsec.secrets | 2 +- .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/dave/etc/ipsec.secrets | 2 +- .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/moon/etc/ipsec.secrets | 4 +- .../hosts/moon/etc/strongswan.conf | 11 + .../xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 11 + .../xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf | 2 +- .../hosts/moon/etc/ipsec.secrets | 2 +- .../hosts/moon/etc/strongswan.conf | 11 + testing/tests/ikev1/xauth-rsa/description.txt | 4 +- testing/tests/ikev1/xauth-rsa/evaltest.dat | 2 + 
.../ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets | 2 +- .../xauth-rsa/hosts/carol/etc/strongswan.conf | 11 + .../ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets | 2 +- .../ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf | 11 + .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf | 2 +- .../ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets | 4 +- .../ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf | 11 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../alg-3des-md5/hosts/carol/etc/strongswan.conf | 2 +- .../alg-3des-md5/hosts/moon/etc/strongswan.conf | 2 +- .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf | 2 +- .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/carol/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/dave/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../alg-sha256-96/hosts/carol/etc/strongswan.conf | 2 +- .../alg-sha256-96/hosts/moon/etc/strongswan.conf | 2 +- .../alg-sha256/hosts/carol/etc/strongswan.conf | 2 +- .../alg-sha256/hosts/moon/etc/strongswan.conf | 2 +- .../alg-sha384/hosts/carol/etc/strongswan.conf | 2 +- .../alg-sha384/hosts/moon/etc/strongswan.conf | 2 +- .../alg-sha512/hosts/carol/etc/strongswan.conf | 2 +- .../alg-sha512/hosts/moon/etc/strongswan.conf | 2 +- .../any-interface/hosts/alice/etc/strongswan.conf | 2 +- .../any-interface/hosts/bob/etc/strongswan.conf | 2 +- .../any-interface/hosts/moon/etc/strongswan.conf | 2 +- .../any-interface/hosts/sun/etc/strongswan.conf | 2 +- .../ikev2/compress/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/compress/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../config-payload/hosts/carol/etc/strongswan.conf | 2 +- .../config-payload/hosts/dave/etc/strongswan.conf | 
2 +- .../config-payload/hosts/moon/etc/strongswan.conf | 2 +- .../crl-from-cache/hosts/carol/etc/strongswan.conf | 2 +- .../crl-from-cache/hosts/moon/etc/strongswan.conf | 2 +- .../ikev2/crl-ldap/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/crl-ldap/hosts/moon/etc/strongswan.conf | 2 +- .../crl-revoked/hosts/carol/etc/strongswan.conf | 2 +- .../crl-revoked/hosts/moon/etc/strongswan.conf | 2 +- .../crl-to-cache/hosts/carol/etc/strongswan.conf | 2 +- .../crl-to-cache/hosts/moon/etc/strongswan.conf | 2 +- .../default-keys/hosts/carol/etc/strongswan.conf | 4 +- .../default-keys/hosts/moon/etc/strongswan.conf | 4 +- .../dhcp-dynamic/hosts/carol/etc/strongswan.conf | 2 +- .../dhcp-dynamic/hosts/dave/etc/strongswan.conf | 2 +- .../dhcp-dynamic/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../dhcp-static-mac/hosts/dave/etc/strongswan.conf | 2 +- .../dhcp-static-mac/hosts/moon/etc/strongswan.conf | 2 +- .../double-nat-net/hosts/alice/etc/strongswan.conf | 2 +- .../double-nat-net/hosts/bob/etc/strongswan.conf | 2 +- .../double-nat/hosts/alice/etc/strongswan.conf | 2 +- .../ikev2/double-nat/hosts/bob/etc/strongswan.conf | 2 +- .../dpd-clear/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/dpd-clear/hosts/moon/etc/strongswan.conf | 2 +- .../ikev2/dpd-hold/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/dpd-hold/hosts/moon/etc/strongswan.conf | 2 +- .../dpd-restart/hosts/carol/etc/strongswan.conf | 2 +- .../dpd-restart/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat | 2 + .../hosts/carol/etc/strongswan.conf | 2 +- .../esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat | 2 + .../hosts/carol/etc/strongswan.conf | 2 +- 
.../esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat | 2 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../esp-alg-null/hosts/carol/etc/strongswan.conf | 2 +- .../esp-alg-null/hosts/moon/etc/strongswan.conf | 2 +- .../ikev2/farp/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/farp/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/farp/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- .../force-udp-encaps/hosts/sun/etc/strongswan.conf | 2 +- .../host2host-cert/hosts/moon/etc/strongswan.conf | 2 +- .../host2host-cert/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../ip-pool-db/hosts/carol/etc/strongswan.conf | 2 +- .../ip-pool-db/hosts/dave/etc/strongswan.conf | 2 +- .../ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-pool-db/pretest.dat | 6 +- .../ip-pool-wish/hosts/carol/etc/strongswan.conf | 2 +- .../ip-pool-wish/hosts/dave/etc/strongswan.conf | 2 +- .../ip-pool-wish/hosts/moon/etc/strongswan.conf | 2 +- .../ikev2/ip-pool/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/ip-pool/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/ip-pool/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-two-pools-db/evaltest.dat | 4 + .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../ip-two-pools-db/hosts/dave/etc/strongswan.conf | 2 +- .../ip-two-pools-db/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/venus/etc/strongswan.conf | 2 +- testing/tests/ikev2/ip-two-pools-db/posttest.dat | 3 + 
testing/tests/ikev2/ip-two-pools-db/pretest.dat | 4 + .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../ip-two-pools/hosts/alice/etc/strongswan.conf | 2 +- .../ip-two-pools/hosts/carol/etc/strongswan.conf | 2 +- .../ip-two-pools/hosts/moon/etc/strongswan.conf | 2 +- .../mobike-nat/hosts/alice/etc/strongswan.conf | 2 +- .../ikev2/mobike-nat/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../ikev2/mobike/hosts/alice/etc/strongswan.conf | 2 +- .../ikev2/mobike/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../etc/ipsec.d/cacerts/research_by_salesCert.pem | 20 +- .../etc/ipsec.d/cacerts/sales_by_researchCert.pem | 22 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/carol/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/dave/etc/strongswan.conf | 2 +- .../multi-level-ca/hosts/moon/etc/strongswan.conf | 2 +- .../nat-one-rw/hosts/alice/etc/strongswan.conf | 2 +- .../ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf | 2 +- .../tests/ikev2/nat-two-rw-mark/description.txt | 16 + 
testing/tests/ikev2/nat-two-rw-mark/evaltest.dat | 16 + .../nat-two-rw-mark/hosts/alice/etc/ipsec.conf | 25 + .../hosts/alice/etc/strongswan.conf | 5 + .../ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf | 35 + .../nat-two-rw-mark/hosts/sun/etc/mark_updown | 527 ++++++ .../nat-two-rw-mark/hosts/sun/etc/strongswan.conf | 5 + .../nat-two-rw-mark/hosts/venus/etc/ipsec.conf | 25 + .../hosts/venus/etc/strongswan.conf | 5 + testing/tests/ikev2/nat-two-rw-mark/posttest.dat | 11 + testing/tests/ikev2/nat-two-rw-mark/pretest.dat | 21 + testing/tests/ikev2/nat-two-rw-mark/test.conf | 21 + .../nat-two-rw/hosts/alice/etc/strongswan.conf | 2 +- .../ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf | 2 +- .../nat-two-rw/hosts/venus/etc/strongswan.conf | 2 +- testing/tests/ikev2/nat-virtual-ip/description.txt | 6 + testing/tests/ikev2/nat-virtual-ip/evaltest.dat | 8 + .../tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts | 70 + .../ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf | 25 + .../ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown | 152 ++ .../nat-virtual-ip/hosts/moon/etc/strongswan.conf | 6 + .../ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf | 25 + .../nat-virtual-ip/hosts/sun/etc/strongswan.conf | 6 + testing/tests/ikev2/nat-virtual-ip/posttest.dat | 6 + testing/tests/ikev2/nat-virtual-ip/pretest.dat | 9 + testing/tests/ikev2/nat-virtual-ip/test.conf | 21 + .../net2net-cert/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-cert/hosts/sun/etc/strongswan.conf | 2 +- .../tests/ikev2/net2net-psk-dscp/description.txt | 13 + testing/tests/ikev2/net2net-psk-dscp/evaltest.dat | 8 + .../net2net-psk-dscp/hosts/moon/etc/ipsec.conf | 38 + .../net2net-psk-dscp/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 6 + .../net2net-psk-dscp/hosts/sun/etc/ipsec.conf | 38 + .../net2net-psk-dscp/hosts/sun/etc/ipsec.secrets | 7 + .../net2net-psk-dscp/hosts/sun/etc/strongswan.conf | 6 + testing/tests/ikev2/net2net-psk-dscp/posttest.dat | 8 + 
testing/tests/ikev2/net2net-psk-dscp/pretest.dat | 17 + testing/tests/ikev2/net2net-psk-dscp/test.conf | 21 + .../net2net-rfc3779/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-rfc3779/hosts/sun/etc/strongswan.conf | 2 +- .../net2net-route/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-route/hosts/sun/etc/strongswan.conf | 2 +- .../tests/ikev2/net2net-same-nets/description.txt | 15 + testing/tests/ikev2/net2net-same-nets/evaltest.dat | 10 + .../net2net-same-nets/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/strongswan.conf | 6 + .../net2net-same-nets/hosts/sun/etc/ipsec.conf | 27 + .../net2net-same-nets/hosts/sun/etc/mark_updown | 224 +++ .../hosts/sun/etc/strongswan.conf | 6 + testing/tests/ikev2/net2net-same-nets/posttest.dat | 7 + testing/tests/ikev2/net2net-same-nets/pretest.dat | 6 + testing/tests/ikev2/net2net-same-nets/test.conf | 21 + .../net2net-start/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-start/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../ocsp-local-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../ocsp-revoked/hosts/carol/etc/strongswan.conf | 2 +- .../ocsp-revoked/hosts/moon/etc/strongswan.conf | 2 +- .../ocsp-root-cert/hosts/carol/etc/strongswan.conf | 2 +- .../ocsp-root-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- 
.../protoport-dual/hosts/carol/etc/strongswan.conf | 2 +- .../protoport-dual/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../protoport-route/hosts/moon/etc/strongswan.conf | 2 +- .../reauth-early/hosts/carol/etc/strongswan.conf | 2 +- .../reauth-early/hosts/moon/etc/strongswan.conf | 2 +- .../reauth-late/hosts/carol/etc/strongswan.conf | 2 +- .../reauth-late/hosts/moon/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../rw-hash-and-url/hosts/dave/etc/strongswan.conf | 2 +- .../rw-hash-and-url/hosts/moon/etc/strongswan.conf | 2 +- testing/tests/ikev2/rw-mark-in-out/description.txt | 16 + testing/tests/ikev2/rw-mark-in-out/evaltest.dat | 16 + .../rw-mark-in-out/hosts/alice/etc/init.d/iptables | 77 + 
.../rw-mark-in-out/hosts/alice/etc/ipsec.conf | 25 + .../rw-mark-in-out/hosts/alice/etc/strongswan.conf | 5 + .../ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf | 37 + .../ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown | 527 ++++++ .../rw-mark-in-out/hosts/sun/etc/strongswan.conf | 5 + .../rw-mark-in-out/hosts/venus/etc/init.d/iptables | 77 + .../rw-mark-in-out/hosts/venus/etc/ipsec.conf | 25 + .../rw-mark-in-out/hosts/venus/etc/strongswan.conf | 5 + testing/tests/ikev2/rw-mark-in-out/posttest.dat | 12 + testing/tests/ikev2/rw-mark-in-out/pretest.dat | 18 + testing/tests/ikev2/rw-mark-in-out/test.conf | 21 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../two-certs/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/two-certs/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../virtual-ip/hosts/carol/etc/strongswan.conf | 2 +- .../virtual-ip/hosts/dave/etc/strongswan.conf | 2 +- .../virtual-ip/hosts/moon/etc/strongswan.conf | 2 +- .../wildcards/hosts/carol/etc/strongswan.conf | 2 +- .../ikev2/wildcards/hosts/dave/etc/strongswan.conf | 2 +- .../ikev2/wildcards/hosts/moon/etc/strongswan.conf | 2 +- .../host2host-ikev2/hosts/moon/etc/strongswan.conf | 2 +- .../host2host-ikev2/hosts/sun/etc/strongswan.conf | 2 +- .../net2net-ikev2/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-ikev2/hosts/sun/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- 
.../hosts/sun/etc/strongswan.conf | 2 +- .../ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf | 2 +- .../ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf | 2 +- .../ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../transport-ikev2/hosts/moon/etc/strongswan.conf | 2 +- .../transport-ikev2/hosts/sun/etc/strongswan.conf | 2 +- .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../openssl-ikev1/alg-ecp-high/description.txt | 6 +- .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 2 +- .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 2 +- .../openssl-ikev1/alg-ecp-low/description.txt | 6 +- .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 2 +- .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 2 +- .../openssl-ikev1/ecdsa-certs/description.txt | 2 +- .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 2 +- .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../tests/openssl-ikev1/rw-cert/description.txt | 6 +- .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/carol/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/dave/etc/strongswan.conf | 2 +- .../alg-blowfish/hosts/moon/etc/strongswan.conf | 2 +- .../alg-camellia/hosts/carol/etc/strongswan.conf | 2 +- .../alg-camellia/hosts/moon/etc/strongswan.conf | 2 +- .../openssl-ikev2/alg-ecp-high/description.txt | 8 +- .../alg-ecp-high/hosts/carol/etc/strongswan.conf | 2 +- .../alg-ecp-high/hosts/dave/etc/strongswan.conf | 2 +- .../alg-ecp-high/hosts/moon/etc/strongswan.conf | 2 +- .../openssl-ikev2/alg-ecp-low/description.txt | 8 +- .../alg-ecp-low/hosts/carol/etc/strongswan.conf | 2 +- .../alg-ecp-low/hosts/dave/etc/strongswan.conf | 2 +- .../alg-ecp-low/hosts/moon/etc/strongswan.conf | 2 +- 
.../openssl-ikev2/ecdsa-certs/description.txt | 2 +- .../ecdsa-certs/hosts/carol/etc/strongswan.conf | 2 +- .../ecdsa-certs/hosts/dave/etc/strongswan.conf | 2 +- .../ecdsa-certs/hosts/moon/etc/strongswan.conf | 2 +- .../tests/openssl-ikev2/rw-cert/description.txt | 6 +- .../rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/alice/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/venus/etc/strongswan.conf | 2 +- .../medsrv-psk/hosts/alice/etc/strongswan.conf | 2 +- .../medsrv-psk/hosts/bob/etc/strongswan.conf | 2 +- .../medsrv-psk/hosts/carol/etc/strongswan.conf | 2 +- .../alg-aes-xcbc/hosts/carol/etc/strongswan.conf | 2 +- .../alg-aes-xcbc/hosts/moon/etc/strongswan.conf | 2 +- .../alg-sha384/hosts/carol/etc/strongswan.conf | 2 +- .../alg-sha384/hosts/moon/etc/strongswan.conf | 2 +- .../alg-sha512/hosts/carol/etc/strongswan.conf | 2 +- .../alg-sha512/hosts/moon/etc/strongswan.conf | 2 +- .../esp-alg-null/hosts/carol/etc/strongswan.conf | 2 +- .../esp-alg-null/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/sun/etc/strongswan.conf | 2 +- .../nat-two-rw/hosts/alice/etc/strongswan.conf | 2 +- .../pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf | 2 +- .../nat-two-rw/hosts/venus/etc/strongswan.conf | 2 +- .../net2net-route/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-route/hosts/sun/etc/strongswan.conf | 2 +- .../protoport-dual/hosts/carol/etc/strongswan.conf | 2 +- .../protoport-dual/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../protoport-route/hosts/moon/etc/strongswan.conf | 2 +- .../pfkey/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../pfkey/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../pfkey/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 26 +- .../hosts/carol/etc/strongswan.conf | 2 +- 
.../hosts/dave/etc/ipsec.d/data.sql | 20 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/ipsec.d/data.sql | 34 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 26 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/ipsec.d/data.sql | 26 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/ipsec.d/data.sql | 34 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../ip-pool-db/hosts/carol/etc/ipsec.d/data.sql | 24 +- .../sql/ip-pool-db/hosts/carol/etc/strongswan.conf | 2 +- .../sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql | 24 +- .../sql/ip-pool-db/hosts/dave/etc/strongswan.conf | 2 +- .../sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql | 24 +- .../sql/ip-pool-db/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 26 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/ipsec.d/data.sql | 25 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/ipsec.d/data.sql | 37 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 26 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/ipsec.d/data.sql | 26 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/ipsec.d/data.sql | 26 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql | 26 +- .../net2net-cert/hosts/moon/etc/strongswan.conf | 2 +- .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql | 26 +- .../sql/net2net-cert/hosts/sun/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql | 26 +- .../sql/rw-cert/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql | 26 +- .../sql/rw-cert/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql | 26 +- .../sql/rw-cert/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 20 +- .../rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf | 2 +- 
.../rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql | 26 +- .../rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf | 2 +- .../hosts/carol/etc/ipsec.d/data.sql | 20 +- .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/dave/etc/ipsec.d/data.sql | 20 +- .../hosts/dave/etc/strongswan.conf | 2 +- .../hosts/moon/etc/ipsec.d/data.sql | 34 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql | 4 +- .../rw-rsa-keyid/hosts/carol/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql | 4 +- .../rw-rsa-keyid/hosts/dave/etc/strongswan.conf | 2 +- .../rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql | 6 +- .../rw-rsa-keyid/hosts/moon/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql | 4 +- .../sql/rw-rsa/hosts/carol/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql | 4 +- .../sql/rw-rsa/hosts/dave/etc/strongswan.conf | 2 +- .../sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql | 6 +- .../sql/rw-rsa/hosts/moon/etc/strongswan.conf | 2 +- 1044 files changed, 30010 insertions(+), 12421 deletions(-) create mode 100644 src/ipsec/ipsec.8.in delete mode 100644 src/libcharon/config/auth_cfg.c delete mode 100644 src/libcharon/config/auth_cfg.h delete mode 100644 src/libcharon/credentials/credential_manager.c delete mode 100644 src/libcharon/credentials/credential_manager.h delete mode 100644 src/libcharon/credentials/credential_set.h delete mode 100644 src/libcharon/credentials/sets/auth_cfg_wrapper.c delete mode 100644 src/libcharon/credentials/sets/auth_cfg_wrapper.h delete mode 100644 src/libcharon/credentials/sets/cert_cache.c delete mode 100644 src/libcharon/credentials/sets/cert_cache.h delete mode 100644 src/libcharon/credentials/sets/ocsp_response_wrapper.c delete mode 100644 src/libcharon/credentials/sets/ocsp_response_wrapper.h create mode 100644 src/libcharon/plugins/addrblock/Makefile.am create mode 100644 src/libcharon/plugins/addrblock/Makefile.in create mode 100644 
src/libcharon/plugins/addrblock/addrblock_narrow.c create mode 100644 src/libcharon/plugins/addrblock/addrblock_narrow.h create mode 100644 src/libcharon/plugins/addrblock/addrblock_plugin.c create mode 100644 src/libcharon/plugins/addrblock/addrblock_plugin.h create mode 100644 src/libcharon/plugins/addrblock/addrblock_validator.c create mode 100644 src/libcharon/plugins/addrblock/addrblock_validator.h create mode 100644 src/libcharon/plugins/android/android_creds.c create mode 100644 src/libcharon/plugins/android/android_creds.h create mode 100644 src/libcharon/plugins/android/android_logger.c create mode 100644 src/libcharon/plugins/android/android_logger.h create mode 100644 src/libcharon/plugins/android/android_service.c create mode 100644 src/libcharon/plugins/android/android_service.h create mode 100644 src/libcharon/plugins/eap_radius/radius_server.c create mode 100644 src/libcharon/plugins/eap_radius/radius_server.h create mode 100644 src/libcharon/plugins/eap_radius/radius_socket.c create mode 100644 src/libcharon/plugins/eap_radius/radius_socket.h create mode 100644 src/libcharon/plugins/eap_simaka_sql/Makefile.am create mode 100644 src/libcharon/plugins/eap_simaka_sql/Makefile.in create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c create mode 100644 src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h create mode 100644 src/libcharon/plugins/ha/ha_attribute.c create mode 100644 src/libcharon/plugins/ha/ha_attribute.h create mode 100644 src/libcharon/plugins/ha/ha_cache.c create mode 100644 src/libcharon/plugins/ha/ha_cache.h delete mode 100644 src/libcharon/plugins/resolve/Makefile.am delete mode 100644 
src/libcharon/plugins/resolve/Makefile.in delete mode 100644 src/libcharon/plugins/resolve/resolve_handler.c delete mode 100644 src/libcharon/plugins/resolve/resolve_handler.h delete mode 100644 src/libcharon/plugins/resolve/resolve_plugin.c delete mode 100644 src/libcharon/plugins/resolve/resolve_plugin.h create mode 100644 src/libcharon/plugins/unit_tester/tests/test_hashtable.c create mode 100644 src/libhydra/plugins/attr_sql/pool_attributes.c create mode 100644 src/libhydra/plugins/attr_sql/pool_attributes.h create mode 100644 src/libhydra/plugins/attr_sql/pool_usage.c create mode 100644 src/libhydra/plugins/attr_sql/pool_usage.h create mode 100644 src/libhydra/plugins/resolve/Makefile.am create mode 100644 src/libhydra/plugins/resolve/Makefile.in create mode 100644 src/libhydra/plugins/resolve/resolve_handler.c create mode 100644 src/libhydra/plugins/resolve/resolve_handler.h create mode 100644 src/libhydra/plugins/resolve/resolve_plugin.c create mode 100644 src/libhydra/plugins/resolve/resolve_plugin.h create mode 100644 src/libstrongswan/credentials/auth_cfg.c create mode 100644 src/libstrongswan/credentials/auth_cfg.h create mode 100644 src/libstrongswan/credentials/cert_validator.h create mode 100644 src/libstrongswan/credentials/cred_encoding.c create mode 100644 src/libstrongswan/credentials/cred_encoding.h create mode 100644 src/libstrongswan/credentials/credential_manager.c create mode 100644 src/libstrongswan/credentials/credential_manager.h create mode 100644 src/libstrongswan/credentials/credential_set.h delete mode 100644 src/libstrongswan/credentials/keys/key_encoding.c delete mode 100644 src/libstrongswan/credentials/keys/key_encoding.h create mode 100644 src/libstrongswan/credentials/sets/auth_cfg_wrapper.c create mode 100644 src/libstrongswan/credentials/sets/auth_cfg_wrapper.h create mode 100644 src/libstrongswan/credentials/sets/cert_cache.c create mode 100644 src/libstrongswan/credentials/sets/cert_cache.h create mode 100644 
src/libstrongswan/credentials/sets/ocsp_response_wrapper.c create mode 100644 src/libstrongswan/credentials/sets/ocsp_response_wrapper.h create mode 100644 src/libstrongswan/plugins/openssl/openssl_crl.c create mode 100644 src/libstrongswan/plugins/openssl/openssl_crl.h create mode 100644 src/libstrongswan/plugins/openssl/openssl_x509.c create mode 100644 src/libstrongswan/plugins/openssl/openssl_x509.h create mode 100644 src/libstrongswan/plugins/revocation/Makefile.am create mode 100644 src/libstrongswan/plugins/revocation/Makefile.in create mode 100644 src/libstrongswan/plugins/revocation/revocation_plugin.c create mode 100644 src/libstrongswan/plugins/revocation/revocation_plugin.h create mode 100644 src/libstrongswan/plugins/revocation/revocation_validator.c create mode 100644 src/libstrongswan/plugins/revocation/revocation_validator.h create mode 100644 src/pki/commands/print.c create mode 100644 src/pki/commands/signcrl.c create mode 100644 src/pluto/ipsec.secrets.5.in create mode 100644 src/pluto/plugins/xauth/Makefile.am create mode 100644 src/pluto/plugins/xauth/Makefile.in create mode 100644 src/pluto/plugins/xauth/xauth_default_provider.c create mode 100644 src/pluto/plugins/xauth/xauth_default_provider.h create mode 100644 src/pluto/plugins/xauth/xauth_default_verifier.c create mode 100644 src/pluto/plugins/xauth/xauth_default_verifier.h create mode 100644 src/pluto/plugins/xauth/xauth_plugin.c create mode 100644 src/pluto/plugins/xauth/xauth_plugin.h create mode 100644 src/pluto/pluto.c create mode 100644 src/pluto/pluto.h delete mode 100644 src/pluto/xauth.c delete mode 100644 src/pluto/xauth.h create mode 100644 src/pluto/xauth/xauth_manager.c create mode 100644 src/pluto/xauth/xauth_manager.h create mode 100644 src/pluto/xauth/xauth_provider.h create mode 100644 src/pluto/xauth/xauth_verifier.h create mode 100644 src/starter/ipsec.conf.5.in delete mode 100644 testing/hosts/winnetou/etc/openssl/research/carolReq.pem create mode 100644 
testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem create mode 100644 testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem delete mode 100644 testing/tests/ike2/description.txt delete mode 100644 testing/tests/ike2/evaltest.dat delete mode 100644 testing/tests/ike2/hosts/bob/etc/hosts delete mode 100755 testing/tests/ike2/hosts/moon/etc/ipsec.conf delete mode 100755 testing/tests/ike2/hosts/moon/etc/nat_updown delete mode 100644 testing/tests/ike2/hosts/moon/etc/strongswan.conf delete mode 100755 testing/tests/ike2/hosts/sun/etc/ipsec.conf delete mode 100644 testing/tests/ike2/hosts/sun/etc/strongswan.conf delete mode 100644 testing/tests/ike2/posttest.dat delete mode 100644 testing/tests/ike2/pretest.dat delete mode 100644 testing/tests/ike2/test.conf create mode 100644 testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/description.txt create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf create mode 100644 
testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat create mode 100644 testing/tests/ikev1/xauth-id-psk-mode-config/test.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/description.txt create mode 100644 testing/tests/ikev1/xauth-id-psk/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-psk/posttest.dat create mode 100644 testing/tests/ikev1/xauth-id-psk/pretest.dat create mode 100644 testing/tests/ikev1/xauth-id-psk/test.conf create mode 100644 testing/tests/ikev1/xauth-id-rsa/description.txt create mode 100644 testing/tests/ikev1/xauth-id-rsa/evaltest.dat create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf 
create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-id-rsa/posttest.dat create mode 100644 testing/tests/ikev1/xauth-id-rsa/pretest.dat create mode 100644 testing/tests/ikev1/xauth-id-rsa/test.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/description.txt delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/posttest.dat delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/pretest.dat delete mode 100644 testing/tests/ikev1/xauth-psk-mode-config/test.conf create mode 100644 testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf create mode 100644 
testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw-mark/description.txt create mode 100644 testing/tests/ikev2/nat-two-rw-mark/evaltest.dat create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown create mode 100644 testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-two-rw-mark/posttest.dat create mode 100644 testing/tests/ikev2/nat-two-rw-mark/pretest.dat create mode 100644 testing/tests/ikev2/nat-two-rw-mark/test.conf create mode 100644 testing/tests/ikev2/nat-virtual-ip/description.txt create mode 100644 testing/tests/ikev2/nat-virtual-ip/evaltest.dat create mode 100644 testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts create mode 100755 testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf create mode 100755 testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown create mode 100644 
testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/nat-virtual-ip/posttest.dat create mode 100644 testing/tests/ikev2/nat-virtual-ip/pretest.dat create mode 100644 testing/tests/ikev2/nat-virtual-ip/test.conf create mode 100644 testing/tests/ikev2/net2net-psk-dscp/description.txt create mode 100644 testing/tests/ikev2/net2net-psk-dscp/evaltest.dat create mode 100755 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-psk-dscp/posttest.dat create mode 100644 testing/tests/ikev2/net2net-psk-dscp/pretest.dat create mode 100644 testing/tests/ikev2/net2net-psk-dscp/test.conf create mode 100644 testing/tests/ikev2/net2net-same-nets/description.txt create mode 100644 testing/tests/ikev2/net2net-same-nets/evaltest.dat create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown create mode 100644 testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/net2net-same-nets/posttest.dat create mode 100644 testing/tests/ikev2/net2net-same-nets/pretest.dat create mode 100644 
testing/tests/ikev2/net2net-same-nets/test.conf create mode 100644 testing/tests/ikev2/rw-mark-in-out/description.txt create mode 100644 testing/tests/ikev2/rw-mark-in-out/evaltest.dat create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-mark-in-out/posttest.dat create mode 100644 testing/tests/ikev2/rw-mark-in-out/pretest.dat create mode 100644 testing/tests/ikev2/rw-mark-in-out/test.conf (limited to 'src/libcharon/encoding/payloads/cert_payload.c')
diff --git a/Android.mk b/Android.mk
index 0cda18302..0a9fc5387 100644
--- a/Android.mk
+++ b/Android.mk
@@ -3,8 +3,9 @@ include $(CLEAR_VARS)
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
-strongswan_PLUGINS := openssl fips-prf random x509 pubkey pkcs1 \
- pem xcbc hmac kernel-netlink socket-default android
+strongswan_PLUGINS := openssl fips-prf random pubkey pkcs1 \
+ pem xcbc hmac kernel-netlink socket-default android \
+ eap-identity eap-mschapv2 eap-md5
 # helper macros to only add source files for plugins included in the list above
 # source files are relative to the android.mk that called the macro
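Review bot: The new `strongswan_PLUGINS` list drops `x509` but does not add `revocation`, although the comment right above it says this list is also what gets loaded by default, and the NEWS entry in this same commit states that IKEv2 OCSP/CRL checking has been moved into the revocation plugin. If the Android build is expected to keep checking certificate revocation, the plugin presumably has to be listed here, e.g. `strongswan_PLUGINS := openssl fips-prf random pubkey pkcs1 revocation \`; if it is left out on purpose, a comment saying so would stop the omission from looking like a silent loss of revocation checks. Dropping `x509` itself looks intentional given the NEWS note that the openssl plugin now provides X.509 support, but that dependency is worth a comment too. The same hunk appears in Android.mk.in (`@@ -3,8 +3,9 @@`).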
@@ -12,7 +13,9 @@ plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
 add_plugin = $(if $(call plugin_enabled,$(1)), \
 $(patsubst $(LOCAL_PATH)/%,%, \
 $(wildcard \
- $(LOCAL_PATH)/plugins/$(subst -,_,$(strip $(1)))/*.c \
+ $(subst %,$(subst -,_,$(strip $(1))), \
+ $(LOCAL_PATH)/plugins/%/%*.c \
+ ) \
 ) \
 ) \
 )
@@ -40,11 +43,17 @@ strongswan_CFLAGS := \
 -DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
 -DHAVE_IPSEC_MODE_BEET \
 -DHAVE_IPSEC_DIR_FWD \
+ -DOPENSSL_NO_EC \
+ -DOPENSSL_NO_ECDSA \
+ -DOPENSSL_NO_ECDH \
+ -DOPENSSL_NO_ENGINE \
+ -DCAPABILITIES \
+ -DCAPABILITIES_NATIVE \
 -DMONOLITHIC \
 -DUSE_VSTR \
 -DROUTING_TABLE=0 \
 -DROUTING_TABLE_PRIO=220 \
- -DVERSION=\"4.4.0\" \
+ -DVERSION=\"4.4.1\" \
 -DPLUGINS='"$(strongswan_PLUGINS)"' \
 -DIPSEC_DIR=\"/system/bin\" \
 -DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/Android.mk.in b/Android.mk.in
index 4a4b7df96..1ad0b27fe 100644
--- a/Android.mk.in
+++ b/Android.mk.in
@@ -3,8 +3,9 @@ include $(CLEAR_VARS)
 # this is the list of plugins that are built into libstrongswan and charon
 # also these plugins are loaded by default (if not changed in strongswan.conf)
-strongswan_PLUGINS := openssl fips-prf random x509 pubkey pkcs1 \
- pem xcbc hmac kernel-netlink socket-default android
+strongswan_PLUGINS := openssl fips-prf random pubkey pkcs1 \
+ pem xcbc hmac kernel-netlink socket-default android \
+ eap-identity eap-mschapv2 eap-md5
 # helper macros to only add source files for plugins included in the list above
 # source files are relative to the android.mk that called the macro
@@ -12,7 +13,9 @@ plugin_enabled = $(findstring $(1), $(strongswan_PLUGINS))
 add_plugin = $(if $(call plugin_enabled,$(1)), \
 $(patsubst $(LOCAL_PATH)/%,%, \
 $(wildcard \
- $(LOCAL_PATH)/plugins/$(subst -,_,$(strip $(1)))/*.c \
+ $(subst %,$(subst -,_,$(strip $(1))), \
+ $(LOCAL_PATH)/plugins/%/%*.c \
+ ) \
 ) \
 ) \
 )
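Review bot: The rewritten `add_plugin` macro now collects only `plugins/<name>/<name>*.c` instead of every `*.c` in the plugin directory, and nothing in the hunk says why; a one-line comment above the macro, such as `# only <plugin>*.c is compiled; other sources in the plugin directory are left out on purpose`, would save the next reader from re-deriving the nested `$(subst %,...)`. Presumably this is meant to skip helper or test sources living in the same directory, so it is worth confirming that every plugin in the list above follows that file-naming convention, since a source file that does not will be dropped from the build without any error. The identical macro change is made in Android.mk.in (`@@ -12,7 +13,9 @@`).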
@@ -40,6 +43,12 @@ strongswan_CFLAGS := \
 -DHAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY \
 -DHAVE_IPSEC_MODE_BEET \
 -DHAVE_IPSEC_DIR_FWD \
+ -DOPENSSL_NO_EC \
+ -DOPENSSL_NO_ECDSA \
+ -DOPENSSL_NO_ECDH \
+ -DOPENSSL_NO_ENGINE \
+ -DCAPABILITIES \
+ -DCAPABILITIES_NATIVE \
 -DMONOLITHIC \
 -DUSE_VSTR \
 -DROUTING_TABLE=0 \
diff --git a/Makefile.am b/Makefile.am
index 6ed121f67..af0465fee 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -7,7 +7,7 @@ endif
 ACLOCAL_AMFLAGS = -I m4/config
 EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk
-CLEANFILES = apidoc Doxyfile
+CLEANFILES = Doxyfile
 BUILT_SOURCES = Android.mk
 MAINTAINERCLEANFILES = Android.mk
@@ -25,3 +25,6 @@ Doxyfile : Doxyfile.in
 apidoc : Doxyfile
 doxygen
+
+clean-local:
+ rm -rf apidoc
diff --git a/Makefile.in b/Makefile.in
index d4f18d054..522683ab1 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -267,7 +267,7 @@ xml_LIBS = @xml_LIBS@ SUBDIRS = src testing $(am__append_1) ACLOCAL_AMFLAGS = -I m4/config EXTRA_DIST = Doxyfile.in CREDITS Android.mk.in Android.mk -CLEANFILES = apidoc Doxyfile +CLEANFILES = Doxyfile BUILT_SOURCES = Android.mk MAINTAINERCLEANFILES = Android.mk all: $(BUILT_SOURCES) @@ -327,7 +327,7 @@ distclean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -352,7 +352,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ 
@@ -516,7 +516,8 @@ distdir: $(DISTFILES) fi; \ done -test -n "$(am__skip_mode_fix)" \ - || find "$(distdir)" -type d ! -perm -777 -exec chmod a+rwx {} \; -o \ + || find "$(distdir)" -type d ! -perm -755 \ + -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ ! -type d ! -perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ @@ -560,17 +561,17 @@ dist dist-all: distdir distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ - GZIP=$(GZIP_ENV) gunzip -c $(distdir).tar.gz | $(am__untar) ;;\ + GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ - bunzip2 -c $(distdir).tar.bz2 | $(am__untar) ;;\ + bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ *.tar.lzma*) \ - unlzma -c $(distdir).tar.lzma | $(am__untar) ;;\ + lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\ *.tar.xz*) \ xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ - GZIP=$(GZIP_ENV) gunzip -c $(distdir).shar.gz | unshar ;;\ + GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac @@ -666,7 +667,7 @@ maintainer-clean-generic: -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) clean: clean-recursive -clean-am: clean-generic clean-libtool mostlyclean-am +clean-am: clean-generic clean-libtool clean-local mostlyclean-am distclean: distclean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) 
@@ -740,19 +741,19 @@ uninstall-am: .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-generic \ - clean-libtool ctags ctags-recursive dist dist-all dist-bzip2 \ - dist-gzip dist-lzma dist-shar dist-tarZ dist-xz dist-zip \ - distcheck distclean distclean-generic distclean-libtool \ - distclean-tags distcleancheck distdir distuninstallcheck dvi \ - dvi-am html html-am info info-am install install-am \ - install-data install-data-am install-dvi install-dvi-am \ - install-exec install-exec-am install-html install-html-am \ - install-info install-info-am install-man install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs installdirs-am \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags tags-recursive uninstall uninstall-am + clean-libtool clean-local ctags ctags-recursive dist dist-all \ + dist-bzip2 dist-gzip dist-lzma dist-shar dist-tarZ dist-xz \ + dist-zip distcheck distclean distclean-generic \ + distclean-libtool distclean-tags distcleancheck distdir \ + distuninstallcheck dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + installdirs-am maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ + ps ps-am tags tags-recursive uninstall uninstall-am Android.mk : Android.mk.in configure.in 
@@ -770,6 +771,9 @@ Doxyfile : Doxyfile.in apidoc : Doxyfile doxygen +clean-local: + rm -rf apidoc + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT:
diff --git a/NEWS b/NEWS
index bd4e770cd..a5f4a16ff 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,52 @@
+strongswan-4.4.1
+----------------
+
+- Support of xfrm marks in IPsec SAs and IPsec policies introduced
+ with the Linux 2.6.34 kernel. For details see the example scenarios
+ ikev2/nat-two-rw-mark, ikev2/rw-nat-mark-in-out and ikev2/net2net-psk-dscp.
+
+- The PLUTO_MARK_IN and PLUTO_ESP_ENC environment variables can be used
+ in a user-specific updown script to set marks on inbound ESP or
+ ESP_IN_UDP packets.
+
+- The openssl plugin now supports X.509 certificate and CRL functions.
+
+- OCSP/CRL checking in IKEv2 has been moved to the revocation plugin, enabled
+ by default. Plase update manual load directives in strongswan.conf.
+
+- RFC3779 ipAddrBlock constraint checking has been moved to the addrblock
+ plugin, disabled by default. Enable it and update manual load directives
+ in strongswan.conf, if required.
+
+- The pki utility supports CRL generation using the --signcrl command.
+
+- The ipsec pki --self, --issue and --req commands now support output in
+ PEM format using the --outform pem option.
+
+- The major refactoring of the IKEv1 Mode Config functionality now allows
+ the transport and handling of any Mode Config attribute.
+
+- The RADIUS proxy plugin eap-radius now supports multiple servers. Configured
+ servers are chosen randomly, with the option to prefer a specific server.
+ Non-responding servers are degraded by the selection process.
+
+- The ipsec pool tool manages arbitrary configuration attributes stored
+ in an SQL database. ipsec pool --help gives the details.
+
+- The new eap-simaka-sql plugin acts as a backend for EAP-SIM and EAP-AKA,
+ reading triplets/quintuplets from an SQL database.
+
+- The High Availability plugin now supports a HA enabled in-memory address
+ pool and Node reintegration without IKE_SA rekeying. The latter allows
+ clients without IKE_SA rekeying support to keep connected during
+ reintegration. Additionally, many other issues have been fixed in the ha
+ plugin.
+
+- Fixed a potential remote code execution vulnerability resulting from
+ the misuse of snprintf(). The vulnerability is exploitable by
+ unauthenticated users.
+
+
 strongswan-4.4.0
 ----------------
diff --git a/aclocal.m4 b/aclocal.m4
index dea9d6f31..23b7e59ee 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@ -# generated automatically by aclocal 1.11 -*- Autoconf -*- +# generated automatically by aclocal 1.11.1 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. @@ -13,8 +13,8 @@ m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl -m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.64],, -[m4_warning([this file was generated for autoconf 2.64. +m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.65],, +[m4_warning([this file was generated for autoconf 2.65. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically `autoreconf'.])]) @@ -378,7 +378,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION], [am__api_version='1.11' dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to dnl require some minimum version. Point them to the right macro. -m4_if([$1], [1.11], [], +m4_if([$1], [1.11.1], [], [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl ]) @@ -394,7 +394,7 @@ m4_define([_AM_AUTOCONF_VERSION], []) # Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced. # This function is AC_REQUIREd by AM_INIT_AUTOMAKE. AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION], -[AM_AUTOMAKE_VERSION([1.11])dnl +[AM_AUTOMAKE_VERSION([1.11.1])dnl m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
diff --git a/config.guess b/config.guess
index da8331460..e3a2116a7 100755
--- a/config.guess
+++ b/config.guess @@ -1,10 +1,10 @@ #! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Free Software Foundation, Inc. -timestamp='2009-04-27' +timestamp='2009-06-10' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -170,7 +170,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ - | grep __ELF__ >/dev/null + | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? @@ -656,7 +656,7 @@ EOF # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | - grep __LP64__ >/dev/null + grep -q __LP64__ then HP_ARCH="hppa2.0w" else @@ -822,6 +822,9 @@ EOF [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; + 8664:Windows_NT:*) + echo x86_64-pc-mks + exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we 
@@ -882,40 +885,17 @@ EOF m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; - mips:Linux:*:*) + mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU - #undef mips - #undef mipsel + #undef ${UNAME_MACHINE} + #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mipsel + CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips - #else - CPU= - #endif - #endif -EOF - eval "`$CC_FOR_BUILD -E $dummy.c 2>/dev/null | sed -n ' - /^CPU/{ - s: ::g - p - }'`" - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } - ;; - mips64:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c - #undef CPU - #undef mips64 - #undef mips64el - #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) - CPU=mips64el - #else - #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) - CPU=mips64 + CPU=${UNAME_MACHINE} #else CPU= #endif @@ -947,7 +927,7 @@ EOF EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac - objdump --private-headers /bin/sh | grep ld.so.1 >/dev/null + objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} exit ;; @@ -1001,14 +981,6 @@ EOF elf32-i386) TENTATIVE="${UNAME_MACHINE}-pc-linux-gnu" ;; - a.out-i386-linux) - echo "${UNAME_MACHINE}-pc-linux-gnuaout" - exit ;; - "") - # Either a pre-BFD a.out linker (linux-gnuoldld) or - # one that does not give us useful --help. - echo "${UNAME_MACHINE}-pc-linux-gnuoldld" - exit ;; esac # Determine whether the default compiler is a.out or elf eval $set_cc_for_build 
@@ -1074,7 +1046,7 @@ EOF i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; - i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.0*:*) + i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) @@ -1182,7 +1154,7 @@ EOF rs6000:LynxOS:2.*:*) echo rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; - PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.0*:*) + PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) diff --git a/config.sub b/config.sub index a39437d01..eb0389a69 100755 --- a/config.sub +++ b/config.sub @@ -1,10 +1,10 @@ #! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, -# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008 +# 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 # Free Software Foundation, Inc. -timestamp='2009-04-17' +timestamp='2009-06-11' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software @@ -153,6 +153,9 @@ case $os in os= basic_machine=$1 ;; + -bluegene*) + os=-cnk + ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 @@ -467,6 +470,10 @@ case $basic_machine in basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; + bluegene*) + basic_machine=powerpc-ibm + os=-cnk + ;; c90) basic_machine=c90-cray os=-unicos 
@@ -1260,7 +1267,7 @@ case $os in # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -sunos | -sunos[34]*\ + | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -solaris* | -sym* \ | -kopensolaris* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ @@ -1613,7 +1620,7 @@ case $basic_machine in -sunos*) vendor=sun ;; - -aix*) + -cnk*|-aix*) vendor=ibm ;; -beos*) diff --git a/configure b/configure index 952734d15..64ecd2c57 100755 --- a/configure +++ b/configure @@ -1,10 +1,12 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.64 for strongSwan 4.4.0. +# Generated by GNU Autoconf 2.65 for strongSwan 4.4.1. +# # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, -# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software -# Foundation, Inc. +# 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. @@ -673,7 +675,8 @@ fi -exec 7<&0 &1 +test -n "$DJDIR" || exec 7<&0 &1 # Name of the host. # hostname on some systems (SVR3.2, Linux) returns a bogus exit status, @@ -695,8 +698,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='4.4.0' -PACKAGE_STRING='strongSwan 4.4.0' +PACKAGE_VERSION='4.4.1' +PACKAGE_STRING='strongSwan 4.4.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -746,6 +749,8 @@ USE_SIMAKA_FALSE USE_SIMAKA_TRUE USE_VSTR_FALSE USE_VSTR_TRUE +USE_LIBCAP_FALSE +USE_LIBCAP_TRUE USE_FILE_CONFIG_FALSE USE_FILE_CONFIG_TRUE USE_LIBHYDRA_FALSE 
@@ -762,8 +767,8 @@ USE_THREADS_FALSE USE_THREADS_TRUE USE_PLUTO_FALSE USE_PLUTO_TRUE -USE_CAPABILITIES_FALSE -USE_CAPABILITIES_TRUE +USE_LOAD_WARNING_FALSE +USE_LOAD_WARNING_TRUE USE_INTEGRITY_TEST_FALSE USE_INTEGRITY_TEST_TRUE USE_ME_FALSE @@ -788,6 +793,16 @@ USE_CISCO_QUIRKS_FALSE USE_CISCO_QUIRKS_TRUE USE_SMARTCARD_FALSE USE_SMARTCARD_TRUE +USE_XAUTH_FALSE +USE_XAUTH_TRUE +USE_RESOLVE_FALSE +USE_RESOLVE_TRUE +USE_ATTR_SQL_FALSE +USE_ATTR_SQL_TRUE +USE_ATTR_FALSE +USE_ATTR_TRUE +USE_ADDRBLOCK_FALSE +USE_ADDRBLOCK_TRUE USE_FARP_FALSE USE_FARP_TRUE USE_SOCKET_DYNAMIC_FALSE @@ -822,6 +837,8 @@ USE_EAP_SIMAKA_REAUTH_FALSE USE_EAP_SIMAKA_REAUTH_TRUE USE_EAP_SIMAKA_PSEUDONYM_FALSE USE_EAP_SIMAKA_PSEUDONYM_TRUE +USE_EAP_SIMAKA_SQL_FALSE +USE_EAP_SIMAKA_SQL_TRUE USE_EAP_SIM_FILE_FALSE USE_EAP_SIM_FILE_TRUE USE_EAP_SIM_FALSE @@ -832,12 +849,8 @@ USE_LOAD_TESTER_FALSE USE_LOAD_TESTER_TRUE USE_UNIT_TESTS_FALSE USE_UNIT_TESTS_TRUE -USE_RESOLVE_FALSE -USE_RESOLVE_TRUE USE_DHCP_FALSE USE_DHCP_TRUE -USE_ATTR_FALSE -USE_ATTR_TRUE USE_UPDOWN_FALSE USE_UPDOWN_TRUE USE_SQL_FALSE @@ -864,8 +877,6 @@ USE_OPENSSL_FALSE USE_OPENSSL_TRUE USE_PADLOCK_FALSE USE_PADLOCK_TRUE -USE_ATTR_SQL_FALSE -USE_ATTR_SQL_TRUE USE_SQLITE_FALSE USE_SQLITE_TRUE USE_MYSQL_FALSE @@ -884,6 +895,8 @@ USE_PKCS1_FALSE USE_PKCS1_TRUE USE_PUBKEY_FALSE USE_PUBKEY_TRUE +USE_REVOCATION_FALSE +USE_REVOCATION_TRUE USE_X509_FALSE USE_X509_TRUE USE_RANDOM_FALSE @@ -1094,6 +1107,7 @@ enable_fips_prf enable_gmp enable_random enable_x509 +enable_revocation enable_pubkey enable_pkcs1 enable_pgp @@ -1117,6 +1131,7 @@ enable_unit_tests enable_load_tester enable_eap_sim enable_eap_sim_file +enable_eap_simaka_sql enable_eap_simaka_pseudonym enable_eap_simaka_reauth enable_eap_identity @@ -1142,7 +1157,9 @@ enable_fast enable_manager enable_mediation enable_integrity_test +enable_load_warning enable_pluto +enable_xauth enable_threads enable_charon enable_tools 
@@ -1156,6 +1173,7 @@ enable_padlock enable_openssl enable_gcrypt enable_agent +enable_addrblock enable_uci enable_android enable_nm @@ -1730,7 +1748,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 4.4.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 4.4.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1800,7 +1818,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 4.4.0:";; + short | recursive ) echo "Configuration of strongSwan 4.4.1:";; esac cat <<\_ACEOF @@ -1825,6 +1843,7 @@ Optional Features: plugin. --disable-random disable RNG implementation on top of /dev/(u)random. --disable-x509 disable X509 certificate implementation plugin. + --disable-revocation disable X509 CRL/OCSP revocation check plugin. --disable-pubkey disable RAW public key support plugin. --disable-pkcs1 disable PKCS1 key decoding plugin. --disable-pgp disable PGP key decoding plugin. @@ -1853,6 +1872,8 @@ Optional Features: --enable-load-tester enable load testing plugin for IKEv2 daemon. --enable-eap-sim enable SIM authenication module for EAP. --enable-eap-sim-file enable EAP-SIM backend based on a triplet file. + --enable-eap-simaka-sql enable EAP-SIM/AKA backend based on a + triplet/quintuplet SQL database. --enable-eap-simaka-pseudonym enable EAP-SIM/AKA pseudonym storage plugin. --enable-eap-simaka-reauth 
@@ -1890,7 +1911,10 @@ Optional Features: --enable-mediation enable IKEv2 Mediation Extension. --enable-integrity-test enable integrity testing of libstrongswan and plugins. + --disable-load-warning disable the charon/pluto plugin load option warning + in starter. --disable-pluto disable the IKEv1 keying daemon pluto. + --disable-xauth disable xauth plugin. --disable-threads disable the use of threads in pluto. Charon always uses threads. --disable-charon disable the IKEv2 keying daemon charon. @@ -1908,6 +1932,7 @@ Optional Features: --enable-openssl enables the OpenSSL crypto plugin. --enable-gcrypt enables the libgcrypt plugin. --enable-agent enables the ssh-agent signing plugin. + --enable-addrblock enables RFC 3779 address block constraint support. --enable-uci enable OpenWRT UCI configuration plugin. --enable-android enable Android specific plugin. --enable-nm enable NetworkManager plugin. @@ -1958,8 +1983,8 @@ Optional Packages: 220). --with-routing-table-prio=arg set priority for IPsec routing table (default: 220). - --with-capabilities=arg set capability dropping library. Currently only the - value "libcap" is supported (default: no). + --with-capabilities=arg set capability dropping library. Currently supported + values are "libcap" and "native" (default: no). --with-mpz_powm_sec=arg use the more side-channel resistant mpz_powm_sec in libgmp, if available (default: yes). --with-xauth-module=lib set the path to the XAUTH module @@ -1980,7 +2005,7 @@ Some influential environment variables: LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l - CPPFLAGS C/C++/Objective C preprocessor flags, e.g. -I if + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory CPP C preprocessor YACC The `Yet Another C Compiler' implementation to use. Defaults to 
@@ -2061,8 +2086,8 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 4.4.0 -generated by GNU Autoconf 2.64 +strongSwan configure 4.4.1 +generated by GNU Autoconf 2.65 Copyright (C) 2009 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation @@ -2109,7 +2134,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - return $ac_retval + as_fn_set_status $ac_retval } # ac_fn_c_try_compile @@ -2151,7 +2176,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 fi rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - return $ac_retval + as_fn_set_status $ac_retval } # ac_fn_c_try_run @@ -2188,7 +2213,7 @@ sed 's/^/| /' conftest.$ac_ext >&5 ac_retval=1 fi eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - return $ac_retval + as_fn_set_status $ac_retval } # ac_fn_c_try_cpp @@ -2265,7 +2290,7 @@ fi # left behind by Apple's compiler. We do this before executing the actions. rm -rf conftest.dSYM conftest_ipa8_conftest.oo eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} - return $ac_retval + as_fn_set_status $ac_retval } # ac_fn_c_try_link @@ -2537,8 +2562,8 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 4.4.0, which was -generated by GNU Autoconf 2.64. Invocation command line was +It was created by strongSwan $as_me 4.4.1, which was +generated by GNU Autoconf 2.65. Invocation command line was $ $0 $@ 
@@ -2791,7 +2816,7 @@ fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue - if test -r "$ac_site_file"; then + if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 @@ -2800,9 +2825,9 @@ $as_echo "$as_me: loading site script $ac_site_file" >&6;} done if test -r "$cache_file"; then - # Some versions of bash will fail to source /dev/null (special - # files actually), so we avoid doing that. - if test -f "$cache_file"; then + # Some versions of bash will fail to source /dev/null (special files + # actually), so we avoid doing that. DJGPP emulates it as a regular file. + if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in @@ -3221,6 +3246,7 @@ IFS=$as_save_IFS fi + test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else @@ -3228,7 +3254,6 @@ fi # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. - test -d ./--version && rmdir ./--version MKDIR_P="$ac_install_sh -d" fi fi @@ -3345,7 +3370,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='4.4.0' + VERSION='4.4.1' cat >>confdefs.h <<_ACEOF 
@@ -4010,6 +4035,21 @@ else fi +# Check whether --enable-revocation was given. +if test "${enable_revocation+set}" = set; then : + enableval=$enable_revocation; revocation_given=true + if test x$enableval = xyes; then + revocation=true + else + revocation=false + fi +else + revocation=true + revocation_given=false + +fi + + # Check whether --enable-pubkey was given. if test "${enable_pubkey+set}" = set; then : enableval=$enable_pubkey; pubkey_given=true @@ -4355,6 +4395,21 @@ else fi +# Check whether --enable-eap-simaka-sql was given. +if test "${enable_eap_simaka_sql+set}" = set; then : + enableval=$enable_eap_simaka_sql; eap_simaka_sql_given=true + if test x$enableval = xyes; then + eap_simaka_sql=true + else + eap_simaka_sql=false + fi +else + eap_simaka_sql=false + eap_simaka_sql_given=false + +fi + + # Check whether --enable-eap-simaka-pseudonym was given. if test "${enable_eap_simaka_pseudonym+set}" = set; then : enableval=$enable_eap_simaka_pseudonym; eap_simaka_pseudonym_given=true @@ -4730,6 +4785,21 @@ else fi +# Check whether --enable-load-warning was given. +if test "${enable_load_warning+set}" = set; then : + enableval=$enable_load_warning; load_warning_given=true + if test x$enableval = xyes; then + load_warning=true + else + load_warning=false + fi +else + load_warning=true + load_warning_given=false + +fi + + # Check whether --enable-pluto was given. if test "${enable_pluto+set}" = set; then : enableval=$enable_pluto; pluto_given=true @@ -4745,6 +4815,21 @@ else fi +# Check whether --enable-xauth was given. +if test "${enable_xauth+set}" = set; then : + enableval=$enable_xauth; xauth_given=true + if test x$enableval = xyes; then + xauth=true + else + xauth=false + fi +else + xauth=true + xauth_given=false + +fi + + # Check whether --enable-threads was given. if test "${enable_threads+set}" = set; then : enableval=$enable_threads; threads_given=true 
@@ -4940,6 +5025,21 @@ else fi +# Check whether --enable-addrblock was given. +if test "${enable_addrblock+set}" = set; then : + enableval=$enable_addrblock; addrblock_given=true + if test x$enableval = xyes; then + addrblock=true + else + addrblock=false + fi +else + addrblock=false + addrblock_given=false + +fi + + # Check whether --enable-uci was given. if test "${enable_uci+set}" = set; then : enableval=$enable_uci; uci_given=true @@ -5357,32 +5457,30 @@ $as_echo "$ac_try_echo"; } >&5 ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 - rm -f conftest.er1 conftest.err fi + rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ -#include + int main () { -FILE *f = fopen ("conftest.out", "w"); - return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out conftest.out" +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 -$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: 
@@ -5444,10 +5542,10 @@ test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 -$as_echo "$ac_file" >&6; } if test -z "$ac_file"; then : - $as_echo "$as_me: failed program was:" >&5 + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +$as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 
@@ -5455,51 +5553,18 @@ $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { as_fn_set_status 77 as_fn_error "C compiler cannot create executables See \`config.log' for more details." "$LINENO" 5; }; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 -$as_echo_n "checking whether the C compiler works... " >&6; } -# If not cross compiling, check that we can run a simple program. -if test "$cross_compiling" != yes; then - if { ac_try='./$ac_file' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error "cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details." 
"$LINENO" 5; } - fi - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - -rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out conftest.out +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 -$as_echo_n "checking whether we are cross compiling... " >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 -$as_echo "$cross_compiling" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" 
@@ -5532,13 +5597,72 @@ $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details." "$LINENO" 5; } fi -rm -f conftest$ac_cv_exeext +rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +FILE *f = fopen ("conftest.out", "w"); + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +ac_clean_files="$ac_clean_files conftest.out" +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +if test "$cross_compiling" != yes; then + { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if { ac_try='./conftest$ac_cv_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error "cannot run C compiled programs. 
+If you meant to cross compile, use \`--host'. +See \`config.log' for more details." "$LINENO" 5; } + fi + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if test "${ac_cv_objext+set}" = set; then : @@ -6845,8 +6969,8 @@ esac -macro_version='2.2.6' -macro_revision='1.3012' +macro_version='2.2.6b' +macro_revision='1.3017' @@ -7316,13 +7440,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:7319: $ac_compile\"" >&5) + (eval echo "\"\$as_me:7443: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:7322: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:7446: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:7325: output\"" >&5) + (eval echo "\"\$as_me:7449: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -7788,7 +7912,7 @@ irix5* | irix6* | nonstopux*) ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -8527,7 +8651,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8530 "configure"' > conftest.$ac_ext + echo '#line 8654 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -9789,11 +9913,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:9792: $lt_compile\"" >&5) + (eval echo "\"\$as_me:9916: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:9796: \$? = $ac_status" >&5 + echo "$as_me:9920: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -9958,7 +10082,7 @@ $as_echo_n "checking for $compiler option to produce PIC... " >&6; } lt_prog_compiler_static='-non_shared' ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -10128,11 +10252,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10131: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10255: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10135: \$? = $ac_status" >&5 + echo "$as_me:10259: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -10233,11 +10357,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10236: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10360: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10240: \$? = $ac_status" >&5 + echo "$as_me:10364: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10288,11 +10412,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10291: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10415: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10295: \$? = $ac_status" >&5 + echo "$as_me:10419: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10431,6 +10555,7 @@ $as_echo_n "checking whether the $compiler linker ($LD) supports shared librarie fi supports_anon_versioning=no case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; *\ [01].* | *\ 2.[0-9].* | *\ 2.10.*) ;; # catch versions < 2.11 *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... 
@@ -10522,7 +10647,7 @@ _LT_EOF archive_expsym_cmds='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; - gnu* | linux* | tpf* | k*bsd*-gnu) + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) tmp_diet=no if test "$host_os" = linux-dietlibc; then case $cc_basename in @@ -11984,7 +12109,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) version_type=linux need_lib_prefix=no need_version=no @@ -12671,7 +12796,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12674 "configure" +#line 12799 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -12767,7 +12892,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 12770 "configure" +#line 12895 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -14261,6 +14386,18 @@ fi done +for ac_func in mallinfo +do : + ac_fn_c_check_func "$LINENO" "mallinfo" "ac_cv_func_mallinfo" +if test "x$ac_cv_func_mallinfo" = x""yes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_MALLINFO 1 +_ACEOF + +fi +done + + for ac_header in sys/sockio.h do : ac_fn_c_check_header_mongrel "$LINENO" "sys/sockio.h" "ac_cv_header_sys_sockio_h" "$ac_includes_default" @@ -15401,7 +15538,7 @@ if test "${ac_cv_lib_gcrypt_main+set}" = set; then : $as_echo_n "(cached) " >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lgcrypt $LIBS" +LIBS="-lgcrypt -lgpg-error $LIBS" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ 
@@ -15803,6 +15940,32 @@ else fi +fi + +if test x$capabilities = xnative; then + { $as_echo "$as_me:${as_lineno-$LINENO}: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&5 +$as_echo "$as_me: Usage of the native Linux capabilities interface is deprecated, use libcap instead" >&6;} + for ac_header in sys/capability.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_capability_h" = x""yes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_CAPABILITY_H 1 +_ACEOF + +fi + +done + + ac_fn_c_check_func "$LINENO" "capset" "ac_cv_func_capset" +if test "x$ac_cv_func_capset" = x""yes; then : + +else + as_fn_error "capset() not found!" "$LINENO" 5 +fi + + $as_echo "#define CAPABILITIES_NATIVE 1" >>confdefs.h + fi if test x$capabilities = xlibcap; then @@ -15845,12 +16008,15 @@ ac_cv_lib_cap=ac_cv_lib_cap_main ac_fn_c_check_header_mongrel "$LINENO" "sys/capability.h" "ac_cv_header_sys_capability_h" "$ac_includes_default" if test "x$ac_cv_header_sys_capability_h" = x""yes; then : + $as_echo "#define HAVE_SYS_CAPABILITY_H 1" >>confdefs.h else as_fn_error "libcap header sys/capability.h not found!" "$LINENO" 5 fi + $as_echo "#define CAPABILITIES_LIBCAP 1" >>confdefs.h + fi if test x$integrity_test = xtrue; then @@ -15956,6 +16122,9 @@ if test x$x509 = xtrue; then libstrongswan_plugins=${libstrongswan_plugins}" x509" pluto_plugins=${pluto_plugins}" x509" fi +if test x$revocation = xtrue; then + libstrongswan_plugins=${libstrongswan_plugins}" revocation" +fi if test x$pubkey = xtrue; then libstrongswan_plugins=${libstrongswan_plugins}" pubkey" pluto_plugins=${pluto_plugins}" pubkey" 
@@ -16012,13 +16181,17 @@ if test x$gmp = xtrue; then libstrongswan_plugins=${libstrongswan_plugins}" gmp" pluto_plugins=${pluto_plugins}" gmp" fi +if test x$xauth = xtrue; then + pluto_plugins=${pluto_plugins}" xauth" +fi if test x$attr = xtrue; then libhydra_plugins=${libhydra_plugins}" attr" - pluto_plugins=${pluto_plugins}" attr" fi if test x$attr_sql = xtrue -o x$sql = xtrue; then libhydra_plugins=${libhydra_plugins}" attr-sql" - pluto_plugins=${pluto_plugins}" attr-sql" +fi +if test x$resolve = xtrue; then + libhydra_plugins=${libhydra_plugins}" resolve" fi @@ -16138,6 +16311,14 @@ else USE_X509_FALSE= fi + if test x$revocation = xtrue; then + USE_REVOCATION_TRUE= + USE_REVOCATION_FALSE='#' +else + USE_REVOCATION_TRUE='#' + USE_REVOCATION_FALSE= +fi + if test x$pubkey = xtrue; then USE_PUBKEY_TRUE= USE_PUBKEY_FALSE='#' @@ -16210,14 +16391,6 @@ else USE_SQLITE_FALSE= fi - if test x$attr_sql = xtrue -o x$sql = xtrue; then - USE_ATTR_SQL_TRUE= - USE_ATTR_SQL_FALSE='#' -else - USE_ATTR_SQL_TRUE='#' - USE_ATTR_SQL_FALSE= -fi - if test x$padlock = xtrue; then USE_PADLOCK_TRUE= USE_PADLOCK_FALSE='#' @@ -16323,14 +16496,6 @@ else USE_UPDOWN_FALSE= fi - if test x$attr = xtrue; then - USE_ATTR_TRUE= - USE_ATTR_FALSE='#' -else - USE_ATTR_TRUE='#' - USE_ATTR_FALSE= -fi - if test x$dhcp = xtrue; then USE_DHCP_TRUE= USE_DHCP_FALSE='#' @@ -16339,14 +16504,6 @@ else USE_DHCP_FALSE= fi - if test x$resolve = xtrue; then - USE_RESOLVE_TRUE= - USE_RESOLVE_FALSE='#' -else - USE_RESOLVE_TRUE='#' - USE_RESOLVE_FALSE= -fi - if test x$unit_tests = xtrue; then USE_UNIT_TESTS_TRUE= USE_UNIT_TESTS_FALSE='#' @@ -16387,6 +16544,14 @@ else USE_EAP_SIM_FILE_FALSE= fi + if test x$eap_simaka_sql = xtrue; then + USE_EAP_SIMAKA_SQL_TRUE= + USE_EAP_SIMAKA_SQL_FALSE='#' +else + USE_EAP_SIMAKA_SQL_TRUE='#' + USE_EAP_SIMAKA_SQL_FALSE= +fi + if test x$eap_simaka_pseudonym = xtrue; then USE_EAP_SIMAKA_PSEUDONYM_TRUE= USE_EAP_SIMAKA_PSEUDONYM_FALSE='#' 
@@ -16523,6 +16688,48 @@ else USE_FARP_FALSE= fi + if test x$addrblock = xtrue; then + USE_ADDRBLOCK_TRUE= + USE_ADDRBLOCK_FALSE='#' +else + USE_ADDRBLOCK_TRUE='#' + USE_ADDRBLOCK_FALSE= +fi + + + if test x$attr = xtrue; then + USE_ATTR_TRUE= + USE_ATTR_FALSE='#' +else + USE_ATTR_TRUE='#' + USE_ATTR_FALSE= +fi + + if test x$attr_sql = xtrue -o x$sql = xtrue; then + USE_ATTR_SQL_TRUE= + USE_ATTR_SQL_FALSE='#' +else + USE_ATTR_SQL_TRUE='#' + USE_ATTR_SQL_FALSE= +fi + + if test x$resolve = xtrue; then + USE_RESOLVE_TRUE= + USE_RESOLVE_FALSE='#' +else + USE_RESOLVE_TRUE='#' + USE_RESOLVE_FALSE= +fi + + + if test x$xauth = xtrue; then + USE_XAUTH_TRUE= + USE_XAUTH_FALSE='#' +else + USE_XAUTH_TRUE='#' + USE_XAUTH_FALSE= +fi + if test x$smartcard = xtrue; then USE_SMARTCARD_TRUE= @@ -16620,12 +16827,12 @@ else USE_INTEGRITY_TEST_FALSE= fi - if test x$capabilities = xlibcap; then - USE_CAPABILITIES_TRUE= - USE_CAPABILITIES_FALSE='#' + if test x$load_warning = xtrue; then + USE_LOAD_WARNING_TRUE= + USE_LOAD_WARNING_FALSE='#' else - USE_CAPABILITIES_TRUE='#' - USE_CAPABILITIES_FALSE= + USE_LOAD_WARNING_TRUE='#' + USE_LOAD_WARNING_FALSE= fi if test x$pluto = xtrue; then @@ -16692,6 +16899,14 @@ else USE_FILE_CONFIG_FALSE= fi + if test x$capabilities = xlibcap; then + USE_LIBCAP_TRUE= + USE_LIBCAP_FALSE='#' +else + USE_LIBCAP_TRUE='#' + USE_LIBCAP_FALSE= +fi + if test x$vstr = xtrue; then USE_VSTR_TRUE= USE_VSTR_FALSE='#' @@ -16722,7 +16937,7 @@ if test x$mediation = xtrue; then $as_echo "#define ME 1" >>confdefs.h fi -if test x$capabilities = xlibcap; then +if test x$capabilities = xlibcap -o x$capabilities = xnative; then $as_echo "#define CAPABILITIES 1" >>confdefs.h fi 
@@ -16733,7 +16948,7 @@ fi -ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile 
src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile 
src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/kernel_netlink/Makefile src/libcharon/plugins/kernel_pfkey/Makefile src/libcharon/plugins/kernel_pfroute/Makefile src/libcharon/plugins/kernel_klips/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile 
src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -16941,6 +17156,10 @@ if test -z "${USE_X509_TRUE}" && test -z "${USE_X509_FALSE}"; then as_fn_error "conditional \"USE_X509\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then + as_fn_error "conditional \"USE_REVOCATION\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then as_fn_error "conditional \"USE_PUBKEY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -16977,10 +17196,6 @@ if test -z "${USE_SQLITE_TRUE}" && test -z "${USE_SQLITE_FALSE}"; then as_fn_error "conditional \"USE_SQLITE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then - as_fn_error "conditional \"USE_ATTR_SQL\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${USE_PADLOCK_TRUE}" && test -z "${USE_PADLOCK_FALSE}"; then as_fn_error "conditional \"USE_PADLOCK\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -17033,18 +17248,10 @@ if test -z "${USE_UPDOWN_TRUE}" && test -z "${USE_UPDOWN_FALSE}"; then as_fn_error "conditional \"USE_UPDOWN\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then - as_fn_error "conditional \"USE_ATTR\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${USE_DHCP_TRUE}" && test -z "${USE_DHCP_FALSE}"; then as_fn_error "conditional \"USE_DHCP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then - as_fn_error "conditional \"USE_RESOLVE\" was never defined. -Usually this means the macro was only invoked conditionally." "$LINENO" 5 -fi if test -z "${USE_UNIT_TESTS_TRUE}" && test -z "${USE_UNIT_TESTS_FALSE}"; then as_fn_error "conditional \"USE_UNIT_TESTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -17065,6 +17272,10 @@ if test -z "${USE_EAP_SIM_FILE_TRUE}" && test -z "${USE_EAP_SIM_FILE_FALSE}"; th as_fn_error "conditional \"USE_EAP_SIM_FILE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_EAP_SIMAKA_SQL_TRUE}" && test -z "${USE_EAP_SIMAKA_SQL_FALSE}"; then + as_fn_error "conditional \"USE_EAP_SIMAKA_SQL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_EAP_SIMAKA_PSEUDONYM_TRUE}" && test -z "${USE_EAP_SIMAKA_PSEUDONYM_FALSE}"; then as_fn_error "conditional \"USE_EAP_SIMAKA_PSEUDONYM\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -17133,6 +17344,26 @@ if test -z "${USE_FARP_TRUE}" && test -z "${USE_FARP_FALSE}"; then as_fn_error "conditional \"USE_FARP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_ADDRBLOCK_TRUE}" && test -z "${USE_ADDRBLOCK_FALSE}"; then + as_fn_error "conditional \"USE_ADDRBLOCK\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_ATTR_TRUE}" && test -z "${USE_ATTR_FALSE}"; then + as_fn_error "conditional \"USE_ATTR\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_ATTR_SQL_TRUE}" && test -z "${USE_ATTR_SQL_FALSE}"; then + as_fn_error "conditional \"USE_ATTR_SQL\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_RESOLVE_TRUE}" && test -z "${USE_RESOLVE_FALSE}"; then + as_fn_error "conditional \"USE_RESOLVE\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi +if test -z "${USE_XAUTH_TRUE}" && test -z "${USE_XAUTH_FALSE}"; then + as_fn_error "conditional \"USE_XAUTH\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_SMARTCARD_TRUE}" && test -z "${USE_SMARTCARD_FALSE}"; then as_fn_error "conditional \"USE_SMARTCARD\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -17181,8 +17412,8 @@ if test -z "${USE_INTEGRITY_TEST_TRUE}" && test -z "${USE_INTEGRITY_TEST_FALSE}" as_fn_error "conditional \"USE_INTEGRITY_TEST\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi -if test -z "${USE_CAPABILITIES_TRUE}" && test -z "${USE_CAPABILITIES_FALSE}"; then - as_fn_error "conditional \"USE_CAPABILITIES\" was never defined. +if test -z "${USE_LOAD_WARNING_TRUE}" && test -z "${USE_LOAD_WARNING_FALSE}"; then + as_fn_error "conditional \"USE_LOAD_WARNING\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${USE_PLUTO_TRUE}" && test -z "${USE_PLUTO_FALSE}"; then @@ -17217,6 +17448,10 @@ if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then as_fn_error "conditional \"USE_FILE_CONFIG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then + as_fn_error "conditional \"USE_LIBCAP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_VSTR_TRUE}" && test -z "${USE_VSTR_FALSE}"; then as_fn_error "conditional \"USE_VSTR\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -17637,8 +17872,8 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 4.4.0, which was -generated by GNU Autoconf 2.64. Invocation command line was +This file was extended by strongSwan $as_me 4.4.1, which was +generated by GNU Autoconf 2.65. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS 
@@ -17674,6 +17909,7 @@ Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit + --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files @@ -17691,10 +17927,11 @@ Report bugs to the package provider." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 4.4.0 -configured by $0, generated by GNU Autoconf 2.64, - with options \\"`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`\\" +strongSwan config.status 4.4.1 +configured by $0, generated by GNU Autoconf 2.65, + with options \\"\$ac_cs_config\\" Copyright (C) 2009 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation @@ -17732,6 +17969,8 @@ do ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; + --config | --confi | --conf | --con | --co | --c ) + $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) 
@@ -18076,6 +18315,7 @@ do "src/libstrongswan/plugins/hmac/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/hmac/Makefile" ;; "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;; "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;; + "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;; "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;; "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;; "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;; @@ -18093,9 +18333,11 @@ do "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;; "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;; "src/libhydra/plugins/attr_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr_sql/Makefile" ;; + "src/libhydra/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/resolve/Makefile" ;; "src/libfreeswan/Makefile") CONFIG_FILES="$CONFIG_FILES src/libfreeswan/Makefile" ;; "src/libsimaka/Makefile") CONFIG_FILES="$CONFIG_FILES src/libsimaka/Makefile" ;; "src/pluto/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/Makefile" ;; + "src/pluto/plugins/xauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/pluto/plugins/xauth/Makefile" ;; "src/whack/Makefile") CONFIG_FILES="$CONFIG_FILES src/whack/Makefile" ;; "src/charon/Makefile") CONFIG_FILES="$CONFIG_FILES src/charon/Makefile" ;; "src/libcharon/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/Makefile" ;; 
@@ -18106,6 +18348,7 @@ do "src/libcharon/plugins/eap_gtc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_gtc/Makefile" ;; "src/libcharon/plugins/eap_sim/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim/Makefile" ;; "src/libcharon/plugins/eap_sim_file/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_sim_file/Makefile" ;; + "src/libcharon/plugins/eap_simaka_sql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_sql/Makefile" ;; "src/libcharon/plugins/eap_simaka_pseudonym/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_pseudonym/Makefile" ;; "src/libcharon/plugins/eap_simaka_reauth/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_simaka_reauth/Makefile" ;; "src/libcharon/plugins/eap_mschapv2/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/eap_mschapv2/Makefile" ;; 
@@ -18123,13 +18366,13 @@ do "src/libcharon/plugins/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medsrv/Makefile" ;; "src/libcharon/plugins/medcli/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/medcli/Makefile" ;; "src/libcharon/plugins/nm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/nm/Makefile" ;; + "src/libcharon/plugins/addrblock/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/addrblock/Makefile" ;; "src/libcharon/plugins/uci/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/uci/Makefile" ;; "src/libcharon/plugins/ha/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/ha/Makefile" ;; "src/libcharon/plugins/android/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/android/Makefile" ;; "src/libcharon/plugins/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/stroke/Makefile" ;; "src/libcharon/plugins/updown/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/updown/Makefile" ;; "src/libcharon/plugins/dhcp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/dhcp/Makefile" ;; - "src/libcharon/plugins/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/resolve/Makefile" ;; "src/libcharon/plugins/unit_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/unit_tester/Makefile" ;; "src/libcharon/plugins/load_tester/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/load_tester/Makefile" ;; "src/stroke/Makefile") CONFIG_FILES="$CONFIG_FILES src/stroke/Makefile" ;; @@ -18251,7 +18494,7 @@ s/'"$ac_delim"'$// t delim :nl h -s/\(.\{148\}\).*/\1/ +s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p @@ -18265,7 +18508,7 @@ s/.\{148\}// t nl :delim h -s/\(.\{148\}\).*/\1/ +s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p diff --git a/configure.in b/configure.in index efcccbb42..d829071ea 100644 --- a/configure.in +++ b/configure.in 
@@ -16,7 +16,7 @@ dnl =========================== dnl initialize & set some vars dnl =========================== -AC_INIT(strongSwan,4.4.0) +AC_INIT(strongSwan,4.4.1) AM_INIT_AUTOMAKE(tar-ustar) AC_CONFIG_MACRO_DIR([m4/config]) PKG_PROG_PKG_CONFIG @@ -40,7 +40,7 @@ ARG_WITH_SUBST([linux-headers], [\${top_srcdir}/src/include], [set director ARG_WITH_SUBST([routing-table], [220], [set routing table to use for IPsec routes]) ARG_WITH_SUBST([routing-table-prio], [220], [set priority for IPsec routing table]) -ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently only the value "libcap" is supported]) +ARG_WITH_SET([capabilities], [no], [set capability dropping library. Currently supported values are "libcap" and "native"]) ARG_WITH_SET([mpz_powm_sec], [yes], [use the more side-channel resistant mpz_powm_sec in libgmp, if available]) AC_ARG_WITH( @@ -78,6 +78,7 @@ ARG_DISBL_SET([fips-prf], [disable FIPS PRF software implementation plugin ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementation plugin.]) ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) +ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]) ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.]) ARG_DISBL_SET([pkcs1], [disable PKCS1 key decoding plugin.]) ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.]) 
@@ -101,6 +102,7 @@ ARG_ENABL_SET([unit-tests], [enable unit tests on IKEv2 daemon startup.]) ARG_ENABL_SET([load-tester], [enable load testing plugin for IKEv2 daemon.]) ARG_ENABL_SET([eap-sim], [enable SIM authenication module for EAP.]) ARG_ENABL_SET([eap-sim-file], [enable EAP-SIM backend based on a triplet file.]) +ARG_ENABL_SET([eap-simaka-sql], [enable EAP-SIM/AKA backend based on a triplet/quintuplet SQL database.]) ARG_ENABL_SET([eap-simaka-pseudonym], [enable EAP-SIM/AKA pseudonym storage plugin.]) ARG_ENABL_SET([eap-simaka-reauth], [enable EAP-SIM/AKA reauthentication data storage plugin.]) ARG_ENABL_SET([eap-identity], [enable EAP module providing EAP-Identity helper.]) @@ -126,7 +128,9 @@ ARG_ENABL_SET([fast], [enable libfast (FastCGI Application Server w/ t ARG_ENABL_SET([manager], [enable web management console (proof of concept).]) ARG_ENABL_SET([mediation], [enable IKEv2 Mediation Extension.]) ARG_ENABL_SET([integrity-test], [enable integrity testing of libstrongswan and plugins.]) +ARG_DISBL_SET([load-warning], [disable the charon/pluto plugin load option warning in starter.]) ARG_DISBL_SET([pluto], [disable the IKEv1 keying daemon pluto.]) +ARG_DISBL_SET([xauth], [disable xauth plugin.]) ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon always uses threads.]) ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.]) ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).]) @@ -140,6 +144,7 @@ ARG_ENABL_SET([padlock], [enables VIA Padlock crypto plugin.]) ARG_ENABL_SET([openssl], [enables the OpenSSL crypto plugin.]) ARG_ENABL_SET([gcrypt], [enables the libgcrypt plugin.]) ARG_ENABL_SET([agent], [enables the ssh-agent signing plugin.]) +ARG_ENABL_SET([addrblock], [enables RFC 3779 address block constraint support.]) ARG_ENABL_SET([uci], [enable OpenWRT UCI configuration plugin.]) ARG_ENABL_SET([android], [enable Android specific plugin.]) ARG_ENABL_SET([nm], [enable NetworkManager plugin.]) 
@@ -334,6 +339,8 @@ LIBS=$saved_LIBS AC_CHECK_FUNCS(prctl) +AC_CHECK_FUNCS(mallinfo) + AC_CHECK_HEADERS(sys/sockio.h) AC_CHECK_HEADERS(net/pfkeyv2.h netipsec/ipsec.h netinet6/ipsec.h linux/udp.h) @@ -572,7 +579,7 @@ if test x$openssl = xtrue; then fi if test x$gcrypt = xtrue; then - AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])]) + AC_HAVE_LIBRARY([gcrypt],[LIBS="$LIBS"],[AC_MSG_ERROR([gcrypt library not found])],[-lgpg-error]) AC_CHECK_HEADER([gcrypt.h],,[AC_MSG_ERROR([gcrypt header gcrypt.h not found!])]) AC_MSG_CHECKING([gcrypt CAMELLIA cipher]) AC_TRY_COMPILE( @@ -611,9 +618,21 @@ if test x$eap_gtc = xtrue; then AC_CHECK_HEADER([security/pam_appl.h],,[AC_MSG_ERROR([PAM header security/pam_appl.h not found!])]) fi +if test x$capabilities = xnative; then + AC_MSG_NOTICE([Usage of the native Linux capabilities interface is deprecated, use libcap instead]) + dnl Linux requires the following for capset(), Android does not have it, + dnl but defines capset() in unistd.h instead. + AC_CHECK_HEADERS([sys/capability.h]) + AC_CHECK_FUNC(capset,,[AC_MSG_ERROR([capset() not found!])]) + AC_DEFINE(CAPABILITIES_NATIVE) +fi + if test x$capabilities = xlibcap; then AC_HAVE_LIBRARY([cap],[LIBS="$LIBS"],[AC_MSG_ERROR([libcap library not found])]) - AC_CHECK_HEADER([sys/capability.h],,[AC_MSG_ERROR([libcap header sys/capability.h not found!])]) + AC_CHECK_HEADER([sys/capability.h], + [AC_DEFINE(HAVE_SYS_CAPABILITY_H)], + [AC_MSG_ERROR([libcap header sys/capability.h not found!])]) + AC_DEFINE(CAPABILITIES_LIBCAP) fi if test x$integrity_test = xtrue; then @@ -690,6 +709,9 @@ if test x$x509 = xtrue; then libstrongswan_plugins=${libstrongswan_plugins}" x509" pluto_plugins=${pluto_plugins}" x509" fi +if test x$revocation = xtrue; then + libstrongswan_plugins=${libstrongswan_plugins}" revocation" +fi if test x$pubkey = xtrue; then libstrongswan_plugins=${libstrongswan_plugins}" pubkey" pluto_plugins=${pluto_plugins}" pubkey" 
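Review bot: In the `@@ -611,9 +618,21 @@` hunk the new native branch and the existing libcap branch are entered only for the exact values `native` and `libcap`, so any other non-`no` value of `--with-capabilities` falls through both, CAPABILITIES is never defined (the `@@ -865,7 +902,7 @@` hunk tests the same two values) and the build silently yields a daemon without privilege dropping. Unless ARG_WITH_SET validates its value itself, which is not visible here, configure should reject anything else: `if test x$capabilities != xno -a x$capabilities != xlibcap -a x$capabilities != xnative; then AC_MSG_ERROR([unsupported --with-capabilities value "$capabilities"]); fi`. A smaller consistency point: the native branch uses AC_CHECK_HEADERS, which defines HAVE_SYS_CAPABILITY_H by itself, while the libcap branch defines it by hand through AC_CHECK_HEADER; using the same form in both keeps the two paths comparable.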
@@ -746,13 +768,17 @@ if test x$gmp = xtrue; then libstrongswan_plugins=${libstrongswan_plugins}" gmp" pluto_plugins=${pluto_plugins}" gmp" fi +if test x$xauth = xtrue; then + pluto_plugins=${pluto_plugins}" xauth" +fi if test x$attr = xtrue; then libhydra_plugins=${libhydra_plugins}" attr" - pluto_plugins=${pluto_plugins}" attr" fi if test x$attr_sql = xtrue -o x$sql = xtrue; then libhydra_plugins=${libhydra_plugins}" attr-sql" - pluto_plugins=${pluto_plugins}" attr-sql" +fi +if test x$resolve = xtrue; then + libhydra_plugins=${libhydra_plugins}" resolve" fi AC_SUBST(libstrongswan_plugins) @@ -779,6 +805,7 @@ AM_CONDITIONAL(USE_FIPS_PRF, test x$fips_prf = xtrue) AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) AM_CONDITIONAL(USE_X509, test x$x509 = xtrue) +AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue) AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue) AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue) AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue) @@ -788,7 +815,6 @@ AM_CONDITIONAL(USE_HMAC, test x$hmac = xtrue) AM_CONDITIONAL(USE_XCBC, test x$xcbc = xtrue) AM_CONDITIONAL(USE_MYSQL, test x$mysql = xtrue) AM_CONDITIONAL(USE_SQLITE, test x$sqlite = xtrue) -AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue) AM_CONDITIONAL(USE_PADLOCK, test x$padlock = xtrue) AM_CONDITIONAL(USE_OPENSSL, test x$openssl = xtrue) AM_CONDITIONAL(USE_GCRYPT, test x$gcrypt = xtrue) 
@@ -805,14 +831,13 @@ AM_CONDITIONAL(USE_ANDROID, test x$android = xtrue) AM_CONDITIONAL(USE_SMP, test x$smp = xtrue) AM_CONDITIONAL(USE_SQL, test x$sql = xtrue) AM_CONDITIONAL(USE_UPDOWN, test x$updown = xtrue) -AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue) AM_CONDITIONAL(USE_DHCP, test x$dhcp = xtrue) -AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue) AM_CONDITIONAL(USE_UNIT_TESTS, test x$unit_tests = xtrue) AM_CONDITIONAL(USE_LOAD_TESTER, test x$load_tester = xtrue) AM_CONDITIONAL(USE_HA, test x$ha = xtrue) AM_CONDITIONAL(USE_EAP_SIM, test x$eap_sim = xtrue) AM_CONDITIONAL(USE_EAP_SIM_FILE, test x$eap_sim_file = xtrue) +AM_CONDITIONAL(USE_EAP_SIMAKA_SQL, test x$eap_simaka_sql = xtrue) AM_CONDITIONAL(USE_EAP_SIMAKA_PSEUDONYM, test x$eap_simaka_pseudonym = xtrue) AM_CONDITIONAL(USE_EAP_SIMAKA_REAUTH, test x$eap_simaka_reauth = xtrue) AM_CONDITIONAL(USE_EAP_IDENTITY, test x$eap_identity = xtrue) @@ -830,6 +855,17 @@ AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue) AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) AM_CONDITIONAL(USE_FARP, test x$farp = xtrue) +AM_CONDITIONAL(USE_ADDRBLOCK, test x$addrblock = xtrue) + +dnl hydra plugins +dnl ============= +AM_CONDITIONAL(USE_ATTR, test x$attr = xtrue) +AM_CONDITIONAL(USE_ATTR_SQL, test x$attr_sql = xtrue -o x$sql = xtrue) +AM_CONDITIONAL(USE_RESOLVE, test x$resolve = xtrue) + +dnl pluto plugins +dnl ============= +AM_CONDITIONAL(USE_XAUTH, test x$xauth = xtrue) dnl other options dnl ============= 
@@ -845,7 +881,7 @@ AM_CONDITIONAL(USE_FAST, test x$fast = xtrue) AM_CONDITIONAL(USE_MANAGER, test x$manager = xtrue) AM_CONDITIONAL(USE_ME, test x$mediation = xtrue) AM_CONDITIONAL(USE_INTEGRITY_TEST, test x$integrity_test = xtrue) -AM_CONDITIONAL(USE_CAPABILITIES, test x$capabilities = xlibcap) +AM_CONDITIONAL(USE_LOAD_WARNING, test x$load_warning = xtrue) AM_CONDITIONAL(USE_PLUTO, test x$pluto = xtrue) AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue) AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) @@ -854,6 +890,7 @@ AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue) AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue) AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) +AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue) AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue) AM_CONDITIONAL(MONOLITHIC, test x$monolithic = xtrue) @@ -865,7 +902,7 @@ dnl ============================== if test x$mediation = xtrue; then AC_DEFINE(ME) fi -if test x$capabilities = xlibcap; then +if test x$capabilities = xlibcap -o x$capabilities = xnative; then AC_DEFINE(CAPABILITIES) fi if test x$monolithic = xtrue; then @@ -895,6 +932,7 @@ AC_OUTPUT( src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile + src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile @@ -912,9 +950,11 @@ AC_OUTPUT( src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile + src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/pluto/Makefile + src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile 
@@ -925,6 +965,7 @@ AC_OUTPUT( src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile + src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile @@ -942,13 +983,13 @@ AC_OUTPUT( src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile + src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile - src/libcharon/plugins/resolve/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile diff --git a/ltmain.sh b/ltmain.sh index 3506ead39..7ed280bc9 100644 --- a/ltmain.sh +++ b/ltmain.sh @@ -1,6 +1,6 @@ # Generated from ltmain.m4sh. -# ltmain.sh (GNU libtool) 2.2.6 +# ltmain.sh (GNU libtool) 2.2.6b # Written by Gordon Matzigkeit , 1996 # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2003, 2004, 2005, 2006, 2007 2008 Free Software Foundation, Inc. @@ -65,7 +65,7 @@ # compiler: $LTCC # compiler flags: $LTCFLAGS # linker: $LD (gnu? $with_gnu_ld) -# $progname: (GNU libtool) 2.2.6 Debian-2.2.6a-4 +# $progname: (GNU libtool) 2.2.6b Debian-2.2.6b-2ubuntu1 # automake: $automake_version # autoconf: $autoconf_version # @@ -73,9 +73,9 @@ PROGRAM=ltmain.sh PACKAGE=libtool -VERSION="2.2.6 Debian-2.2.6a-4" +VERSION="2.2.6b Debian-2.2.6b-2ubuntu1" TIMESTAMP="" -package_revision=1.3012 +package_revision=1.3017 # Be Bourne compatible if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then diff --git a/m4/config/libtool.m4 b/m4/config/libtool.m4 index 1e7ea47c0..a3fee5360 100644 --- a/m4/config/libtool.m4 +++ b/m4/config/libtool.m4 
@@ -2445,7 +2445,7 @@ linux*oldld* | linux*aout* | linux*coff*) ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) version_type=linux need_lib_prefix=no need_version=no @@ -3084,7 +3084,7 @@ irix5* | irix6* | nonstopux*) ;; # This must be Linux ELF. -linux* | k*bsd*-gnu) +linux* | k*bsd*-gnu | kopensolaris*-gnu) lt_cv_deplibs_check_method=pass_all ;; @@ -3705,7 +3705,7 @@ m4_if([$1], [CXX], [ ;; esac ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in KCC*) # KAI C++ Compiler @@ -3989,7 +3989,7 @@ m4_if([$1], [CXX], [ _LT_TAGVAR(lt_prog_compiler_static, $1)='-non_shared' ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in # old Intel for x86_64 which still supported -KPIC. ecc*) @@ -4285,6 +4285,7 @@ dnl Note also adjust exclude_expsyms for C++ above. fi supports_anon_versioning=no case `$LD -v 2>&1` in + *GNU\ gold*) supports_anon_versioning=yes ;; *\ [[01]].* | *\ 2.[[0-9]].* | *\ 2.10.*) ;; # catch versions < 2.11 *\ 2.11.93.0.2\ *) supports_anon_versioning=yes ;; # RH7.3 ... *\ 2.11.92.0.12\ *) supports_anon_versioning=yes ;; # Mandrake 8.2 ... @@ -4376,7 +4377,7 @@ _LT_EOF _LT_TAGVAR(archive_expsym_cmds, $1)='sed "s,^,_," $export_symbols >$output_objdir/$soname.expsym~$CC -shared $pic_flag $libobjs $deplibs $compiler_flags ${wl}-h,$soname ${wl}--retain-symbols-file,$output_objdir/$soname.expsym ${wl}--image-base,`expr ${RANDOM-$$} % 4096 / 2 \* 262144 + 1342177280` -o $lib' ;; - gnu* | linux* | tpf* | k*bsd*-gnu) + gnu* | linux* | tpf* | k*bsd*-gnu | kopensolaris*-gnu) tmp_diet=no if test "$host_os" = linux-dietlibc; then case $cc_basename in @@ -5860,7 +5861,7 @@ if test "$_lt_caught_CXX_error" != yes; then _LT_TAGVAR(inherit_rpath, $1)=yes ;; - linux* | k*bsd*-gnu) + linux* | k*bsd*-gnu | kopensolaris*-gnu) case $cc_basename in KCC*) # Kuck and Associates, Inc. (KAI) C++ Compiler 
diff --git a/m4/config/ltversion.m4 b/m4/config/ltversion.m4 index b8e154fe6..f3c530980 100644 --- a/m4/config/ltversion.m4 +++ b/m4/config/ltversion.m4 @@ -9,15 +9,15 @@ # Generated from ltversion.in. -# serial 3012 ltversion.m4 +# serial 3017 ltversion.m4 # This file is part of GNU Libtool -m4_define([LT_PACKAGE_VERSION], [2.2.6]) -m4_define([LT_PACKAGE_REVISION], [1.3012]) +m4_define([LT_PACKAGE_VERSION], [2.2.6b]) +m4_define([LT_PACKAGE_REVISION], [1.3017]) AC_DEFUN([LTVERSION_VERSION], -[macro_version='2.2.6' -macro_revision='1.3012' +[macro_version='2.2.6b' +macro_revision='1.3017' _LT_DECL(, macro_version, 0, [Which release of libtool.m4 was used?]) _LT_DECL(, macro_revision, 0) ]) diff --git a/scripts/Makefile.in b/scripts/Makefile.in index 6a75fa7ae..20e6df94c 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/scripts/key2keyid.c b/scripts/key2keyid.c index cd6ebc1ed..551d031c6 100644 --- a/scripts/key2keyid.c +++ b/scripts/key2keyid.c 
@@ -37,17 +37,17 @@ int main(int argc, char *argv[]) printf("parsed %d bits %N private key.\n", private->get_keysize(private)*8, key_type_names, private->get_type(private)); - if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &chunk)) + if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &chunk)) { printf("subjectPublicKeyInfo keyid: %#B\n", &chunk); } - if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &chunk)) + if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &chunk)) { printf("subjectPublicKey keyid: %#B\n", &chunk); } - if (private->get_fingerprint(private, KEY_ID_PGPV3, &chunk)) + if (private->get_fingerprint(private, KEYID_PGPV3, &chunk)) { - printf("PGP verison 3 keyid: %#B\n", &chunk); + printf("PGP version 3 keyid: %#B\n", &chunk); } private->destroy(private); return 0; @@ -67,17 +67,17 @@ int main(int argc, char *argv[]) printf("parsed %d bits %N public key.\n", public->get_keysize(public)*8, key_type_names, public->get_type(public)); - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk)) { printf("subjectPublicKeyInfo keyid: %#B\n", &chunk); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) { printf("subjectPublicKey keyid: %#B\n", &chunk); } - if (public->get_fingerprint(public, KEY_ID_PGPV3, &chunk)) + if (public->get_fingerprint(public, KEYID_PGPV3, &chunk)) { - printf("PGP verison 3 keyid: %#B\n", &chunk); + printf("PGP version 3 keyid: %#B\n", &chunk); } public->destroy(public); return 0; diff --git a/scripts/keyid2sql.c b/scripts/keyid2sql.c index 2d17c273d..e37303c08 100644 --- a/scripts/keyid2sql.c +++ b/scripts/keyid2sql.c 
@@ -34,7 +34,7 @@ int main(int argc, char *argv[]) BUILD_END); if (private) { - if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &chunk)) + if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &chunk)) { printf("%d, X'", ID_KEY_ID); for (n = 0; n < chunk.len; n++) @@ -58,7 +58,7 @@ int main(int argc, char *argv[]) } if (public) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) { printf("%d, X'", ID_KEY_ID); for (n = 0; n < chunk.len; n++) diff --git a/src/Makefile.in b/src/Makefile.in index 2a04c8b19..0bd728397 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -317,7 +317,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -342,7 +342,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index d4e1c157b..eb52fc52e 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index cf153461d..73ecf1abb 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/_updown/_updown.in b/src/_updown/_updown.in index 2cc311665..430a0cff6 100644 --- a/src/_updown/_updown.in +++ b/src/_updown/_updown.in @@ -115,6 +115,19 @@ # is the UDP/TCP port to which the IPsec SA is # restricted on the peer side. # +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# # define a minimum PATH environment in case it is not set PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@" diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index a4379b44c..10ea4312f 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/_updown_espmark/_updown_espmark b/src/_updown_espmark/_updown_espmark index 74de0722d..42cd3607b 100644 --- a/src/_updown_espmark/_updown_espmark +++ b/src/_updown_espmark/_updown_espmark @@ -115,6 +115,19 @@ # is the UDP/TCP port to which the IPsec SA is # restricted on the peer side. # +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# # logging of VPN connections # 
diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in
index 66690a37a..72abca97e 100644
--- a/src/charon/Makefile.in
+++ b/src/charon/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/charon/charon.c b/src/charon/charon.c
index 9b552fb62..84cd54615 100644
--- a/src/charon/charon.c
+++ b/src/charon/charon.c
@@ -38,11 +38,21 @@
 #include
 #include
+#ifdef ANDROID
+#include
+#endif
+
+
 /**
 * PID file, in which charon stores its process id
 */
 #define PID_FILE IPSEC_PIDDIR "/charon.pid"
+/**
+ * Global reference to PID file (required to truncate, if undeletable)
+ */
+static FILE *pidfile = NULL;
+
 /**
 * hook in library for debugging messages
 */
@@ -177,6 +187,9 @@ static bool lookup_uid_gid()
 }
 charon->gid = grp->gr_gid;
 }
+#endif
+#ifdef ANDROID
+ charon->uid = AID_VPN;
 #endif
 return TRUE;
 }
@@ -190,7 +203,7 @@ static void segv_handler(int signal)
 DBG1(DBG_DMN, "thread %u received %d", thread_current_id(), signal);
 backtrace = backtrace_create(2);
- backtrace->log(backtrace, stderr);
+ backtrace->log(backtrace, stderr, TRUE);
 backtrace->destroy(backtrace);
 DBG1(DBG_DMN, "killing ourself, received critical signal");
@@ -203,22 +216,21 @@ static void segv_handler(int signal)
 static bool check_pidfile()
 {
 struct stat stb;
- FILE *file;
 if (stat(PID_FILE, &stb) == 0)
 {
- file = fopen(PID_FILE, "r");
- if (file)
+ pidfile = fopen(PID_FILE, "r");
+ if (pidfile)
 {
 char buf[64];
 pid_t pid = 0;
 memset(buf, 0, sizeof(buf));
- if (fread(buf, 1, sizeof(buf), file))
+ if (fread(buf, 1, sizeof(buf), pidfile))
 {
 pid = atoi(buf);
 }
- fclose(file);
+ fclose(pidfile);
 if (pid && kill(pid, 0) == 0)
 {
 /* such a process is running */
 return TRUE;
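Review bot: In check_pidfile(), the new `fclose(pidfile);` (replacing `fclose(file);`) leaves the file-scope `pidfile` pointing at a closed stream, and on the `return TRUE;` path just below it stays that way. unlink_pidfile(), introduced in the next hunk, guards only with `if (pidfile)` before calling fileno() and fclose() on it, so any later call would act on an already-closed FILE, which is undefined behaviour; write `fclose(pidfile); pidfile = NULL;` here. Whether unlink_pidfile() is actually reachable on the already-running path cannot be seen from this hunk, but clearing the pointer keeps the global consistent regardless. check_pidfile()'s body continues past the end of this hunk.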
@@ -229,16 +241,34 @@ static bool check_pidfile()
 }
 /* create new pidfile */
- file = fopen(PID_FILE, "w");
- if (file)
+ pidfile = fopen(PID_FILE, "w");
+ if (pidfile)
 {
- fprintf(file, "%d\n", getpid());
- ignore_result(fchown(fileno(file), charon->uid, charon->gid));
- fclose(file);
+ ignore_result(fchown(fileno(pidfile), charon->uid, charon->gid));
+ fprintf(pidfile, "%d\n", getpid());
+ fflush(pidfile);
 }
 return FALSE;
 }
+/**
+ * Delete/truncate the PID file
+ */
+static void unlink_pidfile()
+{
+ /* because unlinking the PID file may fail, we truncate it to ensure the
+ * daemon can be properly restarted. one probable cause for this is the
+ * combination of not running as root and the effective user lacking
+ * permissions on the parent dir(s) of the PID file */
+ if (pidfile)
+ {
+ ignore_result(ftruncate(fileno(pidfile), 0));
+ fclose(pidfile);
+ }
+ unlink(PID_FILE);
+}
+
+
 /**
 * print command line usage and exit
 */
@@ -258,7 +288,6 @@ static void usage(const char *msg)
 " 2 = controlmore, 3 = raw, 4 = private)\n" "\n"
 );
- exit(msg == NULL? 0 : 1);
 }
 /**
@@ -337,7 +366,8 @@ int main(int argc, char *argv[])
 break;
 case 'h':
 usage(NULL);
- break;
+ status = 0;
+ goto deinit;
 case 'v':
 printf("Linux strongSwan %s\n", VERSION);
 status = 0;
@@ -351,7 +381,8 @@ int main(int argc, char *argv[])
 continue;
 default:
 usage("");
- break;
+ status = 1;
+ goto deinit;
 }
 break;
 }
@@ -405,7 +436,7 @@ int main(int argc, char *argv[])
 run();
 /* normal termination, cleanup and exit */
- unlink(PID_FILE);
+ unlink_pidfile();
 status = 0;
 deinit:
diff --git a/src/checksum/Makefile.am b/src/checksum/Makefile.am
index 27d615dab..ad2923799 100644
--- a/src/checksum/Makefile.am
+++ b/src/checksum/Makefile.am
@@ -19,6 +19,7 @@ AM_CFLAGS = -rdynamic
 libs = $(shell find $(top_builddir)/src/libstrongswan \
 $(top_builddir)/src/libcharon \
 $(top_builddir)/src/libhydra \
+ $(top_builddir)/src/pluto \
 -name 'libstrongswan*.so')
 if USE_LIBHYDRA
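Review bot: The PID file is now held open for the daemon's entire lifetime (`fflush(pidfile);` replaces the old fclose), but nothing sets close-on-exec on that descriptor, so every process charon spawns inherits a writable handle to its own PID file; add `fcntl(fileno(pidfile), F_SETFD, FD_CLOEXEC);` right after the `if (pidfile)` check succeeds. The results of fprintf() and fflush() are also discarded, so a failed write leaves an empty or partial PID file without a trace in the log; `if (fflush(pidfile) != 0)` followed by a DBG1 message would surface that. In unlink_pidfile(), `fclose(pidfile);` should likewise be followed by `pidfile = NULL;` so that a second call cannot close the stream twice. check_pidfile()'s body begins before this hunk.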
diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in
index 3e0ab1e69..05e90a9a1 100644
--- a/src/checksum/Makefile.in
+++ b/src/checksum/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -288,8 +288,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan
 AM_CFLAGS = -rdynamic
 libs = $(shell find $(top_builddir)/src/libstrongswan \
 $(top_builddir)/src/libcharon $(top_builddir)/src/libhydra \
- -name 'libstrongswan*.so') $(am__append_1) $(am__append_2) \
- $(am__append_3) $(am__append_4) $(am__append_5)
+ $(top_builddir)/src/pluto -name 'libstrongswan*.so') \
+ $(am__append_1) $(am__append_2) $(am__append_3) \
+ $(am__append_4) $(am__append_5)
 all: $(BUILT_SOURCES)
 $(MAKE) $(AM_MAKEFLAGS) all-am
diff --git a/src/checksum/checksum_builder.c b/src/checksum/checksum_builder.c
index b68a25a19..2db68054e 100644
--- a/src/checksum/checksum_builder.c
+++ b/src/checksum/checksum_builder.c
@@ -20,6 +20,9 @@
 #include
+/* we need to fake the pluto symbol to dlopen() the xauth plugin */
+void *pluto;
+
 int main(int argc, char* argv[])
 {
 int i;
diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in
index 36fdbff28..37751b856 100644
--- a/src/dumm/Makefile.in
+++ b/src/dumm/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index 720ba3a11..c47e6e451 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h index d28e85310..b971e3848 100644 --- a/src/include/linux/xfrm.h +++ b/src/include/linux/xfrm.h @@ -10,8 +10,7 @@ /* Structure to encapsulate addresses. I do not want to use * "standard" structure. My apologies. */ -typedef union -{ +typedef union { __be32 a4; __be32 a6[4]; } xfrm_address_t; @@ -20,8 +19,7 @@ typedef union * the state by (spi,daddr,ah/esp) or to store information about * spi, protocol and tunnel address on output. */ -struct xfrm_id -{ +struct xfrm_id { xfrm_address_t daddr; __be32 spi; __u8 proto; @@ -45,8 +43,7 @@ struct xfrm_sec_ctx { /* Selector, used as selector both on policy rules (SPD) and SAs. */ -struct xfrm_selector -{ +struct xfrm_selector { xfrm_address_t daddr; xfrm_address_t saddr; __be16 dport; @@ -63,8 +60,7 @@ struct xfrm_selector #define XFRM_INF (~(__u64)0) -struct xfrm_lifetime_cfg -{ +struct xfrm_lifetime_cfg { __u64 soft_byte_limit; __u64 hard_byte_limit; __u64 soft_packet_limit; @@ -75,16 +71,14 @@ struct xfrm_lifetime_cfg __u64 hard_use_expires_seconds; }; -struct xfrm_lifetime_cur -{ +struct xfrm_lifetime_cur { __u64 bytes; __u64 packets; __u64 add_time; __u64 use_time; }; -struct xfrm_replay_state -{ +struct xfrm_replay_state { __u32 oseq; __u32 seq; __u32 bitmap; @@ -116,16 +110,14 @@ struct xfrm_stats { __u32 integrity_failed; }; -enum -{ +enum { XFRM_POLICY_TYPE_MAIN = 0, XFRM_POLICY_TYPE_SUB = 1, XFRM_POLICY_TYPE_MAX = 2, XFRM_POLICY_TYPE_ANY = 255 }; -enum -{ +enum { XFRM_POLICY_IN = 0, XFRM_POLICY_OUT = 1, XFRM_POLICY_FWD = 2, @@ -133,8 +125,7 @@ enum XFRM_POLICY_MAX = 3 }; -enum -{ +enum { XFRM_SHARE_ANY, /* No limitations */ XFRM_SHARE_SESSION, /* For this session only */ XFRM_SHARE_USER, /* For this user only */ 
@@ -276,8 +267,8 @@ enum xfrm_attr_type_t {
 XFRMA_ALG_COMP, /* struct xfrm_algo */
 XFRMA_ENCAP, /* struct xfrm_algo + struct xfrm_encap_tmpl */
 XFRMA_TMPL, /* 1 or more struct xfrm_user_tmpl */
- XFRMA_SA,
- XFRMA_POLICY,
+ XFRMA_SA, /* struct xfrm_usersa_info */
+ XFRMA_POLICY, /*struct xfrm_userpolicy_info */
 XFRMA_SEC_CTX, /* struct xfrm_sec_ctx */
 XFRMA_LTIME_VAL,
 XFRMA_REPLAY_VAL,
@@ -285,17 +276,23 @@ enum xfrm_attr_type_t {
 XFRMA_ETIMER_THRESH,
 XFRMA_SRCADDR, /* xfrm_address_t */
 XFRMA_COADDR, /* xfrm_address_t */
- XFRMA_LASTUSED,
+ XFRMA_LASTUSED, /* unsigned long */
 XFRMA_POLICY_TYPE, /* struct xfrm_userpolicy_type */
 XFRMA_MIGRATE,
 XFRMA_ALG_AEAD, /* struct xfrm_algo_aead */
 XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */
 XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */
+ XFRMA_MARK, /* struct xfrm_mark */
 __XFRMA_MAX
 #define XFRMA_MAX (__XFRMA_MAX - 1)
 };
+struct xfrm_mark {
+ __u32 v; /* value */
+ __u32 m; /* mask */
+};
+
 enum xfrm_sadattr_type_t {
 XFRMA_SAD_UNSPEC,
 XFRMA_SAD_CNT,
diff --git a/src/ipsec/Makefile.am b/src/ipsec/Makefile.am
index f3ca1ca06..510f1021a 100644
--- a/src/ipsec/Makefile.am
+++ b/src/ipsec/Makefile.am
@@ -1,7 +1,12 @@
 sbin_SCRIPTS = ipsec
-CLEANFILES = ipsec
+CLEANFILES = ipsec ipsec.8
 dist_man8_MANS = ipsec.8
-EXTRA_DIST = ipsec.in
+EXTRA_DIST = ipsec.in ipsec.8.in
+
+ipsec.8 : ipsec.8.in
+ sed \
+ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \
+ $(srcdir)/$@.in > $@
 ipsec : ipsec.in
 sed \
@@ -10,7 +15,7 @@ ipsec : ipsec.in
 -e "s:@IPSEC_DISTRO@::" \
 -e "s:@IPSEC_DIR@:$(ipsecdir):" \
 -e "s:@IPSEC_SBINDIR@:$(sbindir):" \
- -e "s:@IPSEC_CONFDIR@:$(confdir):" \
+ -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \
 -e "s:@IPSEC_PIDDIR@:$(piddir):" \
 $(srcdir)/$@.in > $@
 chmod +x $@
diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in
index 3834b672a..2b4b14b49 100644
--- a/src/ipsec/Makefile.in
+++ b/src/ipsec/Makefile.in
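Review bot: ipsec.8 becomes a build product of ipsec.8.in here (added to `CLEANFILES` and produced by the new sed rule), yet src/ipsec/ipsec.8 is still a tracked file that this same commit edits, with the version hard-coded as `"4.4.1rc3"` in its `.TH` line while the commit imports 4.4.0. `make clean` will now delete a tracked file, and the checked-in copy cannot stay in sync with `$(PACKAGE_VERSION)`. Drop ipsec.8 from the tree (and ignore it) so only the generated page is installed, or keep it tracked and remove it from `CLEANFILES`; a comment on the rule such as `# ipsec.8 is generated from ipsec.8.in; edit the .in file` would make the intent clear either way. The switch from the undefined `$(confdir)` to `$(sysconfdir)` in the second hunk looks right.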
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -236,9 +236,9 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ sbin_SCRIPTS = ipsec -CLEANFILES = ipsec +CLEANFILES = ipsec ipsec.8 dist_man8_MANS = ipsec.8 -EXTRA_DIST = ipsec.in +EXTRA_DIST = ipsec.in ipsec.8.in all: all-am .SUFFIXES: @@ -513,6 +513,11 @@ uninstall-man: uninstall-man8 uninstall-sbinSCRIPTS +ipsec.8 : ipsec.8.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + ipsec : ipsec.in sed \ -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ @@ -520,7 +525,7 @@ ipsec : ipsec.in -e "s:@IPSEC_DISTRO@::" \ -e "s:@IPSEC_DIR@:$(ipsecdir):" \ -e "s:@IPSEC_SBINDIR@:$(sbindir):" \ - -e "s:@IPSEC_CONFDIR@:$(confdir):" \ + -e "s:@IPSEC_CONFDIR@:$(sysconfdir):" \ -e "s:@IPSEC_PIDDIR@:$(piddir):" \ $(srcdir)/$@.in > $@ chmod +x $@ diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8 index 0cd9914cc..150fefc12 100644 --- a/src/ipsec/ipsec.8 +++ b/src/ipsec/ipsec.8 
@@ -1,128 +1,23 @@ -.TH IPSEC 8 "9 February 2006" +.TH IPSEC 8 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS .B ipsec -command [ argument ...] -.sp -.B ipsec start|update|reload|restart|stop -.sp -.B ipsec up|down|route|unroute -\fIconnectionname\fP -.sp -.B ipsec status|statusall -[ -\fIconnectionname\fP -] -.sp -.B ipsec listalgs|listpubkeys|listcerts -[ -.B \-\-utc -] -.br -.B ipsec listcacerts|listaacerts|listocspcerts -[ -.B \-\-utc -] -.br -.B ipsec listacerts|listgroups|listcainfos -[ -.B \-\-utc -] -.br -.B ipsec listcrls|listocsp|listcards|listall -[ -.B \-\-utc -] -.sp -.B ipsec rereadsecrets|rereadgroups -.br -.B ipsec rereadcacerts|rereadaacerts|rereadocspcerts -.br -.B ipsec rereadacerts|rereadcrls|rereadall -.sp -.B ipsec purgeocsp -.sp -.B ipsec -[ -.B \-\-help -] [ -.B \-\-version -] [ -.B \-\-versioncode -] [ -.B \-\-copyright -] -.br -.B ipsec -[ -.B \-\-directory -] [ -.B \-\-confdir -] +\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ] +.PP .SH DESCRIPTION -.I Ipsec -invokes any of several utilities involved in controlling the IPsec -encryption/authentication system, -running the specified -.I command -with the specified -.IR argument s -as if it had been invoked directly. -This largely eliminates possible name collisions with other software, +The +.B ipsec +utility invokes any of several utilities involved in controlling and monitoring +the IPsec encryption/authentication system, running the specified \fIcommand\fP +with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked +directly. This largely eliminates possible name collisions with other software, and also permits some centralized services. .PP -The commands -.BR start , -.BR update , -.BR reload , -.BR restart , -and -.BR stop -are built-in and are used to control the -.BR "ipsec starter" -utility, an extremely fast replacement for the traditional -.BR ipsec -.BR setup -script. 
-.PP -The commands -.BR up, -.BR down, -.BR route, -.BR unroute, -.BR status, -.BR statusall, -.BR listalgs, -.BR listpubkeys, -.BR listcerts, -.BR listcacerts, -.BR listaacerts, -.BR listocspcerts, -.BR listacerts, -.BR listgroups, -.BR listcainfos, -.BR listcrls, -.BR listocsp, -.BR listcards, -.BR listall, -.BR rereadsecrets, -.BR rereadgroups, -.BR rereadcacerts, -.BR rereadaacerts, -.BR rereadocspcerts, -.BR rereadacerts, -.BR rereadcrls, -and -.BR rereadall -are also built-in and completely replace the corresponding -.BR "ipsec auto" -\-\-\fIoperation\fP" -commands. Communication with the pluto daemon happens via the -.BR "ipsec whack" -socket interface. -.PP -In particular, +All the commands described in this manual page are built-in and are used to +control and monitor IPsec connections as well as the IKE daemons. +.PP +For other commands .I ipsec supplies the invoked .I command 
@@ -134,173 +29,243 @@ the full pathname of the directory where the IPsec utilities are stored, the full pathname of the directory where the configuration files live, and the IPsec version number. .PP -.B "ipsec start" +.SS CONTROL COMMANDS +.TP +.B "ipsec start [ starter options ]" calls .BR "ipsec starter" -which in turn starts \fIpluto\fR. +which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and +IKEv2 \fIcharon\fR daemons. .PP +.TP .B "ipsec update" sends a \fIHUP\fR signal to .BR "ipsec starter" which in turn determines any changes in \fIipsec.conf\fR -and updates the configuration on the running \fIpluto\fR daemon, correspondingly. +and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons, correspondingly. .PP +.TP .B "ipsec reload" sends a \fIUSR1\fR signal to .BR "ipsec starter" -which in turn reloads the whole configuration on the running \fIpluto\fR daemon -based on the actual \fIipsec.conf\fR. +which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR +and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR. .PP +.TP .B "ipsec restart" -executes +is equivalent to .B "ipsec stop" followed by -.BR "ipsec start". +.B "ipsec start" +after a guard of 2 seconds. .PP +.TP .B "ipsec stop" -stops \fIipsec\fR by sending a \fITERM\fR signal to +terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons by sending a \fITERM\fR signal to .BR "ipsec starter". .PP -.B "ipsec up" -\fIname\fP tells the \fIpluto\fP daemon to start up connection \fIname\fP. +.TP +.B "ipsec up \fIname\fP" +tells the responsible IKE daemon to start up connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname\fP" +tells the responsible IKE daemon to terminate connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname{n}\fP" +terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP. 
.PP -.B "ipsec down" -\fIname\fP tells the \fIpluto\fP daemon to take down connection \fIname\fP. +.TP +.B "ipsec down \fIname{*}\fP" +terminates all IKEv2 CHILD SA instances of connection \fIname\fP. .PP -.B "ipsec route" -\fIname\fP tells the \fIpluto\fP daemon to install a route for connection -\fIname\fP. +.TP +.B "ipsec down \fIname[n]\fP" +terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP. .PP -.B "ipsec unroute" -\fIname\fP tells the \fIpluto\fP daemon to take down the route for connection -\fIname\fP. +.TP +.B "ipsec down \fIname[*]\fP" +terminates all IKEv2 IKE SA instances of connection \fIname\fP. .PP -.B "ipsec status" -[ \fIname\fP ] gives concise status information either on connection -\fIname\fP or if the \fIname\fP argument is lacking, on all connections. +.TP +.B "ipsec route \fIname\fP" +tells the responsible IKE daemon to insert an IPsec policy in the kernel +for connection \fIname\fP. The first payload packet matching the IPsec policy +will automatically trigger an IKE connection setup. .PP -.B "ipsec statusall" -[ \fIname\fP ] gives detailed status information either on connection -\fIname\fP or if the \fIname\fP argument is lacking, on all connections. +.TP +.B "ipsec unroute \fIname\fP" +remove the IPsec policy in the kernel for connection \fIname\fP. .PP +.TP +.B "ipsec status [ \fIname\fP ]" +returns concise status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.TP +.B "ipsec statusall [ \fIname\fP ]" +returns detailed status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.SS LIST COMMANDS +.TP .B "ipsec listalgs" returns a list all supported IKE encryption and hash algorithms, the available -Diffie-Hellman groups, as well as all supported ESP encryption and authentication -algorithms. 
+Diffie-Hellman groups, as well as all supported ESP encryption and +authentication algorithms registered via the Linux kernel's Crypto API. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listpubkeys" +.TP +.B "ipsec listpubkeys [ --utc ]" returns a list of RSA public keys that were either loaded in raw key format or extracted from X.509 and|or OpenPGP certificates. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listcerts" -returns a list of X.509 and|or OpenPGP certificates that were loaded locally -by the \fIpluto\fP daemon. +.TP +.B "ipsec listcerts [ --utc ]" +returns a list of X.509 and|or OpenPGP certificates that were either loaded +locally by the IKE daemon or received via the IKEv2 protocol. .PP -.B "ipsec listcacerts" +.TP +.B "ipsec listcacerts [ --utc ]" returns a list of X.509 Certification Authority (CA) certificates that were -loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/cacerts/\fP -directory or received in PKCS#7-wrapped certificate payloads via the IKE +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +directory or received in PKCS#7-wrapped certificate payloads via the IKE protocol. .PP -.B "ipsec listaacerts" +.TP +.B "ipsec listaacerts [ --utc ]" returns a list of X.509 Authorization Authority (AA) certificates that were -loaded locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/aacerts/\fP +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP directory. .PP -.B "ipsec listocspcerts" +.TP +.B "ipsec listocspcerts [ --utc ]" returns a list of X.509 OCSP Signer certificates that were either loaded -locally by the \fIpluto\fP daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP directory or were sent by an OCSP server. 
.PP -.B "ipsec listacerts" +.TP +.B "ipsec listacerts [ --utc ]" returns a list of X.509 Attribute certificates that were loaded locally by -the \fIpluto\fP daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. .PP -.B "ipsec listgroups" +.TP +.B "ipsec listgroups [ --utc ]" returns a list of groups that are used to define user authorization profiles. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listcainfos" +.TP +.B "ipsec listcainfos [ --utc ]" returns certification authority information (CRL distribution points, OCSP URIs, LDAP servers) that were defined by .BR ca sections in \fIipsec.conf\fP. .PP -.B "ipsec listcrls" -returns a list of Certificate Revocation Lists (CRLs). +.TP +.B "ipsec listcrls [ --utc ]" +returns a list of Certificate Revocation Lists (CRLs) that were either loaded +by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +an HTTP- or LDAP-based CRL distribution point. .PP -.B "ipsec listocsp" +.TP +.B "ipsec listocsp [ --utc ]" returns revocation information fetched from OCSP servers. .PP -.B "ipsec listcards" -returns a list of certificates residing on smartcards. +.TP +.B "ipsec listcards [ --utc ]" +list all certificates found on attached smart cards. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. .PP -.B "ipsec listall" +.TP +.B "ipsec listall [ --utc ]" returns all information generated by the list commands above. Each list command can be called with the -\-\-url +\fB\-\-utc\fP option which displays all dates in UTC instead of local time. .PP +.SS REREAD COMMANDS +.TP .B "ipsec rereadsecrets" -flushes and rereads all secrets defined in \fIipsec.conf\fP. +flushes and rereads all secrets defined in \fIipsec.secrets\fP. .PP +.TP .B "ipsec rereadcacerts" reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP -directory and adds them to \fIpluto\fP's list of Certification Authority (CA) certificates. 
+directory and adds them to the list of Certification Authority (CA) +certificates. .PP +.TP .B "ipsec rereadaacerts" reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP -directory and adds them to \fIpluto\fP's list of Authorization Authority (AA) certificates. +directory and adds them to the list of Authorization Authority (AA) +certificates. .PP +.TP .B "ipsec rereadocspcerts" reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP -directory and adds them to \fIpluto\fP's list of OCSP signer certificates. +directory and adds them to the list of OCSP signer certificates. .PP +.TP .B "ipsec rereadacerts" -operation reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP -directory and adds them to \fIpluto\fP's list of attribute certificates. +reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP +directory and adds them to the list of attribute certificates. .PP +.TP .B "ipsec rereadcrls" reads all Certificate Revocation Lists (CRLs) contained in the -\fI/etc/ipsec.d/crls/\fP directory and adds them to \fIpluto\fP's list of CRLs. +\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs. .PP +.TP .B "ipsec rereadall" -is equivalent to the execution of \fBrereadsecrets\fP, -\fBrereadcacerts\fP, \fBrereadaacerts\fP, \fBrereadocspcerts\fP, -\fBrereadacerts\fP, and \fBrereadcrls\fP. +executes all reread commands listed above. +.PP +.SS PURGE COMMANDS +.TP +.B "ipsec purgeike" +purges IKEv2 SAs that don't have a CHILD SA. .PP +.TP +.B "ipsec purgeocsp" +purges all cached OCSP information records. +.PP +.SS INFO COMMANDS +.TP .B "ipsec \-\-help" -lists the available commands. -Most have their own manual pages, e.g. -.IR ipsec_auto (8) -for -.IR auto . +returns the usage information for the ipsec command. .PP +.TP .B "ipsec \-\-version" -outputs version information about Linux strongSwan. 
-A version code of the form ``U\fIxxx\fR/K\fIyyy\fR'' -indicates that the user-level utilities are version \fIxxx\fR -but the kernel portion appears to be version \fIyyy\fR -(this form is used only if the two disagree). +returns the version in the form of +.B Linux strongSwan U/K +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. .PP +.TP .B "ipsec \-\-versioncode" -outputs \fIjust\fR the version code, -with none of -.BR \-\-version 's -supporting information, -for use by scripts. +returns the version number in the form of +.B U/K +if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is +running on. .PP +.TP .B "ipsec \-\-copyright" -supplies boring copyright details. +returns the copyright information. .PP +.TP .B "ipsec \-\-directory" -reports where -.I ipsec -thinks the IPsec utilities are stored. +returns the \fILIBEXECDIR\fP directory as defined by the configure options. .PP +.TP .B "ipsec \-\-confdir" -reports where -.I ipsec -thinks the IPsec configuration files are stored. +returns the \fISYSCONFDIR\fP directory as defined by the configure options. .SH FILES /usr/local/lib/ipsec usual utilities directory .SH ENVIRONMENT @@ -327,15 +292,11 @@ IPSEC_CHARON_PID PID file for IKEv2 keying daemon .SH SEE ALSO .hy 0 .na -ipsec.conf(5), ipsec.secrets(5), -ipsec_barf(8), +ipsec.conf(5), ipsec.secrets(5) .ad .hy .PP .SH HISTORY -Written for Linux FreeS/WAN - -by Henry Spencer. -Updated and extended for Linux strongSwan - -by Andreas Steffen. +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner and Andreas Steffen. diff --git a/src/ipsec/ipsec.8.in b/src/ipsec/ipsec.8.in new file mode 100644 index 000000000..24a796392 --- /dev/null +++ b/src/ipsec/ipsec.8.in 
@@ -0,0 +1,302 @@ +.TH IPSEC 8 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +ipsec \- invoke IPsec utilities +.SH SYNOPSIS +.B ipsec +\fIcommand\fP [ \fIarguments\fP ] [ \fIoptions\fP ] +.PP +.SH DESCRIPTION +The +.B ipsec +utility invokes any of several utilities involved in controlling and monitoring +the IPsec encryption/authentication system, running the specified \fIcommand\fP +with the specified \fIarguments\fP and \fIoptions\fP as if it had been invoked +directly. This largely eliminates possible name collisions with other software, +and also permits some centralized services. +.PP +All the commands described in this manual page are built-in and are used to +control and monitor IPsec connections as well as the IKE daemons. +.PP +For other commands +.I ipsec +supplies the invoked +.I command +with a suitable PATH environment variable, +and also provides IPSEC_DIR, +IPSEC_CONFS, and IPSEC_VERSION environment variables, +containing respectively +the full pathname of the directory where the IPsec utilities are stored, +the full pathname of the directory where the configuration files live, +and the IPsec version number. +.PP +.SS CONTROL COMMANDS +.TP +.B "ipsec start [ starter options ]" +calls +.BR "ipsec starter" +which in turn parses \fIipsec.conf\fR and starts the IKEv1 \fIpluto\fR and +IKEv2 \fIcharon\fR daemons. +.PP +.TP +.B "ipsec update" +sends a \fIHUP\fR signal to +.BR "ipsec starter" +which in turn determines any changes in \fIipsec.conf\fR +and updates the configuration on the running IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons, correspondingly. +.PP +.TP +.B "ipsec reload" +sends a \fIUSR1\fR signal to +.BR "ipsec starter" +which in turn reloads the whole configuration on the running IKEv1 \fIpluto\fR +and IKEv2 \fIcharon\fR daemons based on the actual \fIipsec.conf\fR. +.PP +.TP +.B "ipsec restart" +is equivalent to +.B "ipsec stop" +followed by +.B "ipsec start" +after a guard of 2 seconds. 
+.PP +.TP +.B "ipsec stop" +terminates all IPsec connections and stops the IKEv1 \fIpluto\fR and IKEv2 +\fIcharon\fR daemons by sending a \fITERM\fR signal to +.BR "ipsec starter". +.PP +.TP +.B "ipsec up \fIname\fP" +tells the responsible IKE daemon to start up connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname\fP" +tells the responsible IKE daemon to terminate connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname{n}\fP" +terminates IKEv2 CHILD SA instance \fIn\fP of connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname{*}\fP" +terminates all IKEv2 CHILD SA instances of connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname[n]\fP" +terminates all IKEv2 IKE SA instance \fIn\fP of connection \fIname\fP. +.PP +.TP +.B "ipsec down \fIname[*]\fP" +terminates all IKEv2 IKE SA instances of connection \fIname\fP. +.PP +.TP +.B "ipsec route \fIname\fP" +tells the responsible IKE daemon to insert an IPsec policy in the kernel +for connection \fIname\fP. The first payload packet matching the IPsec policy +will automatically trigger an IKE connection setup. +.PP +.TP +.B "ipsec unroute \fIname\fP" +remove the IPsec policy in the kernel for connection \fIname\fP. +.PP +.TP +.B "ipsec status [ \fIname\fP ]" +returns concise status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.TP +.B "ipsec statusall [ \fIname\fP ]" +returns detailed status information either on connection +\fIname\fP or if the argument is lacking, on all connections. +.PP +.SS LIST COMMANDS +.TP +.B "ipsec listalgs" +returns a list all supported IKE encryption and hash algorithms, the available +Diffie-Hellman groups, as well as all supported ESP encryption and +authentication algorithms registered via the Linux kernel's Crypto API. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. 
+.PP +.TP +.B "ipsec listpubkeys [ --utc ]" +returns a list of RSA public keys that were either loaded in raw key format +or extracted from X.509 and|or OpenPGP certificates. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. +.PP +.TP +.B "ipsec listcerts [ --utc ]" +returns a list of X.509 and|or OpenPGP certificates that were either loaded +locally by the IKE daemon or received via the IKEv2 protocol. +.PP +.TP +.B "ipsec listcacerts [ --utc ]" +returns a list of X.509 Certification Authority (CA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/cacerts/\fP +directory or received in PKCS#7-wrapped certificate payloads via the IKE +protocol. +.PP +.TP +.B "ipsec listaacerts [ --utc ]" +returns a list of X.509 Authorization Authority (AA) certificates that were +loaded locally by the IKE daemon from the \fI/etc/ipsec.d/aacerts/\fP +directory. +.PP +.TP +.B "ipsec listocspcerts [ --utc ]" +returns a list of X.509 OCSP Signer certificates that were either loaded +locally by the IKE daemon from the \fI/etc/ipsec.d/ocspcerts/\fP +directory or were sent by an OCSP server. +.PP +.TP +.B "ipsec listacerts [ --utc ]" +returns a list of X.509 Attribute certificates that were loaded locally by +the IKE daemon from the \fI/etc/ipsec.d/acerts/\fP directory. +.PP +.TP +.B "ipsec listgroups [ --utc ]" +returns a list of groups that are used to define user authorization profiles. +.br +Supported by the IKEv1 \fIpluto\fP daemon only. +.PP +.TP +.B "ipsec listcainfos [ --utc ]" +returns certification authority information (CRL distribution points, OCSP URIs, +LDAP servers) that were defined by +.BR ca +sections in \fIipsec.conf\fP. +.PP +.TP +.B "ipsec listcrls [ --utc ]" +returns a list of Certificate Revocation Lists (CRLs) that were either loaded +by the IKE daemon from the \fI/etc/ipsec.d/crls\fP directory or fetched from +an HTTP- or LDAP-based CRL distribution point. 
+.PP
+.TP
+.B "ipsec listocsp [ --utc ]"
+returns revocation information fetched from OCSP servers.
+.PP
+.TP
+.B "ipsec listcards [ --utc ]"
+list all certificates found on attached smart cards.
+.br
+Supported by the IKEv1 \fIpluto\fP daemon only.
+.PP
+.TP
+.B "ipsec listall [ --utc ]"
+returns all information generated by the list commands above. Each list command
+can be called with the
+\fB\-\-utc\fP
+option which displays all dates in UTC instead of local time.
+.PP
+.SS REREAD COMMANDS
+.TP
+.B "ipsec rereadsecrets"
+flushes and rereads all secrets defined in \fIipsec.secrets\fP.
+.PP
+.TP
+.B "ipsec rereadcacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/cacerts\fP
+directory and adds them to the list of Certification Authority (CA)
+certificates.
+.PP
+.TP
+.B "ipsec rereadaacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/aacerts\fP
+directory and adds them to the list of Authorization Authority (AA)
+certificates.
+.PP
+.TP
+.B "ipsec rereadocspcerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/ocspcerts/\fP
+directory and adds them to the list of OCSP signer certificates.
+.PP
+.TP
+.B "ipsec rereadacerts"
+reads all certificate files contained in the \fI/etc/ipsec.d/acerts/\fP
+directory and adds them to the list of attribute certificates.
+.PP
+.TP
+.B "ipsec rereadcrls"
+reads all Certificate Revocation Lists (CRLs) contained in the
+\fI/etc/ipsec.d/crls/\fP directory and adds them to the list of CRLs.
+.PP
+.TP
+.B "ipsec rereadall"
+executes all reread commands listed above.
+.PP
+.SS PURGE COMMANDS
+.TP
+.B "ipsec purgeike"
+purges IKEv2 SAs that don't have a CHILD SA.
+.PP
+.TP
+.B "ipsec purgeocsp"
+purges all cached OCSP information records.
+.PP
+.SS INFO COMMANDS
+.TP
+.B "ipsec \-\-help"
+returns the usage information for the ipsec command.
+.PP
+.TP
+.B "ipsec \-\-version"
+returns the version in the form of
+.B Linux strongSwan U/K
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "ipsec \-\-versioncode"
+returns the version number in the form of
+.B U/K
+if strongSwan uses the native NETKEY IPsec stack of the Linux kernel it is
+running on.
+.PP
+.TP
+.B "ipsec \-\-copyright"
+returns the copyright information.
+.PP
+.TP
+.B "ipsec \-\-directory"
+returns the \fILIBEXECDIR\fP directory as defined by the configure options.
+.PP
+.TP
+.B "ipsec \-\-confdir"
+returns the \fISYSCONFDIR\fP directory as defined by the configure options.
+.SH FILES
+/usr/local/lib/ipsec usual utilities directory
+.SH ENVIRONMENT
+.PP
+The following environment variables control where strongSwan finds its
+components.
+The
+.B ipsec
+command sets them if they are not already set.
+.nf
+.na
+
+IPSEC_DIR directory containing ipsec programs and utilities
+IPSEC_SBINDIR directory containing \fBipsec\fP command
+IPSEC_CONFDIR directory containing configuration files
+IPSEC_PIDDIR directory containing PID files
+IPSEC_NAME name of ipsec distribution
+IPSEC_VERSION version numer of ipsec userland and kernel
+IPSEC_STARTER_PID PID file for ipsec starter
+IPSEC_PLUTO_PID PID file for IKEv1 keying daemon
+IPSEC_CHARON_PID PID file for IKEv2 keying daemon
+.ad
+.fi
+.SH SEE ALSO
+.hy 0
+.na
+ipsec.conf(5), ipsec.secrets(5)
+.ad
+.hy
+.PP
+.SH HISTORY
+Originally written for the FreeS/WAN project by Henry Spencer.
+Updated and extended for the strongSwan project by
+Tobias Brunner and Andreas Steffen.
diff --git a/src/libcharon/Android.mk b/src/libcharon/Android.mk
index d473b455e..3297654e9 100644
--- a/src/libcharon/Android.mk
+++ b/src/libcharon/Android.mk
@@ -12,7 +12,6 @@ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ config/proposal.c config/proposal.h \ -config/auth_cfg.c config/auth_cfg.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ @@ -95,17 +94,13 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ -sa/tasks/task.c sa/tasks/task.h \ -credentials/credential_manager.c credentials/credential_manager.h \ -credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ -credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ -credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ -credentials/credential_set.h +sa/tasks/task.c sa/tasks/task.h # adding the plugin source files LOCAL_SRC_FILES += $(call add_plugin, android) -ifneq ($(call plugin_enabled, android)),) +ifneq ($(call plugin_enabled, android),) +LOCAL_C_INCLUDES += frameworks/base/cmds/keystore LOCAL_SHARED_LIBRARIES += libcutils endif @@ -114,7 +109,7 @@ LOCAL_SRC_FILES += $(call add_plugin, attr) LOCAL_SRC_FILES += $(call add_plugin, eap-aka) LOCAL_SRC_FILES += $(call add_plugin, eap-aka-3gpp2) -ifneq ($(call plugin_enabled, eap-aka-3gpp2)),) +ifneq ($(call plugin_enabled, eap-aka-3gpp2),) LOCAL_C_INCLUDES += $(libgmp_PATH) LOCAL_SHARED_LIBRARIES += libgmp endif @@ -129,6 +124,8 @@ LOCAL_SRC_FILES += $(call add_plugin, eap-mschapv2) LOCAL_SRC_FILES += $(call add_plugin, eap-sim) +LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-sql) + LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-pseudonym) LOCAL_SRC_FILES += $(call add_plugin, eap-simaka-reauth) 
@@ -146,6 +143,8 @@ endif LOCAL_SRC_FILES += $(call add_plugin, kernel-netlink) +LOCAL_SRC_FILES += $(call add_plugin, kernel-pfkey) + LOCAL_SRC_FILES += $(call add_plugin, load-tester) LOCAL_SRC_FILES += $(call add_plugin, socket-default) diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 0eaccf7a0..44501c0d0 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -10,7 +10,6 @@ config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h \ config/proposal.c config/proposal.h \ -config/auth_cfg.c config/auth_cfg.h \ control/controller.c control/controller.h \ daemon.c daemon.h \ encoding/generator.c encoding/generator.h \ @@ -93,12 +92,7 @@ sa/tasks/ike_rekey.c sa/tasks/ike_rekey.h \ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ -sa/tasks/task.c sa/tasks/task.h \ -credentials/credential_manager.c credentials/credential_manager.h \ -credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ -credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ -credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ -credentials/credential_set.h +sa/tasks/task.c sa/tasks/task.h daemon.lo : $(top_builddir)/config.status @@ -128,7 +122,7 @@ if USE_ME sa/tasks/ike_me.c sa/tasks/ike_me.h endif -if USE_CAPABILITIES +if USE_LIBCAP libcharon_la_LIBADD += -lcap endif @@ -271,6 +265,14 @@ if MONOLITHIC endif endif +if USE_EAP_SIMAKA_SQL + SUBDIRS += plugins/eap_simaka_sql + PLUGINS += eap-simaka-sql +if MONOLITHIC + libcharon_la_LIBADD += plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +endif +endif + if USE_EAP_SIMAKA_PSEUDONYM SUBDIRS += plugins/eap_simaka_pseudonym PLUGINS += eap-simaka-pseudonym 
@@ -374,14 +376,6 @@ if MONOLITHIC endif endif -if USE_RESOLVE - SUBDIRS += plugins/resolve - PLUGINS += resolve -if MONOLITHIC - libcharon_la_LIBADD += plugins/resolve/libstrongswan-resolve.la -endif -endif - if USE_ANDROID SUBDIRS += plugins/android PLUGINS += android @@ -406,6 +400,14 @@ if MONOLITHIC endif endif +if USE_ADDRBLOCK + SUBDIRS += plugins/addrblock + PLUGINS += addrblock +if MONOLITHIC + libcharon_la_LIBADD += plugins/uci/libstrongswan-addrblock.la +endif +endif + if USE_UNIT_TESTS SUBDIRS += plugins/unit_tester PLUGINS += unit-tester diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 0eb6f36f4..8e58b0e2e 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -44,7 +44,7 @@ host_triplet = @host@ @USE_ME_TRUE@ sa/mediation_manager.c sa/mediation_manager.h \ @USE_ME_TRUE@ sa/tasks/ike_me.c sa/tasks/ike_me.h -@USE_CAPABILITIES_TRUE@am__append_2 = -lcap +@USE_LIBCAP_TRUE@am__append_2 = -lcap @USE_LOAD_TESTER_TRUE@am__append_3 = plugins/load_tester @USE_LOAD_TESTER_TRUE@am__append_4 = load-tester @MONOLITHIC_TRUE@@USE_LOAD_TESTER_TRUE@am__append_5 = plugins/load_tester/libstrongswan-load-tester.la 
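Review bot: The new USE_ADDRBLOCK block in Makefile.am links `plugins/uci/libstrongswan-addrblock.la`, but the SUBDIRS entry two lines above it registers the plugin under `plugins/addrblock`, so a MONOLITHIC build will look for the addrblock library in the wrong directory and fail to link it. This looks like a copy-paste of the uci block (the uci entry in the generated Makefile.in below points at `plugins/uci/libstrongswan-uci.la`), and the line should read `libcharon_la_LIBADD += plugins/addrblock/libstrongswan-addrblock.la`. The same wrong path has been carried into Makefile.in as `am__append_102`, so fix Makefile.am and regenerate rather than patching the generated file by hand. Since addrblock is the plugin that enforces RFC 3779 address-block constraints on peer certificates, a monolithic build that silently drops it would lose that check, so it is worth verifying the link actually succeeds.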
@@ -93,46 +93,46 @@ host_triplet = @host@ @USE_EAP_SIM_FILE_TRUE@am__append_48 = plugins/eap_sim_file @USE_EAP_SIM_FILE_TRUE@am__append_49 = eap-sim-file @MONOLITHIC_TRUE@@USE_EAP_SIM_FILE_TRUE@am__append_50 = plugins/eap_sim_file/libstrongswan-eap-sim-file.la -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_51 = plugins/eap_simaka_pseudonym -@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_52 = eap-simaka-pseudonym -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_53 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_54 = plugins/eap_simaka_reauth -@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_55 = eap-simaka-reauth -@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_56 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la -@USE_EAP_AKA_TRUE@am__append_57 = plugins/eap_aka -@USE_EAP_AKA_TRUE@am__append_58 = eap-aka -@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_59 = plugins/eap_aka/libstrongswan-eap-aka.la -@USE_EAP_AKA_3GPP2_TRUE@am__append_60 = plugins/eap_aka_3gpp2 -@USE_EAP_AKA_3GPP2_TRUE@am__append_61 = eap-aka-3gpp2 -@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_62 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la -@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_63 = $(top_builddir)/src/libsimaka/libsimaka.la -@USE_EAP_MD5_TRUE@am__append_64 = plugins/eap_md5 -@USE_EAP_MD5_TRUE@am__append_65 = eap-md5 -@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_66 = plugins/eap_md5/libstrongswan-eap-md5.la -@USE_EAP_GTC_TRUE@am__append_67 = plugins/eap_gtc -@USE_EAP_GTC_TRUE@am__append_68 = eap-gtc -@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_69 = plugins/eap_gtc/libstrongswan-eap-gtc.la -@USE_EAP_MSCHAPV2_TRUE@am__append_70 = plugins/eap_mschapv2 -@USE_EAP_MSCHAPV2_TRUE@am__append_71 = eap-mschapv2 -@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_72 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la -@USE_EAP_RADIUS_TRUE@am__append_73 = plugins/eap_radius -@USE_EAP_RADIUS_TRUE@am__append_74 = 
eap-radius -@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_75 = plugins/eap_radius/libstrongswan-eap-radius.la -@USE_MEDSRV_TRUE@am__append_76 = plugins/medsrv -@USE_MEDSRV_TRUE@am__append_77 = medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_78 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_79 = plugins/medcli -@USE_MEDCLI_TRUE@am__append_80 = medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_81 = plugins/medcli/libstrongswan-medcli.la -@USE_NM_TRUE@am__append_82 = plugins/nm -@USE_NM_TRUE@am__append_83 = nm -@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_84 = plugins/nm/libstrongswan-nm.la -@USE_DHCP_TRUE@am__append_85 = plugins/dhcp -@USE_DHCP_TRUE@am__append_86 = dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_87 = plugins/dhcp/libstrongswan-dhcp.la -@USE_RESOLVE_TRUE@am__append_88 = plugins/resolve -@USE_RESOLVE_TRUE@am__append_89 = resolve -@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_90 = plugins/resolve/libstrongswan-resolve.la +@USE_EAP_SIMAKA_SQL_TRUE@am__append_51 = plugins/eap_simaka_sql +@USE_EAP_SIMAKA_SQL_TRUE@am__append_52 = eap-simaka-sql +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_SQL_TRUE@am__append_53 = plugins/eap_simaka_sql/libstrongswan-eap-simaka-sql.la +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_54 = plugins/eap_simaka_pseudonym +@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_55 = eap-simaka-pseudonym +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_PSEUDONYM_TRUE@am__append_56 = plugins/eap_simaka_pseudonym/libstrongswan-eap-simaka-pseudonym.la +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_57 = plugins/eap_simaka_reauth +@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_58 = eap-simaka-reauth +@MONOLITHIC_TRUE@@USE_EAP_SIMAKA_REAUTH_TRUE@am__append_59 = plugins/eap_simaka_reauth/libstrongswan-eap-simaka-reauth.la +@USE_EAP_AKA_TRUE@am__append_60 = plugins/eap_aka +@USE_EAP_AKA_TRUE@am__append_61 = eap-aka +@MONOLITHIC_TRUE@@USE_EAP_AKA_TRUE@am__append_62 = plugins/eap_aka/libstrongswan-eap-aka.la +@USE_EAP_AKA_3GPP2_TRUE@am__append_63 = plugins/eap_aka_3gpp2 
+@USE_EAP_AKA_3GPP2_TRUE@am__append_64 = eap-aka-3gpp2 +@MONOLITHIC_TRUE@@USE_EAP_AKA_3GPP2_TRUE@am__append_65 = plugins/eap_aka_3gpp2/libstrongswan-eap-aka-3gpp2.la +@MONOLITHIC_TRUE@@USE_SIMAKA_TRUE@am__append_66 = $(top_builddir)/src/libsimaka/libsimaka.la +@USE_EAP_MD5_TRUE@am__append_67 = plugins/eap_md5 +@USE_EAP_MD5_TRUE@am__append_68 = eap-md5 +@MONOLITHIC_TRUE@@USE_EAP_MD5_TRUE@am__append_69 = plugins/eap_md5/libstrongswan-eap-md5.la +@USE_EAP_GTC_TRUE@am__append_70 = plugins/eap_gtc +@USE_EAP_GTC_TRUE@am__append_71 = eap-gtc +@MONOLITHIC_TRUE@@USE_EAP_GTC_TRUE@am__append_72 = plugins/eap_gtc/libstrongswan-eap-gtc.la +@USE_EAP_MSCHAPV2_TRUE@am__append_73 = plugins/eap_mschapv2 +@USE_EAP_MSCHAPV2_TRUE@am__append_74 = eap-mschapv2 +@MONOLITHIC_TRUE@@USE_EAP_MSCHAPV2_TRUE@am__append_75 = plugins/eap_mschapv2/libstrongswan-eap-mschapv2.la +@USE_EAP_RADIUS_TRUE@am__append_76 = plugins/eap_radius +@USE_EAP_RADIUS_TRUE@am__append_77 = eap-radius +@MONOLITHIC_TRUE@@USE_EAP_RADIUS_TRUE@am__append_78 = plugins/eap_radius/libstrongswan-eap-radius.la +@USE_MEDSRV_TRUE@am__append_79 = plugins/medsrv +@USE_MEDSRV_TRUE@am__append_80 = medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_81 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_82 = plugins/medcli +@USE_MEDCLI_TRUE@am__append_83 = medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_84 = plugins/medcli/libstrongswan-medcli.la +@USE_NM_TRUE@am__append_85 = plugins/nm +@USE_NM_TRUE@am__append_86 = nm +@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_87 = plugins/nm/libstrongswan-nm.la +@USE_DHCP_TRUE@am__append_88 = plugins/dhcp +@USE_DHCP_TRUE@am__append_89 = dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_90 = plugins/dhcp/libstrongswan-dhcp.la @USE_ANDROID_TRUE@am__append_91 = plugins/android @USE_ANDROID_TRUE@am__append_92 = android @MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_93 = plugins/android/libstrongswan-android.la 
@@ -142,9 +142,12 @@ host_triplet = @host@ @USE_UCI_TRUE@am__append_97 = plugins/uci @USE_UCI_TRUE@am__append_98 = uci @MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_99 = plugins/uci/libstrongswan-uci.la -@USE_UNIT_TESTS_TRUE@am__append_100 = plugins/unit_tester -@USE_UNIT_TESTS_TRUE@am__append_101 = unit-tester -@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_102 = plugins/unit_tester/libstrongswan-unit-tester.la +@USE_ADDRBLOCK_TRUE@am__append_100 = plugins/addrblock +@USE_ADDRBLOCK_TRUE@am__append_101 = addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_102 = plugins/uci/libstrongswan-addrblock.la +@USE_UNIT_TESTS_TRUE@am__append_103 = plugins/unit_tester +@USE_UNIT_TESTS_TRUE@am__append_104 = unit-tester +@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_105 = plugins/unit_tester/libstrongswan-unit-tester.la subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -194,11 +197,11 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_38) $(am__append_41) $(am__append_44) \ $(am__append_47) $(am__append_50) $(am__append_53) \ $(am__append_56) $(am__append_59) $(am__append_62) \ - $(am__append_63) $(am__append_66) $(am__append_69) \ + $(am__append_65) $(am__append_66) $(am__append_69) \ $(am__append_72) $(am__append_75) $(am__append_78) \ $(am__append_81) $(am__append_84) $(am__append_87) \ $(am__append_90) $(am__append_93) $(am__append_96) \ - $(am__append_99) $(am__append_102) + $(am__append_99) $(am__append_102) $(am__append_105) am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/file_logger.c \ bus/listeners/file_logger.h bus/listeners/sys_logger.c \ 
@@ -206,11 +209,10 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ config/backend_manager.h config/backend.h config/child_cfg.c \ config/child_cfg.h config/ike_cfg.c config/ike_cfg.h \ config/peer_cfg.c config/peer_cfg.h config/proposal.c \ - config/proposal.h config/auth_cfg.c config/auth_cfg.h \ - control/controller.c control/controller.h daemon.c daemon.h \ - encoding/generator.c encoding/generator.h encoding/message.c \ - encoding/message.h encoding/parser.c encoding/parser.h \ - encoding/payloads/auth_payload.c \ + config/proposal.h control/controller.c control/controller.h \ + daemon.c daemon.h encoding/generator.c encoding/generator.h \ + encoding/message.c encoding/message.h encoding/parser.c \ + encoding/parser.h encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ encoding/payloads/cert_payload.h \ @@ -311,14 +313,6 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - credentials/credential_manager.c \ - credentials/credential_manager.h \ - credentials/sets/auth_cfg_wrapper.c \ - credentials/sets/auth_cfg_wrapper.h \ - credentials/sets/ocsp_response_wrapper.c \ - credentials/sets/ocsp_response_wrapper.h \ - credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ - credentials/credential_set.h \ encoding/payloads/endpoint_notify.c \ encoding/payloads/endpoint_notify.h \ processing/jobs/initiate_mediation_job.c \ 
@@ -332,32 +326,31 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ @USE_ME_TRUE@ connect_manager.lo mediation_manager.lo ike_me.lo am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ backend_manager.lo child_cfg.lo ike_cfg.lo peer_cfg.lo \ - proposal.lo auth_cfg.lo controller.lo daemon.lo generator.lo \ - message.lo parser.lo auth_payload.lo cert_payload.lo \ - certreq_payload.lo configuration_attribute.lo cp_payload.lo \ - delete_payload.lo eap_payload.lo encodings.lo \ - encryption_payload.lo id_payload.lo ike_header.lo \ - ke_payload.lo nonce_payload.lo notify_payload.lo payload.lo \ - proposal_substructure.lo sa_payload.lo \ - traffic_selector_substructure.lo transform_attribute.lo \ - transform_substructure.lo ts_payload.lo unknown_payload.lo \ - vendor_id_payload.lo kernel_interface.lo kernel_ipsec.lo \ - packet.lo receiver.lo sender.lo socket_manager.lo \ - acquire_job.lo callback_job.lo delete_child_sa_job.lo \ - delete_ike_sa_job.lo migrate_job.lo process_message_job.lo \ - rekey_child_sa_job.lo rekey_ike_sa_job.lo retransmit_job.lo \ - send_dpd_job.lo send_keepalive_job.lo roam_job.lo \ - update_sa_job.lo inactivity_job.lo scheduler.lo processor.lo \ - authenticator.lo eap_authenticator.lo eap_method.lo \ - eap_manager.lo sim_manager.lo psk_authenticator.lo \ - pubkey_authenticator.lo child_sa.lo ike_sa.lo ike_sa_id.lo \ - ike_sa_manager.lo task_manager.lo keymat.lo trap_manager.lo \ - child_create.lo child_delete.lo child_rekey.lo ike_auth.lo \ - ike_cert_pre.lo ike_cert_post.lo ike_config.lo ike_delete.lo \ - ike_dpd.lo ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ + proposal.lo controller.lo daemon.lo generator.lo message.lo \ + parser.lo auth_payload.lo cert_payload.lo certreq_payload.lo \ + configuration_attribute.lo cp_payload.lo delete_payload.lo \ + eap_payload.lo encodings.lo encryption_payload.lo \ + id_payload.lo ike_header.lo ke_payload.lo nonce_payload.lo \ + notify_payload.lo payload.lo proposal_substructure.lo \ 
+ sa_payload.lo traffic_selector_substructure.lo \ + transform_attribute.lo transform_substructure.lo ts_payload.lo \ + unknown_payload.lo vendor_id_payload.lo kernel_interface.lo \ + kernel_ipsec.lo packet.lo receiver.lo sender.lo \ + socket_manager.lo acquire_job.lo callback_job.lo \ + delete_child_sa_job.lo delete_ike_sa_job.lo migrate_job.lo \ + process_message_job.lo rekey_child_sa_job.lo \ + rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \ + send_keepalive_job.lo roam_job.lo update_sa_job.lo \ + inactivity_job.lo scheduler.lo processor.lo authenticator.lo \ + eap_authenticator.lo eap_method.lo eap_manager.lo \ + sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \ + child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \ + task_manager.lo keymat.lo trap_manager.lo child_create.lo \ + child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \ + ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \ + ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \ - credential_manager.lo auth_cfg_wrapper.lo \ - ocsp_response_wrapper.lo cert_cache.lo $(am__objects_1) + $(am__objects_1) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp 
@@ -394,12 +387,12 @@ DIST_SUBDIRS = . plugins/load_tester plugins/kernel_pfkey \ plugins/socket_raw plugins/socket_dynamic plugins/farp \ plugins/stroke plugins/smp plugins/sql plugins/updown \ plugins/eap_identity plugins/eap_sim plugins/eap_sim_file \ - plugins/eap_simaka_pseudonym plugins/eap_simaka_reauth \ - plugins/eap_aka plugins/eap_aka_3gpp2 plugins/eap_md5 \ - plugins/eap_gtc plugins/eap_mschapv2 plugins/eap_radius \ - plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \ - plugins/resolve plugins/android plugins/ha plugins/uci \ - plugins/unit_tester + plugins/eap_simaka_sql plugins/eap_simaka_pseudonym \ + plugins/eap_simaka_reauth plugins/eap_aka \ + plugins/eap_aka_3gpp2 plugins/eap_md5 plugins/eap_gtc \ + plugins/eap_mschapv2 plugins/eap_radius plugins/medsrv \ + plugins/medcli plugins/nm plugins/dhcp plugins/android \ + plugins/ha plugins/uci plugins/addrblock plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -589,10 +582,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ config/backend.h config/child_cfg.c config/child_cfg.h \ config/ike_cfg.c config/ike_cfg.h config/peer_cfg.c \ config/peer_cfg.h config/proposal.c config/proposal.h \ - config/auth_cfg.c config/auth_cfg.h control/controller.c \ - control/controller.h daemon.c daemon.h encoding/generator.c \ - encoding/generator.h encoding/message.c encoding/message.h \ - encoding/parser.c encoding/parser.h \ + control/controller.c control/controller.h daemon.c daemon.h \ + encoding/generator.c encoding/generator.h encoding/message.c \ + encoding/message.h encoding/parser.c encoding/parser.h \ encoding/payloads/auth_payload.c \ encoding/payloads/auth_payload.h \ encoding/payloads/cert_payload.c \ 
@@ -694,14 +686,7 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - credentials/credential_manager.c \ - credentials/credential_manager.h \ - credentials/sets/auth_cfg_wrapper.c \ - credentials/sets/auth_cfg_wrapper.h \ - credentials/sets/ocsp_response_wrapper.c \ - credentials/sets/ocsp_response_wrapper.h \ - credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ - credentials/credential_set.h $(am__append_1) + $(am__append_1) INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ @@ -718,11 +703,11 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \ $(am__append_38) $(am__append_41) $(am__append_44) \ $(am__append_47) $(am__append_50) $(am__append_53) \ $(am__append_56) $(am__append_59) $(am__append_62) \ - $(am__append_63) $(am__append_66) $(am__append_69) \ + $(am__append_65) $(am__append_66) $(am__append_69) \ $(am__append_72) $(am__append_75) $(am__append_78) \ $(am__append_81) $(am__append_84) $(am__append_87) \ $(am__append_90) $(am__append_93) $(am__append_96) \ - $(am__append_99) $(am__append_102) + $(am__append_99) $(am__append_102) $(am__append_105) EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_6) \ @MONOLITHIC_FALSE@ $(am__append_9) $(am__append_12) \ 
@@ -734,13 +719,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_45) $(am__append_48) \ @MONOLITHIC_FALSE@ $(am__append_51) $(am__append_54) \ @MONOLITHIC_FALSE@ $(am__append_57) $(am__append_60) \ -@MONOLITHIC_FALSE@ $(am__append_64) $(am__append_67) \ +@MONOLITHIC_FALSE@ $(am__append_63) $(am__append_67) \ @MONOLITHIC_FALSE@ $(am__append_70) $(am__append_73) \ @MONOLITHIC_FALSE@ $(am__append_76) $(am__append_79) \ @MONOLITHIC_FALSE@ $(am__append_82) $(am__append_85) \ @MONOLITHIC_FALSE@ $(am__append_88) $(am__append_91) \ @MONOLITHIC_FALSE@ $(am__append_94) $(am__append_97) \ -@MONOLITHIC_FALSE@ $(am__append_100) +@MONOLITHIC_FALSE@ $(am__append_100) $(am__append_103) # build optional plugins ######################## @@ -754,13 +739,13 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_45) $(am__append_48) \ @MONOLITHIC_TRUE@ $(am__append_51) $(am__append_54) \ @MONOLITHIC_TRUE@ $(am__append_57) $(am__append_60) \ -@MONOLITHIC_TRUE@ $(am__append_64) $(am__append_67) \ +@MONOLITHIC_TRUE@ $(am__append_63) $(am__append_67) \ @MONOLITHIC_TRUE@ $(am__append_70) $(am__append_73) \ @MONOLITHIC_TRUE@ $(am__append_76) $(am__append_79) \ @MONOLITHIC_TRUE@ $(am__append_82) $(am__append_85) \ @MONOLITHIC_TRUE@ $(am__append_88) $(am__append_91) \ @MONOLITHIC_TRUE@ $(am__append_94) $(am__append_97) \ -@MONOLITHIC_TRUE@ $(am__append_100) +@MONOLITHIC_TRUE@ $(am__append_100) $(am__append_103) PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \ $(am__append_7) $(am__append_10) $(am__append_13) \ $(am__append_16) $(am__append_19) $(am__append_22) \ 
@@ -768,11 +753,11 @@ PLUGINS = ${libstrongswan_plugins} ${libhydra_plugins} $(am__append_4) \ $(am__append_34) $(am__append_37) $(am__append_40) \ $(am__append_43) $(am__append_46) $(am__append_49) \ $(am__append_52) $(am__append_55) $(am__append_58) \ - $(am__append_61) $(am__append_65) $(am__append_68) \ + $(am__append_61) $(am__append_64) $(am__append_68) \ $(am__append_71) $(am__append_74) $(am__append_77) \ $(am__append_80) $(am__append_83) $(am__append_86) \ $(am__append_89) $(am__append_92) $(am__append_95) \ - $(am__append_98) $(am__append_101) + $(am__append_98) $(am__append_101) $(am__append_104) all: all-recursive .SUFFIXES: @@ -848,14 +833,11 @@ distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/acquire_job.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/authenticator.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backend_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bus.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/callback_job.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certreq_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/child_cfg.Plo@am__quote@ 
@@ -867,7 +849,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/connect_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/controller.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cp_payload.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/daemon.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_child_sa_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/delete_ike_sa_job.Plo@am__quote@ @@ -913,7 +894,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/migrate_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/nonce_payload.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/notify_payload.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/parser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/payload.Plo@am__quote@ 
@@ -1025,13 +1005,6 @@ proposal.lo: config/proposal.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o proposal.lo `test -f 'config/proposal.c' || echo '$(srcdir)/'`config/proposal.c -auth_cfg.lo: config/auth_cfg.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='config/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'config/auth_cfg.c' || echo '$(srcdir)/'`config/auth_cfg.c - controller.lo: control/controller.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT controller.lo -MD -MP -MF $(DEPDIR)/controller.Tpo -c -o controller.lo `test -f 'control/controller.c' || echo '$(srcdir)/'`control/controller.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/controller.Tpo $(DEPDIR)/controller.Plo 
@@ -1592,34 +1565,6 @@ task.lo: sa/tasks/task.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c -credential_manager.lo: credentials/credential_manager.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c - -auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo 
$(DEPDIR)/auth_cfg_wrapper.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c - -ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c - -cert_cache.lo: credentials/sets/cert_cache.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD 
-MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c - endpoint_notify.lo: encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/endpoint_notify.Tpo $(DEPDIR)/endpoint_notify.Plo @@ -1675,7 +1620,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -1700,7 +1645,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c index 764744a41..441009e5e 100644 --- a/src/libcharon/bus/bus.c +++ b/src/libcharon/bus/bus.c 
@@ -102,20 +102,16 @@ static void entry_destroy(entry_t *entry)
 free(entry);
 }
 
-/**
- * Implementation of bus_t.add_listener.
- */
-static void add_listener(private_bus_t *this, listener_t *listener)
+METHOD(bus_t, add_listener, void,
+ private_bus_t *this, listener_t *listener)
 {
 this->mutex->lock(this->mutex);
 this->listeners->insert_last(this->listeners, entry_create(listener, FALSE));
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.remove_listener.
- */
-static void remove_listener(private_bus_t *this, listener_t *listener)
+METHOD(bus_t, remove_listener, void,
+ private_bus_t *this, listener_t *listener)
 {
 enumerator_t *enumerator;
 entry_t *entry;
@@ -156,10 +152,8 @@ static void listener_cleanup(cleanup_data_t *data)
 entry_destroy(data->entry);
 }
 
-/**
- * Implementation of bus_t.listen.
- */
-static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
+METHOD(bus_t, listen_, void,
+ private_bus_t *this, listener_t *listener, job_t *job)
 {
 bool old;
 cleanup_data_t data;
@@ -184,18 +178,14 @@ static void listen_(private_bus_t *this, listener_t *listener, job_t *job)
 entry_destroy(data.entry);
 }
 
-/**
- * Implementation of bus_t.set_sa.
- */
-static void set_sa(private_bus_t *this, ike_sa_t *ike_sa)
+METHOD(bus_t, set_sa, void,
+ private_bus_t *this, ike_sa_t *ike_sa)
 {
 this->thread_sa->set(this->thread_sa, ike_sa);
 }
 
-/**
- * Implementation of bus_t.get_sa
- */
-static ike_sa_t* get_sa(private_bus_t *this)
+METHOD(bus_t, get_sa, ike_sa_t*,
+ private_bus_t *this)
 {
 return this->thread_sa->get(this->thread_sa);
 }
@@ -252,11 +242,9 @@ static bool log_cb(entry_t *entry, log_data_t *data)
 return FALSE;
 }
 
-/**
- * Implementation of bus_t.vlog.
- */
-static void vlog(private_bus_t *this, debug_t group, level_t level,
- char* format, va_list args)
+METHOD(bus_t, vlog, void,
+ private_bus_t *this, debug_t group, level_t level,
+ char* format, va_list args)
 {
 log_data_t data;
 
@@ -276,11 +264,8 @@ static void vlog(private_bus_t *this, debug_t group, level_t level,
 va_end(data.args);
 }
 
-/**
- * Implementation of bus_t.log.
- */
-static void log_(private_bus_t *this, debug_t group, level_t level,
- char* format, ...)
+METHOD(bus_t, log_, void,
+ private_bus_t *this, debug_t group, level_t level, char* format, ...)
 {
 va_list args;
 
@@ -307,10 +292,8 @@ static void unregister_listener(private_bus_t *this, entry_t *entry,
 this->listeners->remove_at(this->listeners, enumerator);
 }
 
-/**
- * Implementation of bus_t.alert
- */
-static void alert(private_bus_t *this, alert_t alert, ...)
+METHOD(bus_t, alert, void,
+ private_bus_t *this, alert_t alert, ...)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -342,11 +325,8 @@ static void alert(private_bus_t *this, alert_t alert, ...)
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.ike_state_change
- */
-static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
- ike_sa_state_t state)
+METHOD(bus_t, ike_state_change, void,
+ private_bus_t *this, ike_sa_t *ike_sa, ike_sa_state_t state)
 {
 enumerator_t *enumerator;
 entry_t *entry;
@@ -372,11 +352,8 @@ static void ike_state_change(private_bus_t *this, ike_sa_t *ike_sa,
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_state_change
- */
-static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
- child_sa_state_t state)
+METHOD(bus_t, child_state_change, void,
+ private_bus_t *this, child_sa_t *child_sa, child_sa_state_t state)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -406,10 +383,8 @@ static void child_state_change(private_bus_t *this, child_sa_t *child_sa,
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.message
- */
-static void message(private_bus_t *this, message_t *message, bool incoming)
+METHOD(bus_t, message, void,
+ private_bus_t *this, message_t *message, bool incoming)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -439,12 +414,9 @@ static void message(private_bus_t *this, message_t *message, bool incoming)
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.ike_keys
- */
-static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
- diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r,
- ike_sa_t *rekey)
+METHOD(bus_t, ike_keys, void,
+ private_bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
+ chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey)
 {
 enumerator_t *enumerator;
 entry_t *entry;
@@ -471,11 +443,9 @@ static void ike_keys(private_bus_t *this, ike_sa_t *ike_sa,
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_keys
- */
-static void child_keys(private_bus_t *this, child_sa_t *child_sa,
- diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
+METHOD(bus_t, child_keys, void,
+ private_bus_t *this, child_sa_t *child_sa, bool initiator,
+ diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -494,7 +464,7 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 }
 entry->calling++;
 keep = entry->listener->child_keys(entry->listener, ike_sa, child_sa,
- dh, nonce_i, nonce_r);
+ initiator, dh, nonce_i, nonce_r);
 entry->calling--;
 if (!keep)
 {
@@ -505,10 +475,8 @@ static void child_keys(private_bus_t *this, child_sa_t *child_sa,
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_updown
- */
-static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
+METHOD(bus_t, child_updown, void,
+ private_bus_t *this, child_sa_t *child_sa, bool up)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -538,10 +506,8 @@ static void child_updown(private_bus_t *this, child_sa_t *child_sa, bool up)
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.child_rekey
- */
-static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
+METHOD(bus_t, child_rekey, void,
+ private_bus_t *this, child_sa_t *old, child_sa_t *new)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -570,10 +536,8 @@ static void child_rekey(private_bus_t *this, child_sa_t *old, child_sa_t *new)
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.ike_updown
- */
-static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
+METHOD(bus_t, ike_updown, void,
+ private_bus_t *this, ike_sa_t *ike_sa, bool up)
 {
 enumerator_t *enumerator;
 entry_t *entry;
@@ -613,10 +577,8 @@ static void ike_updown(private_bus_t *this, ike_sa_t *ike_sa, bool up)
 }
 }
 
-/**
- * Implementation of bus_t.ike_rekey
- */
-static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
+METHOD(bus_t, ike_rekey, void,
+ private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 {
 enumerator_t *enumerator;
 entry_t *entry;
@@ -642,10 +604,8 @@ static void ike_rekey(private_bus_t *this, ike_sa_t *old, ike_sa_t *new)
 this->mutex->unlock(this->mutex);
 }
 
-/**
- * Implementation of bus_t.authorize
- */
-static bool authorize(private_bus_t *this, bool final)
+METHOD(bus_t, authorize, bool,
+ private_bus_t *this, bool final)
 {
 enumerator_t *enumerator;
 ike_sa_t *ike_sa;
@@ -680,10 +640,40 @@ static bool authorize(private_bus_t *this, bool final)
 return success;
 }
 
-/**
- * Implementation of bus_t.destroy.
- */
-static void destroy(private_bus_t *this)
+METHOD(bus_t, narrow, void,
+ private_bus_t *this, child_sa_t *child_sa, narrow_hook_t type,
+ linked_list_t *local, linked_list_t *remote)
+{
+ enumerator_t *enumerator;
+ ike_sa_t *ike_sa;
+ entry_t *entry;
+ bool keep;
+
+ ike_sa = this->thread_sa->get(this->thread_sa);
+
+ this->mutex->lock(this->mutex);
+ enumerator = this->listeners->create_enumerator(this->listeners);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->calling || !entry->listener->narrow)
+ {
+ continue;
+ }
+ entry->calling++;
+ keep = entry->listener->narrow(entry->listener, ike_sa, child_sa,
+ type, local, remote);
+ entry->calling--;
+ if (!keep)
+ {
+ unregister_listener(this, entry, enumerator);
+ }
+ }
+ enumerator->destroy(enumerator);
+ this->mutex->unlock(this->mutex);
+}
+
+METHOD(bus_t, destroy, void,
+ private_bus_t *this)
 {
 this->thread_sa->destroy(this->thread_sa);
 this->mutex->destroy(this->mutex);
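Review bot: The new `narrow` method hands whatever `this->thread_sa->get()` returns to every listener, and because bus_create initialises that thread value with `thread_value_create(NULL)` (next hunk), `ike_sa` is NULL whenever no IKE_SA has been bound to the calling thread via set_sa; neither this method nor the listener_t.narrow doc says so. Listeners are also allowed to modify `local` and `remote` (per the listener.h doc in this commit), and they do it while the bus mutex is held, so a short header comment would make the contract visible, e.g. `/* Run the narrow hook of every listener under the bus lock; ike_sa is the SA bound to the calling thread (NULL if none), local/remote are modified in place. */`. Dropping the per-method "Implementation of" comments is the commit's chosen style for the METHOD conversions, so this is a documentation point only.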
@@ -696,31 +686,35 @@ static void destroy(private_bus_t *this) */ bus_t *bus_create() { - private_bus_t *this = malloc_thing(private_bus_t); - - this->public.add_listener = (void(*)(bus_t*,listener_t*))add_listener; - this->public.remove_listener = (void(*)(bus_t*,listener_t*))remove_listener; - this->public.listen = (void(*)(bus_t*, listener_t *listener, job_t *job))listen_; - this->public.set_sa = (void(*)(bus_t*,ike_sa_t*))set_sa; - this->public.get_sa = (ike_sa_t*(*)(bus_t*))get_sa; - this->public.log = (void(*)(bus_t*,debug_t,level_t,char*,...))log_; - this->public.vlog = (void(*)(bus_t*,debug_t,level_t,char*,va_list))vlog; - this->public.alert = (void(*)(bus_t*, alert_t alert, ...))alert; - this->public.ike_state_change = (void(*)(bus_t*,ike_sa_t*,ike_sa_state_t))ike_state_change; - this->public.child_state_change = (void(*)(bus_t*,child_sa_t*,child_sa_state_t))child_state_change; - this->public.message = (void(*)(bus_t*, message_t *message, bool incoming))message; - this->public.ike_keys = (void(*)(bus_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys; - this->public.child_keys = (void(*)(bus_t*, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys; - this->public.ike_updown = (void(*)(bus_t*, ike_sa_t *ike_sa, bool up))ike_updown; - this->public.ike_rekey = (void(*)(bus_t*, ike_sa_t *old, ike_sa_t *new))ike_rekey; - this->public.child_updown = (void(*)(bus_t*, child_sa_t *child_sa, bool up))child_updown; - this->public.child_rekey = (void(*)(bus_t*, child_sa_t *old, child_sa_t *new))child_rekey; - this->public.authorize = (bool(*)(bus_t*, bool final))authorize; - this->public.destroy = (void(*)(bus_t*)) destroy; - - this->listeners = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->thread_sa = thread_value_create(NULL); + private_bus_t *this; + + INIT(this, + .public = { + .add_listener = _add_listener, + .remove_listener = 
_remove_listener, + .listen = _listen_, + .set_sa = _set_sa, + .get_sa = _get_sa, + .log = _log_, + .vlog = _vlog, + .alert = _alert, + .ike_state_change = _ike_state_change, + .child_state_change = _child_state_change, + .message = _message, + .ike_keys = _ike_keys, + .child_keys = _child_keys, + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .child_updown = _child_updown, + .child_rekey = _child_rekey, + .authorize = _authorize, + .narrow = _narrow, + .destroy = _destroy, + }, + .listeners = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + .thread_sa = thread_value_create(NULL), + ); return &this->public; } diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h index 8cf392eae..6a306afcc 100644 --- a/src/libcharon/bus/bus.h +++ b/src/libcharon/bus/bus.h @@ -22,6 +22,7 @@ #define BUS_H_ typedef enum alert_t alert_t; +typedef enum narrow_hook_t narrow_hook_t; typedef struct bus_t bus_t; #include 
@@ -85,6 +86,31 @@ enum alert_t { ALERT_SHUTDOWN_SIGNAL, }; +/** + * Kind of narrow hook. + * + * There is a non-authenticated (IKE_AUTH) and a authenticated + * (CREATE_CHILD_SA) narrowing hook for the initiator. Only one of these + * hooks is invoked before the exchange. + * To verify the traffic selectors negotiated, each PRE hook has a POST + * counterpart that follows. POST hooks are invoked with an authenticated peer. + * It is usually not a good idea to narrow in the POST hooks, + * as the resulting traffic selector is not negotiated and results + * in non-matching policies. + */ +enum narrow_hook_t { + /** invoked as initiator before exchange, peer is not yet authenticated */ + NARROW_INITIATOR_PRE_NOAUTH, + /** invoked as initiator before exchange, peer is authenticated */ + NARROW_INITIATOR_PRE_AUTH, + /** invoked as responder during exchange, peer is authenticated */ + NARROW_RESPONDER, + /** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */ + NARROW_INITIATOR_POST_NOAUTH, + /** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */ + NARROW_INITIATOR_POST_AUTH, +}; + /** * The bus receives events and sends them to all registered listeners. * @@ -216,6 +242,17 @@ struct bus_t { */ bool (*authorize)(bus_t *this, bool final); + /** + * CHILD_SA traffic selector narrowing hook. + * + * @param child_sa CHILD_SA set up with these traffic selectors + * @param type type of hook getting invoked + * @param local list of local traffic selectors to narrow + * @param remote list of remote traffic selectors to narrow + */ + void (*narrow)(bus_t *this, child_sa_t *child_sa, narrow_hook_t type, + linked_list_t *local, linked_list_t *remote); + /** * IKE_SA keymat hook. * 
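Review bot: Two wording slips in the new narrow_hook_t comment: `a authenticated` should read `an authenticated`, and the NARROW_INITIATOR_POST_NOAUTH / NARROW_INITIATOR_POST_AUTH comments say `follows a INITIATOR_PRE_*` where `an` is meant. The bus_t.narrow doc in the second hunk on this line does not mention that the lists are modified in place, which the listener-side doc added in listener.h does state; adding `* The registered listeners modify both lists in place.` to the bus_t.narrow comment would keep the two sides consistent.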
@@ -231,12 +268,13 @@ struct bus_t { * CHILD_SA keymat hook. * * @param child_sa CHILD_SA this keymat is used for + * @param initiator initiator of the CREATE_CHILD_SA exchange * @param dh diffie hellman shared secret * @param nonce_i initiators nonce * @param nonce_r responders nonce */ - void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r); + void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator, + diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); /** * IKE_SA up/down hook. diff --git a/src/libcharon/bus/listeners/file_logger.c b/src/libcharon/bus/listeners/file_logger.c index 12587deaf..87db532f5 100644 --- a/src/libcharon/bus/listeners/file_logger.c +++ b/src/libcharon/bus/listeners/file_logger.c @@ -15,6 +15,7 @@ #include #include +#include #include "file_logger.h" @@ -40,6 +41,11 @@ struct private_file_logger_t { * Maximum level to log, for each group */ level_t levels[DBG_MAX]; + + /** + * strftime() format of time prefix, if any + */ + char *time_format; }; /** @@ -50,8 +56,17 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, { if (level <= this->levels[group]) { - char buffer[8192]; + char buffer[8192], timestr[128]; char *current = buffer, *next; + struct tm tm; + time_t t; + + if (this->time_format) + { + t = time(NULL); + localtime_r(&t, &tm); + strftime(timestr, sizeof(timestr), this->time_format, &tm); + } /* write in memory buffer first */ vsnprintf(buffer, sizeof(buffer), format, args); @@ -64,8 +79,16 @@ static bool log_(private_file_logger_t *this, debug_t group, level_t level, { *(next++) = '\0'; } - fprintf(this->out, "%.2d[%N] %s\n", - thread, debug_names, group, current); + if (this->time_format) + { + fprintf(this->out, "%s %.2d[%N] %s\n", + timestr, thread, debug_names, group, current); + } + else + { + fprintf(this->out, "%.2d[%N] %s\n", + thread, debug_names, group, current); + } current = next; } } 
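Review bot: The `strftime()` call in the new `if (this->time_format)` block of log_ never checks its return value; when the expanded format does not fit in `timestr[128]` (or expands to nothing) strftime returns 0 and leaves the buffer contents indeterminate, and the `fprintf(this->out, "%s %.2d[%N] %s\n", timestr, ...)` added in the next hunk then writes uninitialised stack bytes into the log. `localtime_r()` can likewise return NULL, leaving `tm` unset. Replace the two calls with `if (!localtime_r(&t, &tm) || !strftime(timestr, sizeof(timestr), this->time_format, &tm)) { timestr[0] = '\0'; }` so a bad or oversized format degrades to an empty prefix. The format presumably comes from the daemon's configuration rather than from the network, so this is a robustness fix, not a remote issue; log_'s body continues outside the hunk.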
@@ -106,7 +129,7 @@ static void destroy(private_file_logger_t *this) /* * Described in header. */ -file_logger_t *file_logger_create(FILE *out) +file_logger_t *file_logger_create(FILE *out, char *time_format) { private_file_logger_t *this = malloc_thing(private_file_logger_t); @@ -118,6 +141,7 @@ file_logger_t *file_logger_create(FILE *out) /* private variables */ this->out = out; + this->time_format = time_format; set_level(this, DBG_ANY, LEVEL_SILENT); return &this->public; diff --git a/src/libcharon/bus/listeners/file_logger.h b/src/libcharon/bus/listeners/file_logger.h index bd443fdb8..e02a12c0c 100644 --- a/src/libcharon/bus/listeners/file_logger.h +++ b/src/libcharon/bus/listeners/file_logger.h @@ -52,9 +52,10 @@ struct file_logger_t { /** * Constructor to create a file_logger_t object. * - * @param out FILE to write to - * @return file_logger_t object + * @param out FILE to write to + * @param time_format format of timestamp prefix, as in strftime() + * @return file_logger_t object */ -file_logger_t *file_logger_create(FILE *out); +file_logger_t *file_logger_create(FILE *out, char *time_format); #endif /** FILE_LOGGER_H_ @}*/ diff --git a/src/libcharon/bus/listeners/listener.h b/src/libcharon/bus/listeners/listener.h index 9a51a2ef4..e7873ee8c 100644 --- a/src/libcharon/bus/listeners/listener.h +++ b/src/libcharon/bus/listeners/listener.h 
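Review bot: `file_logger_create` stores the `time_format` pointer as passed (`this->time_format = time_format;`) without copying it, and the new parameter doc in the file_logger.h hunk on this line does not say that the caller must keep the string alive for the logger's lifetime or who frees it; the destroy function is not in the hunk, so I cannot tell whether it is released there. Suggest `@param time_format format of timestamp prefix, as in strftime(); not copied, must stay valid until destroy(), NULL to disable`, the NULL case being what the `if (this->time_format)` test in log_ implements. Since the logger only reads the string, declaring the parameter `const char *time_format` in both header and implementation would document that as well.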
@@ -110,13 +110,15 @@ struct listener_t { * * @param ike_sa IKE_SA the child sa belongs to * @param child_sa CHILD_SA this keymat is used for + * @param initiator initiator of the CREATE_CHILD_SA exchange * @param dh diffie hellman shared secret * @param nonce_i initiators nonce * @param nonce_r responders nonce * @return TRUE to stay registered, FALSE to unregister */ bool (*child_keys)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); + bool initiator, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r); /** * Hook called if an IKE_SA gets up or down. @@ -173,6 +175,21 @@ struct listener_t { */ bool (*authorize)(listener_t *this, ike_sa_t *ike_sa, bool final, bool *success); + + /** + * CHILD_SA traffic selector narrowing hook. + * + * This hook is invoked for each CHILD_SA and allows plugins to modify + * the traffic selector list negotiated for this CHILD_SA. + * + * @param ike_sa IKE_SA the created CHILD_SA is created in + * @param child_sa CHILD_SA set up with these traffic selectors + * @param type type of hook getting invoked + * @param local list of local traffic selectors to narrow + * @param remote list of remote traffic selectors to narrow + */ + bool (*narrow)(listener_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + narrow_hook_t type, linked_list_t *local, linked_list_t *remote); }; #endif /** LISTENER_H_ @}*/ diff --git a/src/libcharon/bus/listeners/sys_logger.c b/src/libcharon/bus/listeners/sys_logger.c index 11421ad05..5bc1d581a 100644 --- a/src/libcharon/bus/listeners/sys_logger.c +++ b/src/libcharon/bus/listeners/sys_logger.c @@ -15,6 +15,7 @@ #include #include +#include #include "sys_logger.h" diff --git a/src/libcharon/bus/listeners/sys_logger.h b/src/libcharon/bus/listeners/sys_logger.h index 730890d68..58d4de529 100644 --- a/src/libcharon/bus/listeners/sys_logger.h +++ b/src/libcharon/bus/listeners/sys_logger.h 
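Review bot: The new listener_t.narrow doc says plugins may "modify the traffic selector list" but not what that means for ownership: whether a listener may remove or replace entries in `local`/`remote`, and who destroys the entries it takes out, which is exactly what a plugin author needs to know to avoid a leak or a double free. It also does not mention that for NARROW_INITIATOR_PRE_NOAUTH the peer is not yet authenticated (the narrow_hook_t comment in bus.h does), so a listener must not derive narrowing decisions from the unverified peer identity in that hook. Suggest extending the comment with `* The hook runs with the bus lock held and may modify both lists in place; for NARROW_INITIATOR_PRE_NOAUTH the peer is not yet authenticated.` and a line stating the ownership rule for removed entries once confirmed against the callers.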
@@ -21,8 +21,6 @@ #ifndef SYS_LOGGER_H_ #define SYS_LOGGER_H_ -#include - #include typedef struct sys_logger_t sys_logger_t; diff --git a/src/libcharon/config/auth_cfg.c b/src/libcharon/config/auth_cfg.c deleted file mode 100644 index 94362c756..000000000 --- a/src/libcharon/config/auth_cfg.c +++ /dev/null 
@@ -1,768 +0,0 @@ -/* - * Copyright (C) 2007-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "auth_cfg.h" - -#include -#include -#include -#include - -ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, - "RULE_IDENTITY", - "RULE_AUTH_CLASS", - "RULE_EAP_IDENTITY", - "RULE_EAP_TYPE", - "RULE_EAP_VENDOR", - "RULE_CA_CERT", - "RULE_IM_CERT", - "RULE_SUBJECT_CERT", - "RULE_CRL_VALIDATION", - "RULE_OCSP_VALIDATION", - "RULE_AC_GROUP", - "HELPER_IM_CERT", - "HELPER_SUBJECT_CERT", - "HELPER_IM_HASH_URL", - "HELPER_SUBJECT_HASH_URL", -); - -typedef struct private_auth_cfg_t private_auth_cfg_t; - -/** - * private data of item_set - */ -struct private_auth_cfg_t { - - /** - * public functions - */ - auth_cfg_t public; - - /** - * list of entry_t - */ - linked_list_t *entries; -}; - -typedef struct entry_t entry_t; - -struct entry_t { - /** rule type */ - auth_rule_t type; - /** associated value */ - void *value; -}; - -/** - * enumerator for auth_cfg_t.create_enumerator() - */ -typedef struct { - /** implements enumerator_t */ - enumerator_t public; - /** inner enumerator from linked_list_t */ - enumerator_t *inner; - /** current entry */ - entry_t *current; -} entry_enumerator_t; - -/** - * enumerate function for item_enumerator_t - */ -static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value) -{ - entry_t *entry; - - if (this->inner->enumerate(this->inner, 
&entry)) - { - this->current = entry; - *type = entry->type; - *value = entry->value; - return TRUE; - } - return FALSE; -} - -/** - * destroy function for item_enumerator_t - */ -static void entry_enumerator_destroy(entry_enumerator_t *this) -{ - this->inner->destroy(this->inner); - free(this); -} - -/** - * Implementation of auth_cfg_t.create_enumerator. - */ -static enumerator_t* create_enumerator(private_auth_cfg_t *this) -{ - entry_enumerator_t *enumerator; - - enumerator = malloc_thing(entry_enumerator_t); - enumerator->inner = this->entries->create_enumerator(this->entries); - enumerator->public.enumerate = (void*)enumerate; - enumerator->public.destroy = (void*)entry_enumerator_destroy; - enumerator->current = NULL; - return &enumerator->public; -} - -/** - * Destroy the value associated with an entry - */ -static void destroy_entry_value(entry_t *entry) -{ - switch (entry->type) - { - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - { - identification_t *id = (identification_t*)entry->value; - id->destroy(id); - break; - } - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - { - certificate_t *cert = (certificate_t*)entry->value; - cert->destroy(cert); - break; - } - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - { - free(entry->value); - break; - } - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - break; - } -} - -/** - * Implementation of auth_cfg_t.replace. - */ -static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, - auth_rule_t type, ...) 
-{ - if (enumerator->current) - { - va_list args; - - va_start(args, type); - - destroy_entry_value(enumerator->current); - enumerator->current->type = type; - switch (type) - { - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - /* integer type */ - enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); - break; - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - /* pointer type */ - enumerator->current->value = va_arg(args, void*); - break; - } - va_end(args); - } -} - -/** - * Implementation of auth_cfg_t.get. - */ -static void* get(private_auth_cfg_t *this, auth_rule_t type) -{ - enumerator_t *enumerator; - void *current_value, *best_value = NULL; - auth_rule_t current_type; - bool found = FALSE; - - enumerator = create_enumerator(this); - while (enumerator->enumerate(enumerator, ¤t_type, ¤t_value)) - { - if (type == current_type) - { - if (type == AUTH_RULE_CRL_VALIDATION || - type == AUTH_RULE_OCSP_VALIDATION) - { /* for CRL/OCSP validation, always get() the highest value */ - if (!found || current_value > best_value) - { - best_value = current_value; - } - found = TRUE; - continue; - } - best_value = current_value; - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - if (found) - { - return best_value; - } - switch (type) - { - /* use some sane defaults if we don't find an entry */ - case AUTH_RULE_AUTH_CLASS: - return (void*)AUTH_CLASS_ANY; - case AUTH_RULE_EAP_TYPE: - return (void*)EAP_NAK; - case AUTH_RULE_EAP_VENDOR: - return (void*)0; - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - return (void*)VALIDATION_FAILED; - case AUTH_RULE_IDENTITY: - case 
AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - default: - return NULL; - } -} - -/** - * Implementation of auth_cfg_t.add. - */ -static void add(private_auth_cfg_t *this, auth_rule_t type, ...) -{ - entry_t *entry = malloc_thing(entry_t); - va_list args; - - va_start(args, type); - entry->type = type; - switch (type) - { - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - /* integer type */ - entry->value = (void*)(uintptr_t)va_arg(args, u_int); - break; - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - /* pointer type */ - entry->value = va_arg(args, void*); - break; - } - va_end(args); - this->entries->insert_last(this->entries, entry); -} - -/** - * Implementation of auth_cfg_t.complies. 
- */ -static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, - bool log_error) -{ - enumerator_t *e1, *e2; - bool success = TRUE; - auth_rule_t t1, t2; - void *value; - - e1 = constraints->create_enumerator(constraints); - while (e1->enumerate(e1, &t1, &value)) - { - switch (t1) - { - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - { - certificate_t *c1, *c2; - - c1 = (certificate_t*)value; - - success = FALSE; - e2 = create_enumerator(this); - while (e2->enumerate(e2, &t2, &c2)) - { - if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) && - c1->equals(c1, c2)) - { - success = TRUE; - } - } - e2->destroy(e2); - if (!success && log_error) - { - DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated by CA '%Y'.", c1->get_subject(c1)); - } - break; - } - case AUTH_RULE_SUBJECT_CERT: - { - certificate_t *c1, *c2; - - c1 = (certificate_t*)value; - c2 = get(this, AUTH_RULE_SUBJECT_CERT); - if (!c2 || !c1->equals(c1, c2)) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint check failed: peer not " - "authenticated with peer cert '%Y'.", - c1->get_subject(c1)); - } - } - break; - } - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - { - cert_validation_t validated, required; - - required = (uintptr_t)value; - validated = (uintptr_t)get(this, t1); - switch (required) - { - case VALIDATION_FAILED: - /* no constraint */ - break; - case VALIDATION_SKIPPED: - if (validated == VALIDATION_SKIPPED) - { - break; - } - /* FALL */ - case VALIDATION_GOOD: - if (validated == VALIDATION_GOOD) - { - break; - } - /* FALL */ - default: - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint check failed: %N is %N, " - "but requires at least %N", auth_rule_names, - t1, cert_validation_names, validated, - cert_validation_names, required); - } - break; - } - break; - } - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - { - identification_t *id1, *id2; - - id1 = (identification_t*)value; - id2 = 
get(this, t1); - if (!id2 || !id2->matches(id2, id1)) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'" - " required ", t1 == AUTH_RULE_IDENTITY ? "" : - "EAP ", id1); - } - } - break; - } - case AUTH_RULE_AUTH_CLASS: - { - if ((uintptr_t)value != AUTH_CLASS_ANY && - (uintptr_t)value != (uintptr_t)get(this, t1)) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint requires %N authentication, " - "but %N was used", auth_class_names, (uintptr_t)value, - auth_class_names, (uintptr_t)get(this, t1)); - } - } - break; - } - case AUTH_RULE_EAP_TYPE: - { - if ((uintptr_t)value != (uintptr_t)get(this, t1)) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint requires %N, " - "but %N was used", eap_type_names, (uintptr_t)value, - eap_type_names, (uintptr_t)get(this, t1)); - } - } - break; - } - case AUTH_RULE_EAP_VENDOR: - { - if ((uintptr_t)value != (uintptr_t)get(this, t1)) - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint requires EAP vendor %d, " - "but %d was used", (uintptr_t)value, - (uintptr_t)get(this, t1)); - } - } - break; - } - case AUTH_RULE_AC_GROUP: - { - success = FALSE; - if (log_error) - { - DBG1(DBG_CFG, "constraint check %N not implemented!", - auth_rule_names, t1); - } - break; - } - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - /* skip helpers */ - continue; - } - if (!success) - { - break; - } - } - e1->destroy(e1); - return success; -} - -/** - * Implementation of auth_cfg_t.merge. 
- */ -static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy) -{ - if (!other) - { /* nothing to merge */ - return; - } - if (copy) - { - enumerator_t *enumerator; - auth_rule_t type; - void *value; - - enumerator = create_enumerator(other); - while (enumerator->enumerate(enumerator, &type, &value)) - { - switch (type) - { - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - { - certificate_t *cert = (certificate_t*)value; - - add(this, type, cert->get_ref(cert)); - break; - } - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - { - add(this, type, (uintptr_t)value); - break; - } - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - { - identification_t *id = (identification_t*)value; - - add(this, type, id->clone(id)); - break; - } - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - { - add(this, type, strdup((char*)value)); - break; - } - } - } - enumerator->destroy(enumerator); - } - else - { - entry_t *entry; - - while (other->entries->remove_first(other->entries, - (void**)&entry) == SUCCESS) - { - this->entries->insert_last(this->entries, entry); - } - } -} - -/** - * Implementation of auth_cfg_t.equals. 
- */ -static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) -{ - enumerator_t *e1, *e2; - entry_t *i1, *i2; - bool equal = TRUE, found; - - if (this->entries->get_count(this->entries) != - other->entries->get_count(other->entries)) - { - return FALSE; - } - e1 = this->entries->create_enumerator(this->entries); - while (e1->enumerate(e1, &i1)) - { - found = FALSE; - e2 = other->entries->create_enumerator(other->entries); - while (e2->enumerate(e2, &i2)) - { - if (i1->type == i2->type) - { - switch (i1->type) - { - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - { - if (i1->value == i2->value) - { - found = TRUE; - break; - } - continue; - } - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - { - certificate_t *c1, *c2; - - c1 = (certificate_t*)i1->value; - c2 = (certificate_t*)i2->value; - - if (c1->equals(c1, c2)) - { - found = TRUE; - break; - } - continue; - } - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - { - identification_t *id1, *id2; - - id1 = (identification_t*)i1->value; - id2 = (identification_t*)i2->value; - - if (id1->equals(id1, id2)) - { - found = TRUE; - break; - } - continue; - } - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - { - if (streq(i1->value, i2->value)) - { - found = TRUE; - break; - } - continue; - } - } - break; - } - } - e2->destroy(e2); - if (!found) - { - equal = FALSE; - break; - } - } - e1->destroy(e1); - return equal; -} - -/** - * Implementation of auth_cfg_t.purge - */ -static void purge(private_auth_cfg_t *this, bool keep_ca) -{ - entry_t *entry; - linked_list_t *cas; - - cas = linked_list_create(); - while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS) - { - if (keep_ca && entry->type == AUTH_RULE_CA_CERT) - { - 
cas->insert_first(cas, entry); - } - else - { - destroy_entry_value(entry); - free(entry); - } - } - while (cas->remove_last(cas, (void**)&entry) == SUCCESS) - { - this->entries->insert_first(this->entries, entry); - } - cas->destroy(cas); -} - -/** - * Implementation of auth_cfg_t.clone - */ -static auth_cfg_t* clone_(private_auth_cfg_t *this) -{ - enumerator_t *enumerator; - auth_cfg_t *clone; - entry_t *entry; - - clone = auth_cfg_create(); - enumerator = this->entries->create_enumerator(this->entries); - while (enumerator->enumerate(enumerator, &entry)) - { - switch (entry->type) - { - case AUTH_RULE_IDENTITY: - case AUTH_RULE_EAP_IDENTITY: - case AUTH_RULE_AC_GROUP: - { - identification_t *id = (identification_t*)entry->value; - clone->add(clone, entry->type, id->clone(id)); - break; - } - case AUTH_RULE_CA_CERT: - case AUTH_RULE_IM_CERT: - case AUTH_RULE_SUBJECT_CERT: - case AUTH_HELPER_IM_CERT: - case AUTH_HELPER_SUBJECT_CERT: - { - certificate_t *cert = (certificate_t*)entry->value; - clone->add(clone, entry->type, cert->get_ref(cert)); - break; - } - case AUTH_HELPER_IM_HASH_URL: - case AUTH_HELPER_SUBJECT_HASH_URL: - { - clone->add(clone, entry->type, strdup(entry->value)); - break; - } - case AUTH_RULE_AUTH_CLASS: - case AUTH_RULE_EAP_TYPE: - case AUTH_RULE_EAP_VENDOR: - case AUTH_RULE_CRL_VALIDATION: - case AUTH_RULE_OCSP_VALIDATION: - clone->add(clone, entry->type, (uintptr_t)entry->value); - break; - } - } - enumerator->destroy(enumerator); - return clone; -} - -/** - * Implementation of auth_cfg_t.destroy - */ -static void destroy(private_auth_cfg_t *this) -{ - purge(this, FALSE); - this->entries->destroy(this->entries); - free(this); -} - -/* - * see header file - */ -auth_cfg_t *auth_cfg_create() -{ - private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t); - - this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add; - this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get; - this->public.create_enumerator = 
(enumerator_t*(*)(auth_cfg_t*))create_enumerator; - this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace; - this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies; - this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge; - this->public.purge = (void(*)(auth_cfg_t*,bool))purge; - this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals; - this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_; - this->public.destroy = (void(*)(auth_cfg_t*))destroy; - - this->entries = linked_list_create(); - - return &this->public; -} - diff --git a/src/libcharon/config/auth_cfg.h b/src/libcharon/config/auth_cfg.h deleted file mode 100644 index 5e6215a4a..000000000 --- a/src/libcharon/config/auth_cfg.h +++ /dev/null 
@@ -1,201 +0,0 @@ -/* - * Copyright (C) 2007-2009 Martin Willi - * Copyright (C) 2008 Tobias Brunner - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup auth_cfg auth_cfg - * @{ @ingroup config - */ - -#ifndef AUTH_CFG_H_ -#define AUTH_CFG_H_ - -#include - -typedef struct auth_cfg_t auth_cfg_t; -typedef enum auth_rule_t auth_rule_t; - -/** - * Authentication config to use during authentication process. - * - * Each authentication config contains a set of rules. These rule-sets are used - * in two ways: - * - For configs specifying local authentication behavior, the rules define - * which authentication method in which way. - * - For configs specifying remote peer authentication, the rules define - * constraints the peer has to fullfill. - * - * Additionally to the rules, there is a set of helper items. These are used - * to transport credentials during the authentication process. 
- */ -enum auth_rule_t { - - /** identity to use for IKEv2 authentication exchange, identification_t* */ - AUTH_RULE_IDENTITY, - /** authentication class, auth_class_t */ - AUTH_RULE_AUTH_CLASS, - /** EAP identity to use within EAP-Identity exchange, identification_t* */ - AUTH_RULE_EAP_IDENTITY, - /** EAP type to propose for peer authentication, eap_type_t */ - AUTH_RULE_EAP_TYPE, - /** EAP vendor for vendor specific type, u_int32_t */ - AUTH_RULE_EAP_VENDOR, - /** certificate authority, certificate_t* */ - AUTH_RULE_CA_CERT, - /** intermediate certificate in trustchain, certificate_t* */ - AUTH_RULE_IM_CERT, - /** subject certificate, certificate_t* */ - AUTH_RULE_SUBJECT_CERT, - /** result of a CRL validation, cert_validation_t */ - AUTH_RULE_CRL_VALIDATION, - /** result of a OCSP validation, cert_validation_t */ - AUTH_RULE_OCSP_VALIDATION, - /** subject is in attribute certificate group, identification_t* */ - AUTH_RULE_AC_GROUP, - - /** intermediate certificate, certificate_t* */ - AUTH_HELPER_IM_CERT, - /** subject certificate, certificate_t* */ - AUTH_HELPER_SUBJECT_CERT, - /** Hash and URL of a intermediate certificate, char* */ - AUTH_HELPER_IM_HASH_URL, - /** Hash and URL of a end-entity certificate, char* */ - AUTH_HELPER_SUBJECT_HASH_URL, -}; - -/** - * enum name for auth_rule_t. - */ -extern enum_name_t *auth_rule_names; - -/** - * Authentication/Authorization round. - * - * RFC4739 defines multiple authentication rounds. This class defines such - * a round from a configuration perspective, either for the local or the remote - * peer. Local config are called "rulesets", as they define how we authenticate. - * Remote peer configs are called "constraits", they define what is needed to - * complete the authentication round successfully. 
- * - * @verbatim - - [Repeat for each configuration] - +--------------------------------------------------+ - | | - | | - | +----------+ IKE_AUTH +--------- + | - | | config | -----------> | | | - | | ruleset | | | | - | +----------+ [ <----------- ] | | | - | [ optional EAP ] | Peer | | - | +----------+ [ -----------> ] | | | - | | config | | | | - | | constr. | <----------- | | | - | +----------+ IKE_AUTH +--------- + | - | | - | | - +--------------------------------------------------+ - - @endverbatim - * - * Values for each items are either pointers (casted to void*) or short - * integers (use uintptr_t cast). - */ -struct auth_cfg_t { - - /** - * Add an rule to the set. - * - * @param rule rule type - * @param ... associated value to rule - */ - void (*add)(auth_cfg_t *this, auth_rule_t rule, ...); - - /** - * Get an rule value. - * - * @param rule rule type - * @return bool if item has been found - */ - void* (*get)(auth_cfg_t *this, auth_rule_t rule); - - /** - * Create an enumerator over added rules. - * - * @return enumerator over (auth_rule_t, union{void*,uintpr_t}) - */ - enumerator_t* (*create_enumerator)(auth_cfg_t *this); - - /** - * Replace an rule at enumerator position. - * - * @param pos enumerator position position - * @param rule rule type - * @param ... associated value to rule - */ - void (*replace)(auth_cfg_t *this, enumerator_t *pos, - auth_rule_t rule, ...); - - /** - * Check if a used config fulfills a set of configured constraints. - * - * @param constraints required authorization rules - * @param log_error wheter to log compliance errors - * @return TRUE if this complies with constraints - */ - bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error); - - /** - * Merge items from other into this. - * - * @param other items to read for merge - * @param copy TRUE to copy items, FALSE to move them - */ - void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy); - - /** - * Purge all rules in a config. 
- * - * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries - */ - void (*purge)(auth_cfg_t *this, bool keep_ca); - - /** - * Check two configs for equality. - * - * @param other other config to compaire against this - * @return TRUE if auth infos identical - */ - bool (*equals)(auth_cfg_t *this, auth_cfg_t *other); - - /** - * Clone a authentication config, including all rules. - * - * @return cloned configuration - */ - auth_cfg_t* (*clone)(auth_cfg_t *this); - - /** - * Destroy a config with all associated rules/values. - */ - void (*destroy)(auth_cfg_t *this); -}; - -/** - * Create a authentication config. - */ -auth_cfg_t *auth_cfg_create(); - -#endif /** AUTH_CFG_H_ @}*/ diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 8410b3fe5..70f38b285 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -17,6 +17,8 @@ #include "child_cfg.h" +#include + #include ENUM(action_names, ACTION_NONE, ACTION_RESTART, @@ -111,6 +113,20 @@ struct private_child_cfg_t { */ u_int32_t inactivity; + /** + * Reqid to install CHILD_SA with + */ + u_int32_t reqid; + + /** + * Optional mark to install inbound CHILD_SA with + */ + mark_t mark_in; + + /** + * Optional mark to install outbound CHILD_SA with + */ + mark_t mark_out; /** * set up IPsec transport SA in MIPv6 proxy mode */ @@ -445,6 +461,22 @@ static u_int32_t get_inactivity(private_child_cfg_t *this) return this->inactivity; } +/** + * Implementation of child_cfg_t.get_reqid. + */ +static u_int32_t get_reqid(private_child_cfg_t *this) +{ + return this->reqid; +} + +/** + * Implementation of child_cfg_t.get_mark. + */ +static mark_t get_mark(private_child_cfg_t *this, bool inbound) +{ + return inbound ? this->mark_in : this->mark_out; +} + /** * Implementation of child_cfg_t.set_mipv6_options. */ 
@@ -506,7 +538,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, ipsec_mode_t mode, action_t dpd_action, action_t close_action, bool ipcomp, - u_int32_t inactivity) + u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out) { private_child_cfg_t *this = malloc_thing(private_child_cfg_t); @@ -526,6 +559,8 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp; this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity; + this->public.get_reqid = (u_int32_t (*) (child_cfg_t *))get_reqid; + this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark; this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode; this->public.install_policy = (bool (*) (child_cfg_t *))install_policy; this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref; @@ -539,6 +574,27 @@ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, this->close_action = close_action; this->use_ipcomp = ipcomp; this->inactivity = inactivity; + this->reqid = reqid; + + if (mark_in) + { + this->mark_in = *mark_in; + } + else + { + this->mark_in.value = 0; + this->mark_in.mask = 0; + } + if (mark_out) + { + this->mark_out = *mark_out; + } + else + { + this->mark_out.value = 0; + this->mark_out.mask = 0; + } + this->proxy_mode = FALSE; this->install_policy = TRUE; this->refcount = 1; diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index c6186ea36..d34835ead 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -26,6 +26,7 @@ typedef enum action_t action_t; typedef enum ipcomp_transform_t ipcomp_transform_t; typedef struct lifetime_cfg_t lifetime_cfg_t; +typedef struct mark_t mark_t; typedef struct child_cfg_t child_cfg_t; #include 
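Review bot: The two if/else blocks in child_cfg_create that default mark_in and mark_out (hunk `@@ -539,6 +574,27 @@`) repeat the same four-line pattern and spell the zero default out field by field; each collapses to a single conditional assignment, `this->mark_in = mark_in ? *mark_in : (mark_t){ .value = 0, .mask = 0 };` and the same for mark_out, assuming the codebase accepts C99 compound literals as the rest of strongSwan does. That also keeps the "no mark" default in one place if struct mark_t ever grows a field. Since get_mark in the earlier hunk hands this zeroed struct back for an unconfigured direction, a short comment above the defaults, `/* no mark configured: value and mask stay 0 */`, would make that contract explicit for callers. child_cfg_create begins before this hunk and its body continues after it.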
@@ -82,6 +83,16 @@ struct lifetime_cfg_t { } time, bytes, packets; }; +/** + * A mark_t defines an optional mark in a CHILD_SA. + */ +struct mark_t { + /** Mark value */ + u_int32_t value; + /** Mark mask */ + u_int32_t mask; +}; + /** * A child_cfg_t defines the config template for a CHILD_SA. * @@ -238,6 +249,21 @@ struct child_cfg_t { */ u_int32_t (*get_inactivity)(child_cfg_t *this); + /** + * Specific reqid to use for CHILD_SA + * + * @return reqid + */ + u_int32_t (*get_reqid)(child_cfg_t *this); + + /** + * Optional mark for CHILD_SA + * + * @param inbound TRUE for inbound, FALSE for outbound + * @return mark + */ + mark_t (*get_mark)(child_cfg_t *this, bool inbound); + /** * Sets two options needed for Mobile IPv6 interoperability * @@ -299,12 +325,16 @@ struct child_cfg_t { * @param close_action close action * @param ipcomp use IPComp, if peer supports it * @param inactivity inactivity timeout in s before closing a CHILD_SA - * @return child_cfg_t object + * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign + * @param mark_in optional inbound mark (can be NULL) + * @param mark_out optional outbound mark (can be NULL) + * @return child_cfg_t object */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, ipsec_mode_t mode, action_t dpd_action, action_t close_action, bool ipcomp, - u_int32_t inactivity); + u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out); #endif /** CHILD_CFG_H_ @}*/ diff --git a/src/libcharon/config/peer_cfg.h b/src/libcharon/config/peer_cfg.h index 6855276f8..723435cbb 100644 --- a/src/libcharon/config/peer_cfg.h +++ b/src/libcharon/config/peer_cfg.h @@ -36,7 +36,7 @@ typedef struct peer_cfg_t peer_cfg_t; #include #include #include -#include +#include /** * Certificate sending policy. This is also used for certificate 
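Review bot: The new get_reqid doc comment in struct child_cfg_t (hunk `@@ -238,6 +249,21 @@`) says only `@return reqid`, while child_cfg_create's @param in the next hunk documents 0 as "auto assign"; the getter should state the same so callers do not treat 0 as a usable reqid, e.g. `@return reqid, 0 for auto assign`. Likewise get_mark's comment does not say what is returned when no mark was configured; the constructor in child_cfg.c stores a mark with value and mask both 0 in that case, so `@return mark, value and mask 0 if none configured` would document it. A one-line note on struct mark_t in hunk `@@ -82,6 +83,16 @@` that a zero mask means the mark is unused would tie the two together; I am inferring that meaning from the constructor's default, so confirm it matches how the mark is consumed. struct child_cfg_t extends beyond the hunk in both directions.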
diff --git a/src/libcharon/credentials/credential_manager.c b/src/libcharon/credentials/credential_manager.c deleted file mode 100644 index adea0b4be..000000000 --- a/src/libcharon/credentials/credential_manager.c +++ /dev/null 
@@ -1,1681 +0,0 @@ -/* - * Copyright (C) 2007 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "credential_manager.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -typedef struct private_credential_manager_t private_credential_manager_t; - -/** - * private data of credential_manager - */ -struct private_credential_manager_t { - - /** - * public functions - */ - credential_manager_t public; - - /** - * list of credential sets - */ - linked_list_t *sets; - - /** - * thread local set of credentials, linked_list_t with credential_set_t's - */ - thread_value_t *local_sets; - - /** - * trust relationship and certificate cache - */ - cert_cache_t *cache; - - /** - * certificates queued for persistent caching - */ - linked_list_t *cache_queue; - - /** - * read-write lock to sets list - */ - rwlock_t *lock; - - /** - * mutex for cache queue - */ - mutex_t *queue_mutex; -}; - -/** data to pass to create_private_enumerator */ -typedef struct { - private_credential_manager_t *this; - key_type_t type; - identification_t* keyid; -} private_data_t; - -/** data to pass to create_cert_enumerator */ -typedef struct { - private_credential_manager_t *this; - certificate_type_t cert; - key_type_t key; - identification_t *id; - bool trusted; -} cert_data_t; - -/** data to pass to create_cdp_enumerator */ -typedef struct { - private_credential_manager_t *this; - certificate_type_t 
type; - identification_t *id; -} cdp_data_t; - -/** data to pass to create_shared_enumerator */ -typedef struct { - private_credential_manager_t *this; - shared_key_type_t type; - identification_t *me; - identification_t *other; -} shared_data_t; - -/** enumerator over local and global sets */ -typedef struct { - /** implements enumerator_t */ - enumerator_t public; - /** enumerator over global sets */ - enumerator_t *global; - /** enumerator over local sets */ - enumerator_t *local; -} sets_enumerator_t; - -/** - * destroy a sets_enumerator_t - */ -static void sets_enumerator_destroy(sets_enumerator_t *this) -{ - DESTROY_IF(this->global); - DESTROY_IF(this->local); - free(this); -} - -/** - * sets_enumerator_t.enumerate - */ -static bool sets_enumerator_enumerate(sets_enumerator_t *this, - credential_set_t **set) -{ - if (this->global) - { - if (this->global->enumerate(this->global, set)) - { - return TRUE; - } - /* end of global sets, look for local */ - this->global->destroy(this->global); - this->global = NULL; - } - if (this->local) - { - return this->local->enumerate(this->local, set); - } - return FALSE; -} - -/** - * create an enumerator over both, global and local sets - */ -static enumerator_t *create_sets_enumerator(private_credential_manager_t *this) -{ - linked_list_t *local; - sets_enumerator_t *enumerator = malloc_thing(sets_enumerator_t); - - enumerator->public.enumerate = (void*)sets_enumerator_enumerate; - enumerator->public.destroy = (void*)sets_enumerator_destroy; - enumerator->global = this->sets->create_enumerator(this->sets); - enumerator->local = NULL; - local = this->local_sets->get(this->local_sets); - if (local) - { - enumerator->local = local->create_enumerator(local); - } - return &enumerator->public; -} - -/** - * cleanup function for cert data - */ -static void destroy_cert_data(cert_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for certificates - */ -static 
enumerator_t *create_cert(credential_set_t *set, cert_data_t *data) -{ - return set->create_cert_enumerator(set, data->cert, data->key, - data->id, data->trusted); -} - -/** - * Implementation of credential_manager_t.create_cert_enumerator. - */ -static enumerator_t *create_cert_enumerator(private_credential_manager_t *this, - certificate_type_t certificate, key_type_t key, - identification_t *id, bool trusted) -{ - cert_data_t *data = malloc_thing(cert_data_t); - data->this = this; - data->cert = certificate; - data->key = key; - data->id = id; - data->trusted = trusted; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_cert, data, - (void*)destroy_cert_data); -} - -/** - * Implementation of credential_manager_t.get_cert. - */ -static certificate_t *get_cert(private_credential_manager_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) -{ - certificate_t *current, *found = NULL; - enumerator_t *enumerator; - - enumerator = create_cert_enumerator(this, cert, key, id, trusted); - if (enumerator->enumerate(enumerator, ¤t)) - { - /* TODO: best match? order by keyid, subject, sualtname */ - found = current->get_ref(current); - } - enumerator->destroy(enumerator); - return found; -} - - -/** - * cleanup function for cdp data - */ -static void destroy_cdp_data(cdp_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for CDPs - */ -static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data) -{ - return set->create_cdp_enumerator(set, data->type, data->id); -} -/** - * Implementation of credential_manager_t.create_cdp_enumerator. 
- */ -static enumerator_t * create_cdp_enumerator(private_credential_manager_t *this, - certificate_type_t type, identification_t *id) -{ - cdp_data_t *data = malloc_thing(cdp_data_t); - data->this = this; - data->type = type; - data->id = id; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_cdp, data, - (void*)destroy_cdp_data); -} - -/** - * cleanup function for private data - */ -static void destroy_private_data(private_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for private keys - */ -static enumerator_t *create_private(credential_set_t *set, private_data_t *data) -{ - return set->create_private_enumerator(set, data->type, data->keyid); -} - -/** - * Implementation of credential_manager_t.create_private_enumerator. - */ -static enumerator_t* create_private_enumerator( - private_credential_manager_t *this, - key_type_t key, identification_t *keyid) -{ - private_data_t *data; - - data = malloc_thing(private_data_t); - data->this = this; - data->type = key; - data->keyid = keyid; - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_private, data, - (void*)destroy_private_data); -} - -/** - * Implementation of credential_manager_t.get_private_by_keyid. 
- */ -static private_key_t *get_private_by_keyid(private_credential_manager_t *this, - key_type_t key, identification_t *keyid) -{ - private_key_t *found = NULL; - enumerator_t *enumerator; - - enumerator = create_private_enumerator(this, key, keyid); - if (enumerator->enumerate(enumerator, &found)) - { - found->get_ref(found); - } - enumerator->destroy(enumerator); - return found; -} - -/** - * cleanup function for shared data - */ -static void destroy_shared_data(shared_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * enumerator constructor for shared keys - */ -static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data) -{ - return set->create_shared_enumerator(set, data->type, data->me, data->other); -} - -/** - * Implementation of credential_manager_t.create_shared_enumerator. - */ -static enumerator_t *create_shared_enumerator(private_credential_manager_t *this, - shared_key_type_t type, - identification_t *me, identification_t *other) -{ - shared_data_t *data = malloc_thing(shared_data_t); - data->this = this; - data->type = type; - data->me = me; - data->other = other; - - this->lock->read_lock(this->lock); - return enumerator_create_nested(create_sets_enumerator(this), - (void*)create_shared, data, - (void*)destroy_shared_data); -} - -/** - * Implementation of credential_manager_t.get_shared. 
- */ -static shared_key_t *get_shared(private_credential_manager_t *this, - shared_key_type_t type, identification_t *me, - identification_t *other) -{ - shared_key_t *current, *found = NULL; - id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE; - id_match_t *match_me, *match_other; - enumerator_t *enumerator; - - enumerator = create_shared_enumerator(this, type, me, other); - while (enumerator->enumerate(enumerator, ¤t, &match_me, &match_other)) - { - if (match_other > best_other || - (match_other == best_other && match_me > best_me)) - { - DESTROY_IF(found); - found = current->get_ref(current); - best_me = match_me; - best_other = match_other; - } - } - enumerator->destroy(enumerator); - return found; -} - -/** - * add a credential set to the thread local list - */ -static void add_local_set(private_credential_manager_t *this, - credential_set_t *set) -{ - linked_list_t *sets; - - sets = this->local_sets->get(this->local_sets); - if (!sets) - { /* first invocation */ - sets = linked_list_create(); - this->local_sets->set(this->local_sets, sets); - } - sets->insert_last(sets, set); -} - -/** - * remove a credential set from the thread local list - */ -static void remove_local_set(private_credential_manager_t *this, - credential_set_t *set) -{ - linked_list_t *sets; - - sets = this->local_sets->get(this->local_sets); - sets->remove(sets, set, NULL); -} - -/** - * Implementation of credential_manager_t.cache_cert. 
- */ -static void cache_cert(private_credential_manager_t *this, certificate_t *cert) -{ - credential_set_t *set; - enumerator_t *enumerator; - - if (this->lock->try_write_lock(this->lock)) - { - enumerator = this->sets->create_enumerator(this->sets); - while (enumerator->enumerate(enumerator, &set)) - { - set->cache_cert(set, cert); - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - } - else - { /* we can't cache now as other threads are active, queue for later */ - this->queue_mutex->lock(this->queue_mutex); - this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert)); - this->queue_mutex->unlock(this->queue_mutex); - } -} - -/** - * Try to cache certificates queued for caching - */ -static void cache_queue(private_credential_manager_t *this) -{ - credential_set_t *set; - certificate_t *cert; - enumerator_t *enumerator; - - this->queue_mutex->lock(this->queue_mutex); - if (this->cache_queue->get_count(this->cache_queue) > 0 && - this->lock->try_write_lock(this->lock)) - { - while (this->cache_queue->remove_last(this->cache_queue, - (void**)&cert) == SUCCESS) - { - enumerator = this->sets->create_enumerator(this->sets); - while (enumerator->enumerate(enumerator, &set)) - { - set->cache_cert(set, cert); - } - enumerator->destroy(enumerator); - cert->destroy(cert); - } - this->lock->unlock(this->lock); - } - this->queue_mutex->unlock(this->queue_mutex); -} - -/** - * forward declaration - */ -static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this, - key_type_t type, identification_t *id, bool crl, bool ocsp); - -/** - * Do an OCSP request - */ -static certificate_t *fetch_ocsp(private_credential_manager_t *this, char *url, - certificate_t *subject, certificate_t *issuer) -{ - certificate_t *request, *response; - chunk_t send, receive; - - /* TODO: requestor name, signature */ - request = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, - BUILD_CA_CERT, issuer, - BUILD_CERT, 
subject, BUILD_END); - if (!request) - { - DBG1(DBG_CFG, "generating ocsp request failed"); - return NULL; - } - - send = request->get_encoding(request); - request->destroy(request); - - DBG1(DBG_CFG, " requesting ocsp status from '%s' ...", url); - if (lib->fetcher->fetch(lib->fetcher, url, &receive, - FETCH_REQUEST_DATA, send, - FETCH_REQUEST_TYPE, "application/ocsp-request", - FETCH_END) != SUCCESS) - { - DBG1(DBG_CFG, "ocsp request to %s failed", url); - chunk_free(&send); - return NULL; - } - chunk_free(&send); - - response = lib->creds->create(lib->creds, - CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, - BUILD_BLOB_ASN1_DER, receive, BUILD_END); - chunk_free(&receive); - if (!response) - { - DBG1(DBG_CFG, "parsing ocsp response failed"); - return NULL; - } - return response; -} - -/** - * check the signature of an OCSP response - */ -static bool verify_ocsp(private_credential_manager_t *this, - ocsp_response_t *response) -{ - certificate_t *issuer, *subject; - identification_t *responder; - ocsp_response_wrapper_t *wrapper; - enumerator_t *enumerator; - bool verified = FALSE; - - wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); - add_local_set(this, &wrapper->set); - - subject = &response->certificate; - responder = subject->get_issuer(subject); - enumerator = create_trusted_enumerator(this, KEY_ANY, responder, FALSE, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) - { - if (this->cache->issued_by(this->cache, subject, issuer)) - { - DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", - issuer->get_subject(issuer)); - verified = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - remove_local_set(this, &wrapper->set); - wrapper->destroy(wrapper); - return verified; -} - -/** - * Get the better of two OCSP responses, and check for usable OCSP info - */ -static certificate_t *get_better_ocsp(private_credential_manager_t *this, - certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, - 
cert_validation_t *valid, bool cache) -{ - ocsp_response_t *response; - time_t revocation, this_update, next_update, valid_until; - crl_reason_t reason; - bool revoked = FALSE; - - response = (ocsp_response_t*)cand; - - /* check ocsp signature */ - if (!verify_ocsp(this, response)) - { - DBG1(DBG_CFG, "ocsp response verification failed"); - cand->destroy(cand); - return best; - } - /* check if response contains our certificate */ - switch (response->get_status(response, subject, issuer, &revocation, &reason, - &this_update, &next_update)) - { - case VALIDATION_REVOKED: - /* subject has been revoked by a valid OCSP response */ - DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", - &revocation, TRUE, crl_reason_names, reason); - revoked = TRUE; - break; - case VALIDATION_GOOD: - /* results in either good or stale */ - break; - default: - case VALIDATION_FAILED: - /* candidate unusable, does not contain our cert */ - DBG1(DBG_CFG, " ocsp response contains no status on our certificate"); - cand->destroy(cand); - return best; - } - - /* select the better of the two responses */ - if (best == NULL || cand->is_newer(cand, best)) - { - DESTROY_IF(best); - best = cand; - if (best->get_validity(best, NULL, NULL, &valid_until)) - { - DBG1(DBG_CFG, " ocsp response is valid: until %T", - &valid_until, FALSE); - *valid = VALIDATION_GOOD; - if (cache) - { /* cache non-stale only, stale certs get refetched */ - cache_cert(this, best); - } - } - else - { - DBG1(DBG_CFG, " ocsp response is stale: since %T", - &valid_until, FALSE); - *valid = VALIDATION_STALE; - } - } - else - { - *valid = VALIDATION_STALE; - cand->destroy(cand); - } - if (revoked) - { /* revoked always counts, even if stale */ - *valid = VALIDATION_REVOKED; - } - return best; -} - -/** - * validate a x509 certificate using OCSP - */ -static cert_validation_t check_ocsp(private_credential_manager_t *this, - x509_t *subject, x509_t *issuer, - auth_cfg_t *auth) -{ - enumerator_t *enumerator; - cert_validation_t 
valid = VALIDATION_SKIPPED; - certificate_t *best = NULL, *current; - identification_t *keyid = NULL; - public_key_t *public; - chunk_t chunk; - char *uri = NULL; - - /** lookup cache for valid OCSP responses */ - enumerator = create_cert_enumerator(this, CERT_X509_OCSP_RESPONSE, - KEY_ANY, NULL, FALSE); - while (enumerator->enumerate(enumerator, ¤t)) - { - current->get_ref(current); - best = get_better_ocsp(this, current, best, subject, issuer, - &valid, FALSE); - if (best && valid != VALIDATION_STALE) - { - DBG1(DBG_CFG, " using cached ocsp response"); - break; - } - } - enumerator->destroy(enumerator); - - /* derive the authorityKeyIdentifier from the issuer's public key */ - current = &issuer->interface; - public = current->get_public_key(current); - if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); - } - /** fetch from configured OCSP responder URLs */ - if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = create_cdp_enumerator(this, CERT_X509_OCSP_RESPONSE, keyid); - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_ocsp(this, uri, &subject->interface, - &issuer->interface); - if (current) - { - best = get_better_ocsp(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - DESTROY_IF(public); - DESTROY_IF(keyid); - - /* fallback to URL fetching from subject certificate's URIs */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = subject->create_ocsp_uri_enumerator(subject); - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_ocsp(this, uri, &subject->interface, - &issuer->interface); - if (current) - { - best = get_better_ocsp(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - 
enumerator->destroy(enumerator); - } - /* an uri was found, but no result. switch validation state to failed */ - if (valid == VALIDATION_SKIPPED && uri) - { - valid = VALIDATION_FAILED; - } - if (auth) - { - auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid); - if (valid == VALIDATION_GOOD) - { /* successful OCSP check fulfills also CRL constraint */ - auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD); - } - } - DESTROY_IF(best); - return valid; -} - -/** - * fetch a CRL from an URL - */ -static certificate_t* fetch_crl(private_credential_manager_t *this, char *url) -{ - certificate_t *crl; - chunk_t chunk; - - DBG1(DBG_CFG, " fetching crl from '%s' ...", url); - if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS) - { - DBG1(DBG_CFG, "crl fetching failed"); - return NULL; - } - crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, - BUILD_BLOB_ASN1_DER, chunk, BUILD_END); - chunk_free(&chunk); - if (!crl) - { - DBG1(DBG_CFG, "crl fetched successfully but parsing failed"); - return NULL; - } - return crl; -} - -/** - * check the signature of an CRL - */ -static bool verify_crl(private_credential_manager_t *this, certificate_t *crl) -{ - certificate_t *issuer; - enumerator_t *enumerator; - bool verified = FALSE; - - enumerator = create_trusted_enumerator(this, KEY_ANY, crl->get_issuer(crl), - FALSE, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) - { - if (this->cache->issued_by(this->cache, crl, issuer)) - { - DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", - issuer->get_subject(issuer)); - verified = TRUE; - break; - } - } - enumerator->destroy(enumerator); - - return verified; -} - -/** - * Get the better of two CRLs, and check for usable CRL info - */ -static certificate_t *get_better_crl(private_credential_manager_t *this, - certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, - cert_validation_t *valid, bool cache) -{ - enumerator_t *enumerator; - time_t revocation, 
valid_until; - crl_reason_t reason; - chunk_t serial; - crl_t *crl; - - /* check CRL signature */ - if (!verify_crl(this, cand)) - { - DBG1(DBG_CFG, "crl response verification failed"); - cand->destroy(cand); - return best; - } - - crl = (crl_t*)cand; - enumerator = crl->create_enumerator(crl); - while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) - { - if (chunk_equals(serial, subject->get_serial(subject))) - { - DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", - &revocation, TRUE, crl_reason_names, reason); - *valid = VALIDATION_REVOKED; - enumerator->destroy(enumerator); - DESTROY_IF(best); - return cand; - } - } - enumerator->destroy(enumerator); - - /* select the better of the two CRLs */ - if (best == NULL || cand->is_newer(cand, best)) - { - DESTROY_IF(best); - best = cand; - if (best->get_validity(best, NULL, NULL, &valid_until)) - { - DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE); - *valid = VALIDATION_GOOD; - if (cache) - { /* we cache non-stale crls only, as a stale crls are refetched */ - cache_cert(this, best); - } - } - else - { - DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE); - *valid = VALIDATION_STALE; - } - } - else - { - *valid = VALIDATION_STALE; - cand->destroy(cand); - } - return best; -} - -/** - * validate a x509 certificate using CRL - */ -static cert_validation_t check_crl(private_credential_manager_t *this, - x509_t *subject, x509_t *issuer, - auth_cfg_t *auth) -{ - cert_validation_t valid = VALIDATION_SKIPPED; - identification_t *keyid = NULL; - certificate_t *best = NULL; - certificate_t *current; - public_key_t *public; - enumerator_t *enumerator; - chunk_t chunk; - char *uri = NULL; - - /* derive the authorityKeyIdentifier from the issuer's public key */ - current = &issuer->interface; - public = current->get_public_key(current); - if (public && public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); 
- - /* find a cached crl by authorityKeyIdentifier */ - enumerator = create_cert_enumerator(this, CERT_X509_CRL, KEY_ANY, - keyid, FALSE); - while (enumerator->enumerate(enumerator, ¤t)) - { - current->get_ref(current); - best = get_better_crl(this, current, best, subject, issuer, - &valid, FALSE); - if (best && valid != VALIDATION_STALE) - { - DBG1(DBG_CFG, " using cached crl"); - break; - } - } - enumerator->destroy(enumerator); - - /* fallback to fetching crls from credential sets cdps */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = create_cdp_enumerator(this, CERT_X509_CRL, keyid); - - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_crl(this, uri); - if (current) - { - best = get_better_crl(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - keyid->destroy(keyid); - } - DESTROY_IF(public); - - /* fallback to fetching crls from cdps from subject's certificate */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) - { - enumerator = subject->create_crl_uri_enumerator(subject); - - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_crl(this, uri); - if (current) - { - best = get_better_crl(this, current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); - } - - /* an uri was found, but no result. 
switch validation state to failed */ - if (valid == VALIDATION_SKIPPED && uri) - { - valid = VALIDATION_FAILED; - } - if (auth) - { - if (valid == VALIDATION_SKIPPED) - { /* if we skipped CRL validation, we use the result of OCSP for - * constraint checking */ - auth->add(auth, AUTH_RULE_CRL_VALIDATION, - auth->get(auth, AUTH_RULE_OCSP_VALIDATION)); - } - else - { - auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid); - } - } - DESTROY_IF(best); - return valid; -} - -/** - * check a certificate for optional IP address block constraints - */ -static bool check_ip_addr_block_constraints(x509_t *subject, x509_t *issuer) -{ - bool subject_constraint = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS; - bool issuer_constraint = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS; - bool contained = TRUE; - - enumerator_t *subject_enumerator, *issuer_enumerator; - traffic_selector_t *subject_ts, *issuer_ts; - - if (!subject_constraint && !issuer_constraint) - { - return TRUE; - } - if (!subject_constraint) - { - DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension"); - return FALSE; - } - if (!issuer_constraint) - { - DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension"); - return FALSE; - } - subject_enumerator = subject->create_ipAddrBlock_enumerator(subject); - while (subject_enumerator->enumerate(subject_enumerator, &subject_ts)) - { - contained = FALSE; - - issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer); - while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts)) - { - if (subject_ts->is_contained_in(subject_ts, issuer_ts)) - { - DBG2(DBG_CFG, " subject address block %R is contained in " - "issuer address block %R", subject_ts, issuer_ts); - contained = TRUE; - break; - } - } - issuer_enumerator->destroy(issuer_enumerator); - if (!contained) - { - DBG1(DBG_CFG, "subject address block %R is not contained in any " - "issuer address block", subject_ts); - break; - } - } - subject_enumerator->destroy(subject_enumerator); - 
return contained; -} - -/** - * check a certificate for its lifetime - */ -static bool check_certificate(private_credential_manager_t *this, - certificate_t *subject, certificate_t *issuer, - bool crl, bool ocsp, auth_cfg_t *auth) -{ - time_t not_before, not_after; - - if (!subject->get_validity(subject, NULL, ¬_before, ¬_after)) - { - DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); - return FALSE; - } - if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after)) - { - DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)", - ¬_before, FALSE, ¬_after, FALSE); - return FALSE; - } - if (issuer->get_type(issuer) == CERT_X509 && - subject->get_type(subject) == CERT_X509) - { - if (!check_ip_addr_block_constraints((x509_t*)subject, (x509_t*)issuer)) - { - return FALSE; - } - if (ocsp || crl) - { - DBG1(DBG_CFG, "checking certificate status of \"%Y\"", - subject->get_subject(subject)); - } - if (ocsp) - { - switch (check_ocsp(this, (x509_t*)subject, (x509_t*)issuer, auth)) - { - case VALIDATION_GOOD: - DBG1(DBG_CFG, "certificate status is good"); - return TRUE; - case VALIDATION_REVOKED: - /* has already been logged */ - return FALSE; - case VALIDATION_SKIPPED: - DBG2(DBG_CFG, "ocsp check skipped, no ocsp found"); - break; - case VALIDATION_STALE: - DBG1(DBG_CFG, "ocsp information stale, fallback to crl"); - break; - case VALIDATION_FAILED: - DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); - break; - } - } - if (crl) - { - switch (check_crl(this, (x509_t*)subject, (x509_t*)issuer, auth)) - { - case VALIDATION_GOOD: - DBG1(DBG_CFG, "certificate status is good"); - return TRUE; - case VALIDATION_REVOKED: - /* has already been logged */ - return FALSE; - case VALIDATION_FAILED: - case VALIDATION_SKIPPED: - DBG1(DBG_CFG, "certificate status is not available"); - break; - case VALIDATION_STALE: - DBG1(DBG_CFG, "certificate status is unknown, crl is stale"); - break; - } - } - } - return TRUE; -} - -/** - * 
Get a trusted certificate from a credential set - */ -static certificate_t *get_pretrusted_cert(private_credential_manager_t *this, - key_type_t type, identification_t *id) -{ - certificate_t *subject; - public_key_t *public; - - subject = get_cert(this, CERT_ANY, type, id, TRUE); - if (!subject) - { - return NULL; - } - public = subject->get_public_key(subject); - if (!public) - { - subject->destroy(subject); - return NULL; - } - public->destroy(public); - return subject; -} - -/** - * Get the issuing certificate of a subject certificate - */ -static certificate_t *get_issuer_cert(private_credential_manager_t *this, - certificate_t *subject, bool trusted) -{ - enumerator_t *enumerator; - certificate_t *issuer = NULL, *candidate; - - enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY, - subject->get_issuer(subject), trusted); - while (enumerator->enumerate(enumerator, &candidate)) - { - if (this->cache->issued_by(this->cache, subject, candidate)) - { - issuer = candidate->get_ref(candidate); - break; - } - } - enumerator->destroy(enumerator); - return issuer; -} - -/** - * try to verify the trust chain of subject, return TRUE if trusted - */ -static bool verify_trust_chain(private_credential_manager_t *this, - certificate_t *subject, auth_cfg_t *result, - bool trusted, bool crl, bool ocsp) -{ - certificate_t *current, *issuer; - x509_t *x509; - auth_cfg_t *auth; - int pathlen, pathlen_constraint; - - auth = auth_cfg_create(); - current = subject->get_ref(subject); - - for (pathlen = 0; pathlen <= X509_MAX_PATH_LEN; pathlen++) - { - issuer = get_issuer_cert(this, current, TRUE); - if (issuer) - { - /* accept only self-signed CAs as trust anchor */ - if (this->cache->issued_by(this->cache, issuer, issuer)) - { - auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"", - issuer->get_subject(issuer)); - trusted = TRUE; - } - else - { - auth->add(auth, AUTH_RULE_IM_CERT, 
issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using trusted intermediate ca certificate " - "\"%Y\"", issuer->get_subject(issuer)); - } - } - else - { - issuer = get_issuer_cert(this, current, FALSE); - if (issuer) - { - if (current->equals(current, issuer)) - { - DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted", - current->get_subject(current)); - issuer->destroy(issuer); - break; - } - auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer)); - DBG1(DBG_CFG, " using untrusted intermediate certificate " - "\"%Y\"", issuer->get_subject(issuer)); - } - else - { - DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"", - current->get_subject(current)); - break; - } - } - if (!check_certificate(this, current, issuer, crl, ocsp, - current == subject ? auth : NULL)) - { - trusted = FALSE; - issuer->destroy(issuer); - break; - } - - /* check path length constraint */ - x509 = (x509_t*)issuer; - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && - pathlen > pathlen_constraint) - { - DBG1(DBG_CFG, "path length of %d violates constraint of %d", - pathlen, pathlen_constraint); - trusted = FALSE; - issuer->destroy(issuer); - break; - } - current->destroy(current); - current = issuer; - if (trusted) - { - DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d", - pathlen); - break; - } - } - current->destroy(current); - if (pathlen > X509_MAX_PATH_LEN) - { - DBG1(DBG_CFG, "maximum path length of %d exceeded", X509_MAX_PATH_LEN); - } - if (trusted) - { - result->merge(result, auth, FALSE); - } - auth->destroy(auth); - return trusted; -} - -/** - * enumerator for trusted certificates - */ -typedef struct { - /** implements enumerator_t interface */ - enumerator_t public; - /** enumerator over candidate peer certificates */ - enumerator_t *candidates; - /** reference to the credential_manager */ - private_credential_manager_t *this; - /** type of the requested key */ - key_type_t type; - 
/** identity the requested key belongs to */ - identification_t *id; - /** TRUE to do CRL checking */ - bool crl; - /** TRUE to do OCSP checking */ - bool ocsp; - /** pretrusted certificate we have served at first invocation */ - certificate_t *pretrusted; - /** currently enumerating auth config */ - auth_cfg_t *auth; -} trusted_enumerator_t; - -/** - * Implements trusted_enumerator_t.enumerate - */ -static bool trusted_enumerate(trusted_enumerator_t *this, - certificate_t **cert, auth_cfg_t **auth) -{ - certificate_t *current; - - DESTROY_IF(this->auth); - this->auth = auth_cfg_create(); - - if (!this->candidates) - { - /* first invocation, build enumerator for next one */ - this->candidates = create_cert_enumerator(this->this, CERT_ANY, - this->type, this->id, FALSE); - /* check if we have a trusted certificate for that peer */ - this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id); - if (this->pretrusted) - { - /* if we find a trusted self signed certificate, we just accept it. 
- * However, in order to fulfill authorization rules, we try to build - * the trust chain if it is not self signed */ - if (this->this->cache->issued_by(this->this->cache, - this->pretrusted, this->pretrusted) || - verify_trust_chain(this->this, this->pretrusted, this->auth, - TRUE, this->crl, this->ocsp)) - { - this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, - this->pretrusted->get_ref(this->pretrusted)); - DBG1(DBG_CFG, " using trusted certificate \"%Y\"", - this->pretrusted->get_subject(this->pretrusted)); - *cert = this->pretrusted; - if (auth) - { - *auth = this->auth; - } - return TRUE; - } - } - } - /* try to verify the trust chain for each certificate found */ - while (this->candidates->enumerate(this->candidates, ¤t)) - { - if (this->pretrusted && - this->pretrusted->equals(this->pretrusted, current)) - { /* skip pretrusted certificate we already served */ - continue; - } - - DBG1(DBG_CFG, " using certificate \"%Y\"", - current->get_subject(current)); - if (verify_trust_chain(this->this, current, this->auth, FALSE, - this->crl, this->ocsp)) - { - *cert = current; - if (auth) - { - *auth = this->auth; - } - return TRUE; - } - } - return FALSE; -} - -/** - * Implements trusted_enumerator_t.destroy - */ -static void trusted_destroy(trusted_enumerator_t *this) -{ - DESTROY_IF(this->pretrusted); - DESTROY_IF(this->auth); - DESTROY_IF(this->candidates); - free(this); -} - -/** - * create an enumerator over trusted certificates and their trustchain - */ -static enumerator_t *create_trusted_enumerator(private_credential_manager_t *this, - key_type_t type, identification_t *id, bool crl, bool ocsp) -{ - trusted_enumerator_t *enumerator = malloc_thing(trusted_enumerator_t); - - enumerator->public.enumerate = (void*)trusted_enumerate; - enumerator->public.destroy = (void*)trusted_destroy; - - enumerator->candidates = NULL; - enumerator->this = this; - enumerator->type = type; - enumerator->id = id; - enumerator->crl = crl; - enumerator->ocsp = ocsp; - 
enumerator->pretrusted = NULL; - enumerator->auth = NULL; - - return &enumerator->public; -} - -/** - * enumerator for public keys - */ -typedef struct { - /** implements enumerator_t interface */ - enumerator_t public; - /** enumerator over candidate peer certificates */ - enumerator_t *inner; - /** reference to the credential_manager */ - private_credential_manager_t *this; - /** currently enumerating key */ - public_key_t *current; - /** credset wrapper around auth config */ - auth_cfg_wrapper_t *wrapper; -} public_enumerator_t; - -/** - * Implements public_enumerator_t.enumerate - */ -static bool public_enumerate(public_enumerator_t *this, - public_key_t **key, auth_cfg_t **auth) -{ - certificate_t *cert; - - while (this->inner->enumerate(this->inner, &cert, auth)) - { - DESTROY_IF(this->current); - this->current = cert->get_public_key(cert); - if (this->current) - { - *key = this->current; - return TRUE; - } - } - return FALSE; -} - -/** - * Implements public_enumerator_t.destroy - */ -static void public_destroy(public_enumerator_t *this) -{ - DESTROY_IF(this->current); - this->inner->destroy(this->inner); - if (this->wrapper) - { - remove_local_set(this->this, &this->wrapper->set); - this->wrapper->destroy(this->wrapper); - } - this->this->lock->unlock(this->this->lock); - - /* check for delayed certificate cache queue */ - cache_queue(this->this); - free(this); -} - -/** - * Implementation of credential_manager_t.create_public_enumerator. 
- */ -static enumerator_t* create_public_enumerator(private_credential_manager_t *this, - key_type_t type, identification_t *id, auth_cfg_t *auth) -{ - public_enumerator_t *enumerator = malloc_thing(public_enumerator_t); - - enumerator->public.enumerate = (void*)public_enumerate; - enumerator->public.destroy = (void*)public_destroy; - enumerator->inner = create_trusted_enumerator(this, type, id, TRUE, TRUE); - enumerator->this = this; - enumerator->current = NULL; - enumerator->wrapper = NULL; - if (auth) - { - enumerator->wrapper = auth_cfg_wrapper_create(auth); - add_local_set(this, &enumerator->wrapper->set); - } - this->lock->read_lock(this->lock); - return &enumerator->public; -} - -/** - * Check if a certificate's keyid is contained in the auth helper - */ -static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert) -{ - enumerator_t *enumerator; - identification_t *value; - auth_rule_t type; - bool found = FALSE; - - enumerator = auth->create_enumerator(auth); - while (enumerator->enumerate(enumerator, &type, &value)) - { - if (type == AUTH_RULE_CA_CERT && - cert->equals(cert, (certificate_t*)value)) - { - found = TRUE; - break; - } - } - enumerator->destroy(enumerator); - return found; -} - -/** - * build a trustchain from subject up to a trust anchor in trusted - */ -static auth_cfg_t *build_trustchain(private_credential_manager_t *this, - certificate_t *subject, auth_cfg_t *auth) -{ - certificate_t *issuer, *current; - auth_cfg_t *trustchain; - int pathlen = 0; - - trustchain = auth_cfg_create(); - - current = auth->get(auth, AUTH_RULE_CA_CERT); - if (!current) - { - /* no trust anchor specified, return this cert only */ - trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, - subject->get_ref(subject)); - return trustchain; - } - current = subject->get_ref(subject); - while (TRUE) - { - if (auth_contains_cacert(auth, current)) - { - trustchain->add(trustchain, AUTH_RULE_CA_CERT, current); - return trustchain; - } - if (subject == current) - { 
- trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current); - } - else - { - trustchain->add(trustchain, AUTH_RULE_IM_CERT, current); - } - issuer = get_issuer_cert(this, current, FALSE); - if (!issuer || issuer->equals(issuer, current) || - pathlen > X509_MAX_PATH_LEN) - { - DESTROY_IF(issuer); - break; - } - current = issuer; - pathlen++; - } - trustchain->destroy(trustchain); - return NULL; -} - -/** - * find a private key of a give certificate - */ -static private_key_t *get_private_by_cert(private_credential_manager_t *this, - certificate_t *cert, key_type_t type) -{ - private_key_t *private = NULL; - identification_t *keyid; - chunk_t chunk; - public_key_t *public; - - public = cert->get_public_key(cert); - if (public) - { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) - { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); - private = get_private_by_keyid(this, type, keyid); - keyid->destroy(keyid); - } - public->destroy(public); - } - return private; -} - -/** - * Implementation of credential_manager_t.get_private. 
- */ -static private_key_t *get_private(private_credential_manager_t *this, - key_type_t type, identification_t *id, - auth_cfg_t *auth) -{ - enumerator_t *enumerator; - certificate_t *cert; - private_key_t *private = NULL; - auth_cfg_t *trustchain; - - /* check if this is a lookup by key ID, and do it if so */ - if (id && id->get_type(id) == ID_KEY_ID) - { - private = get_private_by_keyid(this, type, id); - if (private) - { - return private; - } - } - - /* if a specific certificate is preferred, check for a matching key */ - cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); - if (cert) - { - private = get_private_by_cert(this, cert, type); - if (private) - { - trustchain = build_trustchain(this, cert, auth); - if (trustchain) - { - auth->merge(auth, trustchain, FALSE); - trustchain->destroy(trustchain); - } - return private; - } - } - - /* try to build a trust chain for each certificate found */ - enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); - while (enumerator->enumerate(enumerator, &cert)) - { - private = get_private_by_cert(this, cert, type); - if (private) - { - trustchain = build_trustchain(this, cert, auth); - if (trustchain) - { - auth->merge(auth, trustchain, FALSE); - trustchain->destroy(trustchain); - break; - } - private->destroy(private); - private = NULL; - } - } - enumerator->destroy(enumerator); - - /* if no valid trustchain was found, fall back to the first usable cert */ - if (!private) - { - enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE); - while (enumerator->enumerate(enumerator, &cert)) - { - private = get_private_by_cert(this, cert, type); - if (private) - { - auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert)); - break; - } - } - enumerator->destroy(enumerator); - } - return private; -} - -/** - * Implementation of credential_manager_t.flush_cache. 
- */ -static void flush_cache(private_credential_manager_t *this, - certificate_type_t type) -{ - this->cache->flush(this->cache, type); -} - -/** - * Implementation of credential_manager_t.add_set. - */ -static void add_set(private_credential_manager_t *this, - credential_set_t *set) -{ - this->lock->write_lock(this->lock); - this->sets->insert_last(this->sets, set); - this->lock->unlock(this->lock); -} - -/** - * Implementation of credential_manager_t.remove_set. - */ -static void remove_set(private_credential_manager_t *this, credential_set_t *set) -{ - this->lock->write_lock(this->lock); - this->sets->remove(this->sets, set, NULL); - this->lock->unlock(this->lock); -} - -/** - * Implementation of credential_manager_t.destroy - */ -static void destroy(private_credential_manager_t *this) -{ - cache_queue(this); - this->cache_queue->destroy(this->cache_queue); - this->sets->remove(this->sets, this->cache, NULL); - this->sets->destroy(this->sets); - this->local_sets->destroy(this->local_sets); - this->cache->destroy(this->cache); - this->lock->destroy(this->lock); - this->queue_mutex->destroy(this->queue_mutex); - free(this); -} - -/* - * see header file - */ -credential_manager_t *credential_manager_create() -{ - private_credential_manager_t *this = malloc_thing(private_credential_manager_t); - - this->public.create_cert_enumerator = (enumerator_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *id,bool))create_cert_enumerator; - this->public.create_shared_enumerator = (enumerator_t *(*)(credential_manager_t *this, shared_key_type_t type,identification_t *me, identification_t *other))create_shared_enumerator; - this->public.create_cdp_enumerator = (enumerator_t *(*)(credential_manager_t*, certificate_type_t type, identification_t *id))create_cdp_enumerator; - this->public.get_cert = (certificate_t *(*)(credential_manager_t *this,certificate_type_t cert, key_type_t key,identification_t *, bool))get_cert; - 
this->public.get_shared = (shared_key_t *(*)(credential_manager_t *this,shared_key_type_t type,identification_t *me, identification_t *other))get_shared; - this->public.get_private = (private_key_t*(*)(credential_manager_t*, key_type_t type, identification_t *, auth_cfg_t*))get_private; - this->public.create_public_enumerator = (enumerator_t*(*)(credential_manager_t*, key_type_t type, identification_t *id, auth_cfg_t *aut))create_public_enumerator; - this->public.flush_cache = (void(*)(credential_manager_t*, certificate_type_t type))flush_cache; - this->public.cache_cert = (void(*)(credential_manager_t*, certificate_t *cert))cache_cert; - this->public.add_set = (void(*)(credential_manager_t*, credential_set_t *set))add_set; - this->public.remove_set = (void(*)(credential_manager_t*, credential_set_t *set))remove_set; - this->public.destroy = (void(*)(credential_manager_t*))destroy; - - this->sets = linked_list_create(); - this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy); - this->cache = cert_cache_create(); - this->cache_queue = linked_list_create(); - this->sets->insert_first(this->sets, this->cache); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - this->queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT); - - return &this->public; -} - diff --git a/src/libcharon/credentials/credential_manager.h b/src/libcharon/credentials/credential_manager.h deleted file mode 100644 index 0448da992..000000000 --- a/src/libcharon/credentials/credential_manager.h +++ /dev/null 
@@ -1,203 +0,0 @@
-/*
- * Copyright (C) 2007-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup credential_manager credential_manager
- * @{ @ingroup ccredentials
- */
-
-#ifndef CREDENTIAL_MANAGER_H_
-#define CREDENTIAL_MANAGER_H_
-
-#include
-#include
-#include
-#include
-#include
-#include
-#include
-
-typedef struct credential_manager_t credential_manager_t;
-
-/**
- * Manages credentials using credential_sets.
- *
- * The credential manager is the entry point of the credential framework. It
- * uses so called "sets" to access credentials in a modular fashion, these
- * are implemented through the credential_set_t interface.
- * The manager additionally does trust chain verification and trust status
- * chaching. A set may call the managers methods if it needs credentials itself,
- * the manager uses recursive locking.
- * - * @verbatim - - +-------+ +----------------+ - | A | | | +------------------+ - | u | -----> | | ------> | +------------------+ - | t | | credential- | | | +------------------+ - | h | -----> | manager | ------> +--| | credential- | => IPC - | e | | | +--| sets | - | n | +--> | | ------> +------------------+ - | t | | | | | - | i | | | | | - | c | | +----------------+ | - | a | | | - | t | +----------------------------------------------+ - | o | may be recursive - | r | - +-------+ - - @endverbatim - * - * The credential manager uses rwlocks for performance reasons, credential - * sets must be fully thread save. - */ -struct credential_manager_t { - - /** - * Create an enumerator over all certificates. - * - * @param cert kind of certificate - * @param key kind of key in certificate - * @param id subject this certificate belongs to - * @param trusted TRUE to list trusted certificates only - * @return enumerator over the certificates - */ - enumerator_t *(*create_cert_enumerator)(credential_manager_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted); - /** - * Create an enumerator over all shared keys. - * - * The enumerator enumerates over: - * shared_key_t*, id_match_t me, id_match_t other - * But must accepts values for the id_matches. - * - * @param type kind of requested shared key - * @param first first subject between key is shared - * @param second second subject between key is shared - * @return enumerator over shared keys - */ - enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, - shared_key_type_t type, - identification_t *first, identification_t *second); - /** - * Create an enumerator over all Certificate Distribution Points. 
- *
- * @param type kind of certificate the point distributes
- * @param id identification of the distributed certificate
- * @return enumerator of CDPs as char*
- */
- enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
- certificate_type_t type, identification_t *id);
- /**
- * Get a trusted or untrusted certificate.
- *
- * @param cert kind of certificate
- * @param key kind of key in certificate
- * @param id subject this certificate belongs to
- * @param trusted TRUE to get a trusted certificate only
- * @return certificate, if found, NULL otherwise
- */
- certificate_t *(*get_cert)(credential_manager_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted);
- /**
- * Get the best matching shared key for two IDs.
- *
- * @param type kind of requested shared key
- * @param me own identity
- * @param other peers identity
- * @return shared_key_t, NULL if none found
- */
- shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
- identification_t *me, identification_t *other);
- /**
- * Get a private key to create a signature.
- *
- * The get_private() method gets a secret private key identified by either
- * the keyid itself or an id the key belongs to.
- * The auth parameter contains additional information, such as receipients
- * trusted CA certs. Auth gets filled with subject and CA certificates
- * needed to validate a created signature.
- *
- * @param type type of the key to get
- * @param id identification the key belongs to
- * @param auth auth config, including trusted CA certificates
- * @return private_key_t, NULL if none found
- */
- private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
- identification_t *id, auth_cfg_t *auth);
-
- /**
- * Create an enumerator over trusted public keys.
- *
- * This method gets a an enumerator over trusted public keys to verify a
- * signature created by id. The auth parameter contains additional
- * authentication infos, e.g. peer and intermediate certificates.
- * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
- * where the auth config helper contains rules for constraint checks.
- *
- * @param type type of the key to get
- * @param id owner of the key, signer of the signature
- * @param auth authentication infos
- * @return enumerator
- */
- enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
- key_type_t type, identification_t *id, auth_cfg_t *auth);
-
- /**
- * Cache a certificate by invoking cache_cert() on all registerd sets.
- *
- * @param cert certificate to cache
- */
- void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
-
- /**
- * Flush the certificate cache.
- *
- * Only the managers local cache is flushed, but not the sets cache filled
- * by the cache_cert() method.
- *
- * @param type type of certificate to flush, or CERT_ANY
- */
- void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
-
- /**
- * Register a credential set to the manager.
- *
- * @param set set to register
- */
- void (*add_set)(credential_manager_t *this, credential_set_t *set);
-
- /**
- * Unregister a credential set from the manager.
- *
- * @param set set to unregister
- */
- void (*remove_set)(credential_manager_t *this, credential_set_t *set);
-
- /**
- * Destroy a credential_manager instance.
- */
- void (*destroy)(credential_manager_t *this);
-};
-
-/**
- * Create a credential_manager instance.
- */
-credential_manager_t *credential_manager_create();
-
-#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/libcharon/credentials/credential_set.h b/src/libcharon/credentials/credential_set.h
deleted file mode 100644
index 274eb3feb..000000000
--- a/src/libcharon/credentials/credential_set.h
+++ /dev/null
@@ -1,108 +0,0 @@
-/*
- * Copyright (C) 2007 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup credential_set credential_set
- * @{ @ingroup ccredentials
- */
-
-#ifndef CREDENTIAL_SET_H_
-#define CREDENTIAL_SET_H_
-
-#include
-#include
-#include
-
-typedef struct credential_set_t credential_set_t;
-
-/**
- * A set of credentials.
- *
- * Contains private keys, shared keys and different kinds of certificates.
- * Enumerators are used because queries might return multiple matches.
- * Filter parameters restrict enumeration over specific items only.
- * See credential_manager_t for an overview of the credential framework.
- *
- * A credential set enumerator may not block the credential set, i.e. multiple
- * threads must be able to hold multiple enumerators, as the credential manager
- * is higly parallelized. The best way to achieve this is by using shared
- * read locks for the enumerators only. Otherwiese deadlocks will occur.
- * The writing cache_cert() routine is called by the manager only if no
- * enumerator is alive, so it is save to use a write lock there.
- */
-struct credential_set_t {
-
- /**
- * Create an enumerator over private keys (private_key_t).
- *
- * The id is either a key identifier of the requested key, or an identity
- * of the key owner.
- *
- * @param type type of requested private key
- * @param id key identifier/owner
- * @return enumerator over private_key_t's.
- */
- enumerator_t *(*create_private_enumerator)(credential_set_t *this,
- key_type_t type, identification_t *id);
- /**
- * Create an enumerator over certificates (certificate_t).
- *
- * @param cert kind of certificate
- * @param key kind of key in certificate
- * @param id identity (subject) this certificate belongs to
- * @param trusted whether the certificate must be trustworthy
- * @return enumerator as described above
- */
- enumerator_t *(*create_cert_enumerator)(credential_set_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted);
- /**
- * Create an enumerator over shared keys (shared_key_t).
- *
- * The enumerator enumerates over:
- * shared_key_t*, id_match_t me, id_match_t other
- * But must accept NULL values for the id_matches.
- *
- * @param type kind of requested shared key
- * @param me own identity
- * @param other other identity who owns that secret
- * @return enumerator as described above
- */
- enumerator_t *(*create_shared_enumerator)(credential_set_t *this,
- shared_key_type_t type,
- identification_t *me, identification_t *other);
-
- /**
- * Create an enumerator over certificate distribution points.
- *
- * @param type type of the certificate to get a CDP
- * @param id identification of the distributed certificate
- * @return an enumerator over CDPs as char*
- */
- enumerator_t *(*create_cdp_enumerator)(credential_set_t *this,
- certificate_type_t type, identification_t *id);
-
- /**
- * Cache a certificate in the credential set.
- *
- * The caching policy is implementation dependent, the sets may cache the
- * certificate in-memory, persistent on disk or not at all.
- *
- * @param cert certificate to cache
- */
- void (*cache_cert)(credential_set_t *this, certificate_t *cert);
-};
-
-#endif /** CREDENTIAL_SET_H_ @}*/
diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.c b/src/libcharon/credentials/sets/auth_cfg_wrapper.c
deleted file mode 100644
index 82e33d283..000000000
--- a/src/libcharon/credentials/sets/auth_cfg_wrapper.c
+++ /dev/null
@@ -1,223 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include
-
-#include "auth_cfg_wrapper.h"
-
-typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t;
-
-/**
- * private data of auth_cfg_wrapper
- */
-struct private_auth_cfg_wrapper_t {
-
- /**
- * public functions
- */
- auth_cfg_wrapper_t public;
-
- /**
- * wrapped auth info
- */
- auth_cfg_t *auth;
-};
-
-/**
- * enumerator for auth_cfg_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
- /** implements enumerator_t */
- enumerator_t public;
- /** inner enumerator from auth_cfg */
- enumerator_t *inner;
- /** wrapped auth round */
- auth_cfg_t *auth;
- /** enumerated cert type */
- certificate_type_t cert;
- /** enumerated key type */
- key_type_t key;
- /** enumerated id */
- identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * Tries to fetch a certificate that was supplied as "Hash and URL"
- * (replaces rule type and value in place).
- */
-static bool fetch_cert(wrapper_enumerator_t *enumerator,
- auth_rule_t *rule, void **value)
-{
- char *url = (char*)*value;
- if (!url)
- {
- /* fetching the certificate previously failed */
- return FALSE;
- }
-
- chunk_t data;
- certificate_t *cert;
-
- DBG1(DBG_CFG, " fetching certificate from '%s' ...", url);
- if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS)
- {
- DBG1(DBG_CFG, " fetching certificate failed");
- /* we set the item to NULL, so we can skip it */
- enumerator->auth->replace(enumerator->auth, enumerator->inner,
- *rule, NULL);
- return FALSE;
- }
-
- cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
- BUILD_BLOB_ASN1_DER, data, BUILD_END);
- free(data.ptr);
-
- if (!cert)
- {
- DBG1(DBG_CFG, " parsing fetched certificate failed");
- /* we set the item to NULL, so we can skip it */
- enumerator->auth->replace(enumerator->auth, enumerator->inner,
- *rule, NULL);
- return FALSE;
- }
-
- DBG1(DBG_CFG, " fetched certificate \"%Y\"", cert->get_subject(cert));
- charon->credentials->cache_cert(charon->credentials, cert);
-
- if (*rule == AUTH_HELPER_IM_HASH_URL)
- {
- *rule = AUTH_HELPER_IM_CERT;
- }
- else
- {
- *rule = AUTH_HELPER_SUBJECT_CERT;
- }
- *value = cert;
- enumerator->auth->replace(enumerator->auth, enumerator->inner,
- *rule, cert->get_ref(cert));
- return TRUE;
-}
-
-/**
- * enumerate function for wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
- auth_rule_t rule;
- certificate_t *current;
- public_key_t *public;
-
- while (this->inner->enumerate(this->inner, &rule, ¤t))
- {
- if (rule == AUTH_HELPER_IM_HASH_URL ||
- rule == AUTH_HELPER_SUBJECT_HASH_URL)
- { /* on-demand fetching of hash and url certificates */
- if (!fetch_cert(this, &rule, (void**)¤t))
- {
- continue;
- }
- }
- else if (rule != AUTH_HELPER_SUBJECT_CERT &&
- rule != AUTH_HELPER_IM_CERT)
- { /* handle only HELPER certificates */
- continue;
- }
- if (this->cert != CERT_ANY && this->cert != current->get_type(current))
- { /* CERT type requested, but does not match */
- continue;
- }
- public = current->get_public_key(current);
- if (this->key != KEY_ANY && !public)
- { /* key type requested, but no public key */
- DESTROY_IF(public);
- continue;
- }
- if (this->key != KEY_ANY && public && this->key != public->get_type(public))
- { /* key type requested, but public key has another type */
- DESTROY_IF(public);
- continue;
- }
- DESTROY_IF(public);
- if (this->id && !current->has_subject(current, this->id))
- { /* subject requested, but does not match */
- continue;
- }
- *cert = current;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void wrapper_enumerator_destroy(wrapper_enumerator_t *this)
-{
- this->inner->destroy(this->inner);
- free(this);
-}
-
-/**
- * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted)
-{
- wrapper_enumerator_t *enumerator;
-
- if (trusted)
- {
- return NULL;
- }
- enumerator = malloc_thing(wrapper_enumerator_t);
- enumerator->auth = this->auth;
- enumerator->cert = cert;
- enumerator->key = key;
- enumerator->id = id;
- enumerator->inner = this->auth->create_enumerator(this->auth);
- enumerator->public.enumerate = (void*)enumerate;
- enumerator->public.destroy = (void*)wrapper_enumerator_destroy;
- return &enumerator->public;
-}
-
-/**
- * Implementation of auth_cfg_wrapper_t.destroy
- */
-static void destroy(private_auth_cfg_wrapper_t *this)
-{
- free(this);
-}
-
-/*
- * see header file
- */
-auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth)
-{
- private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t);
-
- this->public.set.create_private_enumerator = (void*)return_null;
- this->public.set.create_cert_enumerator = (void*)create_enumerator;
- this->public.set.create_shared_enumerator = (void*)return_null;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)nop;
- this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy;
-
- this->auth = auth;
-
- return &this->public;
-}
-
diff --git a/src/libcharon/credentials/sets/auth_cfg_wrapper.h b/src/libcharon/credentials/sets/auth_cfg_wrapper.h
deleted file mode 100644
index 7653fcdbf..000000000
--- a/src/libcharon/credentials/sets/auth_cfg_wrapper.h
+++ /dev/null
@@ -1,53 +0,0 @@
-/*
- * Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup auth_cfg_wrapper auth_cfg_wrapper
- * @{ @ingroup sets
- */
-
-#ifndef AUTH_CFG_WRAPPER_H_
-#define AUTH_CFG_WRAPPER_H_
-
-#include
-#include
-
-typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t;
-
-/**
- * A wrapper around auth_cfg_t to handle it as a credential set.
- */
-struct auth_cfg_wrapper_t {
-
- /**
- * implements credential_set_t
- */
- credential_set_t set;
-
- /**
- * Destroy a auth_cfg_wrapper instance.
- */
- void (*destroy)(auth_cfg_wrapper_t *this);
-};
-
-/**
- * Create a auth_cfg_wrapper instance.
- *
- * @param auth the wrapped auth info
- * @return wrapper around auth
- */
-auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth);
-
-#endif /** AUTH_CFG_WRAPPER_H_ @}*/
diff --git a/src/libcharon/credentials/sets/cert_cache.c b/src/libcharon/credentials/sets/cert_cache.c
deleted file mode 100644
index 176accce2..000000000
--- a/src/libcharon/credentials/sets/cert_cache.c
+++ /dev/null
@@ -1,390 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "cert_cache.h"
-
-#include
-#include
-
-#include
-#include
-#include
-
-/** cache size, a power of 2 for fast modulo */
-#define CACHE_SIZE 32
-
-/** attempts to acquire a cache lock */
-#define REPLACE_TRIES 5
-
-typedef struct private_cert_cache_t private_cert_cache_t;
-typedef struct relation_t relation_t;
-
-/**
- * A trusted relation between subject and issuer
- */
-struct relation_t {
-
- /**
- * subject of this relation
- */
- certificate_t *subject;
-
- /**
- * issuer of this relation
- */
- certificate_t *issuer;
-
- /**
- * Cache hits
- */
- u_int hits;
-
- /**
- * Lock for this relation
- */
- rwlock_t *lock;
-};
-
-/**
- * private data of cert_cache
- */
-struct private_cert_cache_t {
-
- /**
- * public functions
- */
- cert_cache_t public;
-
- /**
- * array of trusted subject-issuer relations
- */
- relation_t relations[CACHE_SIZE];
-};
-
-/**
- * Cache relation in a free slot/replace an other
- */
-static void cache(private_cert_cache_t *this,
- certificate_t *subject, certificate_t *issuer)
-{
- relation_t *rel;
- int i, offset, try;
- u_int total_hits = 0;
-
- /* check for a unused relation slot first */
- for (i = 0; i < CACHE_SIZE; i++)
- {
- rel = &this->relations[i];
-
- if (!rel->subject && rel->lock->try_write_lock(rel->lock))
- {
- /* double-check having lock */
- if (!rel->subject)
- {
- rel->subject = subject->get_ref(subject);
- rel->issuer = issuer->get_ref(issuer);
- return rel->lock->unlock(rel->lock);
- }
- rel->lock->unlock(rel->lock);
- }
- total_hits += rel->hits;
- }
- /* run several attempts to replace a random slot, never block. */
- for (try = 0; try < REPLACE_TRIES; try++)
- {
- /* replace a random relation */
- offset = random();
- for (i = 0; i < CACHE_SIZE; i++)
- {
- rel = &this->relations[(i + offset) % CACHE_SIZE];
-
- if (rel->hits > total_hits / CACHE_SIZE)
- { /* skip often used slots */
- continue;
- }
- if (rel->lock->try_write_lock(rel->lock))
- {
- if (rel->subject)
- {
- rel->subject->destroy(rel->subject);
- rel->issuer->destroy(rel->issuer);
- }
- rel->subject = subject->get_ref(subject);
- rel->issuer = issuer->get_ref(issuer);
- rel->hits = 0;
- return rel->lock->unlock(rel->lock);
- }
- }
- /* give other threads a chance to release locks */
- sched_yield();
- }
-}
-
-/**
- * Implementation of cert_cache_t.issued_by.
- */
-static bool issued_by(private_cert_cache_t *this,
- certificate_t *subject, certificate_t *issuer)
-{
- relation_t *found = NULL, *current;
- int i;
-
- for (i = 0; i < CACHE_SIZE; i++)
- {
- current = &this->relations[i];
-
- current->lock->read_lock(current->lock);
- if (current->subject)
- {
- /* check for equal issuer */
- if (issuer->equals(issuer, current->issuer))
- {
- /* reuse issuer instance in cache() */
- issuer = current->issuer;
- if (subject->equals(subject, current->subject))
- {
- /* write hit counter is not locked, but not critical */
- current->hits++;
- found = current;
- }
- }
- }
- current->lock->unlock(current->lock);
- if (found)
- {
- return TRUE;
- }
- }
- /* no cache hit, check and cache signature */
- if (subject->issued_by(subject, issuer))
- {
- cache(this, subject, issuer);
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * certificate enumerator implemenation
- */
-typedef struct {
- /** implements enumerator_t interface */
- enumerator_t public;
- /** type of requested certificate */
- certificate_type_t cert;
- /** type of requested key */
- key_type_t key;
- /** ID to get a cert for */
- identification_t *id;
- /** cache */
- relation_t *relations;
- /** current position in array cache */
- int index;
- /** currently locked relation */
- int locked;
-} cert_enumerator_t;
-
-/**
- * filter function for certs enumerator
- */
-static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
-{
- public_key_t *public;
- relation_t *rel;
-
- if (this->locked >= 0)
- {
- rel = &this->relations[this->locked];
- rel->lock->unlock(rel->lock);
- this->locked = -1;
- }
-
- while (++this->index < CACHE_SIZE)
- {
- rel = &this->relations[this->index];
- rel->lock->read_lock(rel->lock);
- this->locked = this->index;
- if (rel->subject)
- {
- /* CRL lookup is done using issuer/authkeyidentifier */
- if (this->key == KEY_ANY && this->id &&
- (this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
- rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
- rel->subject->has_issuer(rel->subject, this->id))
- {
- *out = rel->subject;
- return TRUE;
- }
- if ((this->cert == CERT_ANY ||
- rel->subject->get_type(rel->subject) == this->cert) &&
- (!this->id || rel->subject->has_subject(rel->subject, this->id)))
- {
- if (this->key == KEY_ANY)
- {
- *out = rel->subject;
- return TRUE;
- }
- public = rel->subject->get_public_key(rel->subject);
- if (public)
- {
- if (public->get_type(public) == this->key)
- {
- public->destroy(public);
- *out = rel->subject;
- return TRUE;
- }
- public->destroy(public);
- }
- }
- }
- this->locked = -1;
- rel->lock->unlock(rel->lock);
- }
- return FALSE;
-}
-
-/**
- * clean up enumeration data
- */
-static void cert_enumerator_destroy(cert_enumerator_t *this)
-{
- relation_t *rel;
-
- if (this->locked >= 0)
- {
- rel = &this->relations[this->locked];
- rel->lock->unlock(rel->lock);
- }
- free(this);
-}
-
-/**
- * implementation of credential_set_t.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_cert_cache_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted)
-{
- cert_enumerator_t *enumerator;
-
- if (trusted)
- {
- return NULL;
- }
- enumerator = malloc_thing(cert_enumerator_t);
- enumerator->public.enumerate = (void*)cert_enumerate;
- enumerator->public.destroy = (void*)cert_enumerator_destroy;
- enumerator->cert = cert;
- enumerator->key = key;
- enumerator->id = id;
- enumerator->relations = this->relations;
- enumerator->index = -1;
- enumerator->locked = -1;
-
- return &enumerator->public;
-}
-
-/**
- * Implementation of cert_cache_t.flush.
- */
-static void flush(private_cert_cache_t *this, certificate_type_t type)
-{
- relation_t *rel;
- int i;
-
- for (i = 0; i < CACHE_SIZE; i++)
- {
- rel = &this->relations[i];
- if (!rel->subject)
- {
- continue;
- }
- /* check with cheap read lock first */
- if (type != CERT_ANY)
- {
- rel->lock->read_lock(rel->lock);
- if (!rel->subject || type != rel->subject->get_type(rel->subject))
- {
- rel->lock->unlock(rel->lock);
- continue;
- }
- rel->lock->unlock(rel->lock);
- }
- /* double check in write lock */
- rel->lock->write_lock(rel->lock);
- if (rel->subject)
- {
- if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
- {
- rel->subject->destroy(rel->subject);
- rel->issuer->destroy(rel->issuer);
- rel->subject = NULL;
- rel->issuer = NULL;
- rel->hits = 0;
- }
- }
- rel->lock->unlock(rel->lock);
- }
-}
-
-/**
- * Implementation of cert_cache_t.destroy
- */
-static void destroy(private_cert_cache_t *this)
-{
- relation_t *rel;
- int i;
-
- for (i = 0; i < CACHE_SIZE; i++)
- {
- rel = &this->relations[i];
- if (rel->subject)
- {
- rel->subject->destroy(rel->subject);
- rel->issuer->destroy(rel->issuer);
- }
- rel->lock->destroy(rel->lock);
- }
- free(this);
-}
-
-/*
- * see header file
- */
-cert_cache_t *cert_cache_create()
-{
- private_cert_cache_t *this;
- int i;
-
- this = malloc_thing(private_cert_cache_t);
- this->public.set.create_private_enumerator = (void*)return_null;
- this->public.set.create_cert_enumerator = (void*)create_enumerator;
- this->public.set.create_shared_enumerator = (void*)return_null;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)nop;
- this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
- this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
- this->public.destroy = (void(*)(cert_cache_t*))destroy;
-
- for (i = 0; i < CACHE_SIZE; i++)
- {
- this->relations[i].subject = NULL;
- this->relations[i].issuer = NULL;
- this->relations[i].hits = 0;
- this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
- }
- return &this->public;
-}
-
diff --git a/src/libcharon/credentials/sets/cert_cache.h b/src/libcharon/credentials/sets/cert_cache.h
deleted file mode 100644
index d2721866e..000000000
--- a/src/libcharon/credentials/sets/cert_cache.h
+++ /dev/null
@@ -1,71 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-/**
- * @defgroup cert_cache cert_cache
- * @{ @ingroup sets
- */
-
-#ifndef CERT_CACHE_H_
-#define CERT_CACHE_H_
-
-#include
-
-typedef struct cert_cache_t cert_cache_t;
-
-/**
- * Certificate signature verification and certificate cache.
- *
- * This cache serves all certificates seen in its issued_by method
- * and serves them as untrusted through the credential set interface. Further,
- * it caches valid subject-issuer relationships to speed up the issued_by
- * method.
- */
-struct cert_cache_t {
-
- /**
- * Implements credential_set_t.
- */
- credential_set_t set;
-
- /**
- * Caching wrapper around certificate_t.issued_by.
- *
- * @param subject certificate to verify
- * @param issuer issuing certificate to verify subject
- * @return TRUE if subject issued by issuer
- */
- bool (*issued_by)(cert_cache_t *this,
- certificate_t *subject, certificate_t *issuer);
-
- /**
- * Flush the certificate cache.
- *
- * @param type type of certificate to flush, or CERT_ANY
- */
- void (*flush)(cert_cache_t *this, certificate_type_t type);
-
- /**
- * Destroy a cert_cache instance.
- */
- void (*destroy)(cert_cache_t *this);
-};
-
-/**
- * Create a cert_cache instance.
- */
-cert_cache_t *cert_cache_create();
-
-#endif /** CERT_CACHE_H_ @}*/
diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.c b/src/libcharon/credentials/sets/ocsp_response_wrapper.c
deleted file mode 100644
index 82079209a..000000000
--- a/src/libcharon/credentials/sets/ocsp_response_wrapper.c
+++ /dev/null
@@ -1,147 +0,0 @@
-/*
- * Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
- * Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This program is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * for more details.
- */
-
-#include "ocsp_response_wrapper.h"
-
-typedef struct private_ocsp_response_wrapper_t private_ocsp_response_wrapper_t;
-
-/**
- * private data of ocsp_response_wrapper
- */
-struct private_ocsp_response_wrapper_t {
-
- /**
- * public functions
- */
- ocsp_response_wrapper_t public;
-
- /**
- * wrapped OCSP response
- */
- ocsp_response_t *response;
-};
-
-/**
- * enumerator for ocsp_response_wrapper_t.create_cert_enumerator()
- */
-typedef struct {
- /** implements enumerator_t */
- enumerator_t public;
- /** enumerator over ocsp response */
- enumerator_t *inner;
- /** type of cert */
- certificate_type_t cert;
- /** type of key */
- key_type_t key;
- /** filtering identity */
- identification_t *id;
-} wrapper_enumerator_t;
-
-/**
- * enumerate function wrapper_enumerator_t
- */
-static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
-{
- certificate_t *current;
- public_key_t *public;
-
- while (this->inner->enumerate(this->inner, ¤t))
- {
- if (this->cert != CERT_ANY && this->cert != current->get_type(current))
- { /* CERT type requested, but does not match */
- continue;
- }
- public = current->get_public_key(current);
- if (this->key != KEY_ANY && !public)
- { /* key type requested, but no public key */
- DESTROY_IF(public);
- continue;
- }
- if (this->key != KEY_ANY && public && this->key != public->get_type(public))
- { /* key type requested, but public key has another type */
- DESTROY_IF(public);
- continue;
- }
- DESTROY_IF(public);
- if (this->id && !current->has_subject(current, this->id))
- { /* subject requested, but does not match */
- continue;
- }
- *cert = current;
- return TRUE;
- }
- return FALSE;
-}
-
-/**
- * destroy function for wrapper_enumerator_t
- */
-static void enumerator_destroy(wrapper_enumerator_t *this)
-{
- this->inner->destroy(this->inner);
- free(this);
-}
-
-/**
- * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
- */
-static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
- certificate_type_t cert, key_type_t key,
- identification_t *id, bool trusted)
-{
- wrapper_enumerator_t *enumerator;
-
- if (trusted)
- {
- return NULL;
- }
-
- enumerator = malloc_thing(wrapper_enumerator_t);
- enumerator->cert = cert;
- enumerator->key = key;
- enumerator->id = id;
- enumerator->inner = this->response->create_cert_enumerator(this->response);
- enumerator->public.enumerate = (void*)enumerate;
- enumerator->public.destroy = (void*)enumerator_destroy;
- return &enumerator->public;
-}
-
-/**
- * Implementation of ocsp_response_wrapper_t.destroy
- */
-static void destroy(private_ocsp_response_wrapper_t *this)
-{
- free(this);
-}
-
-/*
- * see header file
- */
-ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
-{
- private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
-
- this->public.set.create_private_enumerator = (void*)return_null;
- this->public.set.create_cert_enumerator = (void*)create_enumerator;
- this->public.set.create_shared_enumerator = (void*)return_null;
- this->public.set.create_cdp_enumerator = (void*)return_null;
- this->public.set.cache_cert = (void*)nop;
- this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
-
- this->response = response;
-
- return &this->public;
-}
-
diff --git a/src/libcharon/credentials/sets/ocsp_response_wrapper.h b/src/libcharon/credentials/sets/ocsp_response_wrapper.h deleted file mode 100644 index dc4b451df..000000000 --- a/src/libcharon/credentials/sets/ocsp_response_wrapper.h +++ /dev/null @@ -1,53 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup ocsp_response_wrapper ocsp_response_wrapper - * @{ @ingroup sets - */ - -#ifndef OCSP_RESPONSE_WRAPPER_H_ -#define OCSP_RESPONSE_WRAPPER_H_ - -#include -#include - -typedef struct ocsp_response_wrapper_t ocsp_response_wrapper_t; - -/** - * A wrapper around ocsp_response_t to handle it like a credential set. - */ -struct ocsp_response_wrapper_t { - - /** - * implements credential_set_t - */ - credential_set_t set; - - /** - * Destroy a ocsp_response_wrapper instance. - */ - void (*destroy)(ocsp_response_wrapper_t *this); -}; - -/** - * Create a ocsp_response_wrapper instance. - * - * @param response the wrapped OCSP response - * @return wrapper around response - */ -ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response); - -#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/ diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 11c94beb9..c0227027c 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c 
@@ -19,16 +19,19 @@ #include #include #include +#include #include #include + #ifdef CAPABILITIES +#ifdef HAVE_SYS_CAPABILITY_H #include +#endif /* HAVE_SYS_CAPABILITY_H */ #endif /* CAPABILITIES */ #include "daemon.h" #include -#include #include #ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ @@ -46,12 +49,16 @@ struct private_daemon_t { */ daemon_t public; -#ifdef CAPABILITIES /** * capabilities to keep */ +#ifdef CAPABILITIES_LIBCAP cap_t caps; -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + struct __user_cap_data_struct caps; +#endif /* CAPABILITIES_NATIVE */ + }; /** @@ -97,11 +104,12 @@ static void destroy(private_daemon_t *this) this->public.ike_sa_manager->flush(this->public.ike_sa_manager); } DESTROY_IF(this->public.receiver); + DESTROY_IF(this->public.sender); /* unload plugins to release threads */ lib->plugins->unload(lib->plugins); -#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP cap_free(this->caps); -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ DESTROY_IF(this->public.traps); DESTROY_IF(this->public.ike_sa_manager); DESTROY_IF(this->public.kernel_interface); @@ -114,8 +122,6 @@ static void destroy(private_daemon_t *this) DESTROY_IF(this->public.mediation_manager); #endif /* ME */ DESTROY_IF(this->public.backends); - DESTROY_IF(this->public.credentials); - DESTROY_IF(this->public.sender); DESTROY_IF(this->public.socket); /* wait until all threads are gone */ DESTROY_IF(this->public.processor); 
@@ -133,22 +139,36 @@ static void destroy(private_daemon_t *this) METHOD(daemon_t, keep_cap, void, private_daemon_t *this, u_int cap) { -#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP cap_set_flag(this->caps, CAP_EFFECTIVE, 1, &cap, CAP_SET); cap_set_flag(this->caps, CAP_INHERITABLE, 1, &cap, CAP_SET); cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET); -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + this->caps.effective |= 1 << cap; + this->caps.permitted |= 1 << cap; + this->caps.inheritable |= 1 << cap; +#endif /* CAPABILITIES_NATIVE */ } METHOD(daemon_t, drop_capabilities, bool, private_daemon_t *this) { -#ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP if (cap_set_proc(this->caps) != 0) { return FALSE; } -#endif /* CAPABILITIES */ +#endif /* CAPABILITIES_LIBCAP */ +#ifdef CAPABILITIES_NATIVE + struct __user_cap_header_struct header = { + .version = _LINUX_CAPABILITY_VERSION, + }; + if (capset(&header, &this->caps) != 0) + { + return FALSE; + } +#endif /* CAPABILITIES_NATIVE */ return TRUE; } @@ -254,8 +274,15 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, filename, strerror(errno)); continue; } + if (lib->settings->get_bool(lib->settings, + "charon.filelog.%s.flush_line", FALSE, filename)) + { + setlinebuf(file); + } } - file_logger = file_logger_create(file); + file_logger = file_logger_create(file, + lib->settings->get_str(lib->settings, + "charon.filelog.%s.time_format", NULL, filename)); def = lib->settings->get_int(lib->settings, "charon.filelog.%s.default", 1, filename); for (group = 0; group < DBG_MAX; group++) 
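Review bot: In the CAPABILITIES_NATIVE branch of keep_cap, `this->caps.effective |= 1 << cap;` (and the permitted/inheritable lines below it) shifts a signed `1`, which is undefined for cap == 31 and for any cap >= 32, and a v1 `__user_cap_data_struct` carries only 32 bits per set anyway, so a capability number above 31 would be silently lost or corrupt the mask. Shift an unsigned constant and refuse values the struct cannot represent, so that the capset() in drop_capabilities installs exactly the set that was requested rather than a truncated one. `_LINUX_CAPABILITY_VERSION` in drop_capabilities selects that 32-bit v1 format, which I believe newer kernels report as deprecated; if a capability above 31 is ever needed, the v3 header with a two-element data array is required. The only caller visible in this diff keeps CAP_NET_ADMIN, which fits in 32 bits, so the guard is defensive for now.
```c
METHOD(daemon_t, keep_cap, void,
	private_daemon_t *this, u_int cap)
{
	/* … unchanged: CAPABILITIES_LIBCAP branch … */
#ifdef CAPABILITIES_NATIVE
	if (cap >= 32)
	{	/* a v1 __user_cap_data_struct holds one 32-bit word per set */
		DBG1(DBG_DMN, "capability %u not representable, not kept", cap);
		return;
	}
	this->caps.effective |= 1U << cap;
	this->caps.permitted |= 1U << cap;
	this->caps.inheritable |= 1U << cap;
#endif /* CAPABILITIES_NATIVE */
}
```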
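Review bot: `setlinebuf(file)` in the new flush_line branch of initialize_loggers is a BSD/glibc extension rather than standard C; `setvbuf(file, NULL, _IOLBF, 0)` is the portable equivalent, which matters in a commit that is otherwise widening the non-Linux build paths, and it also returns a status that can be checked. initialize_loggers begins and ends outside this hunk.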
@@ -276,7 +303,7 @@ static void initialize_loggers(private_daemon_t *this, bool use_stderr, if (!loggers_defined) { /* set up default stdout file_logger */ - file_logger = file_logger_create(stdout); + file_logger = file_logger_create(stdout, NULL); this->public.bus->add_listener(this->public.bus, &file_logger->listener); this->public.file_loggers->insert_last(this->public.file_loggers, file_logger); @@ -331,7 +358,6 @@ METHOD(daemon_t, initialize, bool, /* load secrets, ca certificates and crls */ this->public.processor = processor_create(); this->public.scheduler = scheduler_create(); - this->public.credentials = credential_manager_create(); this->public.controller = controller_create(); this->public.eap = eap_manager_create(); this->public.sim = sim_manager_create(); @@ -392,7 +418,9 @@ private_daemon_t *daemon_create() ); #ifdef CAPABILITIES +#ifdef CAPABILITIES_LIBCAP this->caps = cap_init(); +#endif /* CAPABILITIES_LIBCAP */ keep_cap(this, CAP_NET_ADMIN); if (lib->leak_detective) { @@ -423,10 +451,6 @@ bool libcharon_init() this = daemon_create(); charon = &this->public; - lib->printf_hook->add_handler(lib->printf_hook, 'R', - traffic_selector_printf_hook, - PRINTF_HOOK_ARGTYPE_POINTER, - PRINTF_HOOK_ARGTYPE_END); lib->printf_hook->add_handler(lib->printf_hook, 'P', proposal_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index 9b6d97060..38f0256e7 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -31,12 +31,6 @@ * @defgroup control control * @ingroup libcharon * - * @defgroup ccredentials credentials - * @ingroup libcharon - * - * @defgroup sets sets - * @ingroup ccredentials - * * @defgroup encoding encoding * @ingroup libcharon * @@ -156,7 +150,6 @@ typedef struct daemon_t daemon_t; #include #include #include -#include #include #include 
@@ -205,11 +198,6 @@ struct daemon_t { */ backend_manager_t *backends; - /** - * Manager for the credential backends - */ - credential_manager_t *credentials; - /** * The Sender-Thread. */ diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index acfc0fd44..ee49a6686 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -31,6 +31,7 @@ #include #include #include +#include /** * Max number of notify payloads per IKEv2 Message @@ -975,6 +976,39 @@ static char* get_string(private_message_t *this, char *buf, int len) pos += written; len -= written; } + if (payload->get_type(payload) == CONFIGURATION) + { + cp_payload_t *cp = (cp_payload_t*)payload; + enumerator_t *attributes; + configuration_attribute_t *attribute; + bool first = TRUE; + + attributes = cp->create_attribute_enumerator(cp); + while (attributes->enumerate(attributes, &attribute)) + { + written = snprintf(pos, len, "%s%N", first ? "(" : " ", + configuration_attribute_type_short_names, + attribute->get_type(attribute)); + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + first = FALSE; + } + attributes->destroy(attributes); + if (!first) + { + written = snprintf(pos, len, ")"); + if (written >= len || written < 0) + { + return buf; + } + pos += written; + len -= written; + } + } } enumerator->destroy(enumerator); diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index 6dd3141f0..80239f654 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c 
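Review bot: In the CONFIGURATION branch added to get_string in message.c, the early `return buf;` inside the attribute loop leaves `attributes` undestroyed, because `attributes->destroy(attributes)` only runs once the loop finishes; every truncated string conversion of a CP payload then leaks an enumerator. Destroy it before bailing out: `attributes->destroy(attributes); return buf;`. get_string begins and ends outside this hunk.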
@@ -320,7 +320,12 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert) free(this); return NULL; } - this->data = cert->get_encoding(cert); + if (!cert->get_encoding(cert, CERT_ASN1_DER, &this->data)) + { + DBG1(DBG_ENC, "encoding certificate for cert payload failed"); + free(this); + return NULL; + } this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len; return &this->public; } diff --git a/src/libcharon/kernel/kernel_interface.c b/src/libcharon/kernel/kernel_interface.c index 64a43a7fc..837e628bc 100644 --- a/src/libcharon/kernel/kernel_interface.c +++ b/src/libcharon/kernel/kernel_interface.c @@ -67,8 +67,8 @@ METHOD(kernel_interface_t, get_cpi, status_t, METHOD(kernel_interface_t, add_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, + mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { 
@@ -77,82 +77,84 @@ METHOD(kernel_interface_t, add_sa, status_t, return NOT_SUPPORTED; } return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid, - lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, cpi, - encap, inbound, src_ts, dst_ts); + mark, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp, + cpi, encap, inbound, src_ts, dst_ts); } METHOD(kernel_interface_t, update_sa, status_t, private_kernel_interface_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap) + bool encap, bool new_encap, mark_t mark) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->update_sa(this->ipsec, spi, protocol, cpi, src, dst, - new_src, new_dst, encap, new_encap); + new_src, new_dst, encap, new_encap, mark); } METHOD(kernel_interface_t, query_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, bytes); + return this->ipsec->query_sa(this->ipsec, src, dst, spi, protocol, mark, bytes); } METHOD(kernel_interface_t, del_sa, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int16_t cpi) + protocol_id_t protocol, u_int16_t cpi, mark_t mark) { if (!this->ipsec) { return NOT_SUPPORTED; } - return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi); + return this->ipsec->del_sa(this->ipsec, src, dst, spi, protocol, cpi, mark); } METHOD(kernel_interface_t, add_policy, status_t, private_kernel_interface_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, 
u_int16_t cpi, - bool routed) + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->add_policy(this->ipsec, src, dst, src_ts, dst_ts, - direction, spi, protocol, reqid, mode, ipcomp, cpi, routed); + direction, spi, protocol, reqid, mark, mode, ipcomp, cpi, routed); } METHOD(kernel_interface_t, query_policy, status_t, private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->query_policy(this->ipsec, src_ts, dst_ts, - direction, use_time); + direction, mark, use_time); } METHOD(kernel_interface_t, del_policy, status_t, private_kernel_interface_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { if (!this->ipsec) { return NOT_SUPPORTED; } return this->ipsec->del_policy(this->ipsec, src_ts, dst_ts, - direction, unrouted); + direction, mark, unrouted); } METHOD(kernel_interface_t, get_source_addr, host_t*, diff --git a/src/libcharon/kernel/kernel_interface.h b/src/libcharon/kernel/kernel_interface.h index 4a62e76b8..92d85f9c9 100644 --- a/src/libcharon/kernel/kernel_interface.h +++ b/src/libcharon/kernel/kernel_interface.h @@ -90,6 +90,7 @@ struct kernel_interface_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA + * @param mark optional mark for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption 
@@ -106,7 +107,7 @@ struct kernel_interface_t { */ status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, + protocol_id_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, @@ -131,6 +132,7 @@ struct kernel_interface_t { * @param new_dst new destination address * @param encap current use of UDP encapsulation * @param new_encap new use of UDP encapsulation + * @param mark optional mark for this SA * @return SUCCESS if operation completed, NOT_SUPPORTED if * the kernel interface can't update the SA */ @@ -138,7 +140,7 @@ struct kernel_interface_t { u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap); + bool encap, bool new_encap, mark_t mark); /** * Query the number of bytes processed by an SA from the SAD. @@ -147,11 +149,13 @@ struct kernel_interface_t { * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) + * @param mark optional mark for this SA * @param[out] bytes the number of bytes processed by SA * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int64_t *bytes); /** * Delete a previously installed SA from the SAD. 
@@ -161,10 +165,12 @@ struct kernel_interface_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 + * @param mark optional mark for this SA * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_interface_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + mark_t mark); /** * Add a policy to the SPD. @@ -180,6 +186,7 @@ struct kernel_interface_t { * @param spi SPI of SA * @param protocol protocol to use to protect traffic (AH/ESP) * @param reqid unique ID of an SA to use to enforce policy + * @param mark mark for this policy * @param mode mode of SA (tunnel, transport) * @param ipcomp the IPComp transform used * @param cpi CPI for IPComp @@ -192,8 +199,8 @@ struct kernel_interface_t { traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed); + mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed); /** * Query the use time of a policy. @@ -204,13 +211,15 @@ struct kernel_interface_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param[out] use_time the time of this SA's last use * @return SUCCESS if operation completed */ status_t (*query_policy) (kernel_interface_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time); + policy_dir_t direction, mark_t mark, + u_int32_t *use_time); /** * Remove a policy from the SPD. 
@@ -223,13 +232,14 @@ struct kernel_interface_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param unrouted TRUE, if this policy is unrouted from the kernel * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_interface_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, + policy_dir_t direction, mark_t mark, bool unrouted); /** diff --git a/src/libcharon/kernel/kernel_ipsec.h b/src/libcharon/kernel/kernel_ipsec.h index 300464cf6..d09265cc9 100644 --- a/src/libcharon/kernel/kernel_ipsec.h +++ b/src/libcharon/kernel/kernel_ipsec.h @@ -121,6 +121,7 @@ struct kernel_ipsec_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA + * @param mark mark for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -138,7 +139,7 @@ struct kernel_ipsec_t { status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - lifetime_cfg_t *lifetime, + mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, @@ -162,6 +163,7 @@ struct kernel_ipsec_t { * @param new_dst new destination address * @param encap current use of UDP encapsulation * @param new_encap new use of UDP encapsulation + * @param mark optional mark for this SA * @return SUCCESS if operation completed, NOT_SUPPORTED if * the kernel interface can't update the SA */ 
@@ -169,7 +171,7 @@ struct kernel_ipsec_t { u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap); + bool encap, bool new_encap, mark_t mark); /** * Query the number of bytes processed by an SA from the SAD. @@ -178,11 +180,13 @@ struct kernel_ipsec_t { * @param dst destination address for this SA * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) + * @param mark optional mark for this SA * @param[out] bytes the number of bytes processed by SA * @return SUCCESS if operation completed */ status_t (*query_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes); + u_int32_t spi, protocol_id_t protocol, mark_t mark, + u_int64_t *bytes); /** * Delete a previusly installed SA from the SAD. @@ -192,10 +196,12 @@ struct kernel_ipsec_t { * @param spi SPI allocated by us or remote peer * @param protocol protocol for this SA (ESP/AH) * @param cpi CPI for IPComp or 0 + * @param mark optional mark for this SA * @return SUCCESS if operation completed */ status_t (*del_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi); + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, + mark_t mark); /** * Add a policy to the SPD. @@ -211,6 +217,7 @@ struct kernel_ipsec_t { * @param spi SPI of SA * @param protocol protocol to use to protect traffic (AH/ESP) * @param reqid unique ID of an SA to use to enforce policy + * @param mark mark for this policy * @param mode mode of SA (tunnel, transport) * @param ipcomp the IPComp transform used * @param cpi CPI for IPComp 
@@ -223,8 +230,8 @@ struct kernel_ipsec_t { traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed); + mark_t mark, ipsec_mode_t mode, + u_int16_t ipcomp, u_int16_t cpi, bool routed); /** * Query the use time of a policy. @@ -236,13 +243,15 @@ struct kernel_ipsec_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param[out] use_time the monotonic timestamp of this SA's last use * @return SUCCESS if operation completed */ status_t (*query_policy) (kernel_ipsec_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, u_int32_t *use_time); + policy_dir_t direction, mark_t mark, + u_int32_t *use_time); /** * Remove a policy from the SPD. @@ -255,13 +264,14 @@ struct kernel_ipsec_t { * @param src_ts traffic selector to match traffic source * @param dst_ts traffic selector to match traffic dest * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD + * @param mark optional mark * @param unrouted TRUE, if this policy is unrouted from the kernel * @return SUCCESS if operation completed */ status_t (*del_policy) (kernel_ipsec_t *this, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, - policy_dir_t direction, + policy_dir_t direction, mark_t mark, bool unrouted); /** diff --git a/src/libcharon/network/receiver.c b/src/libcharon/network/receiver.c index df897021a..63a8cab58 100644 --- a/src/libcharon/network/receiver.c +++ b/src/libcharon/network/receiver.c 
@@ -103,7 +103,22 @@ struct private_receiver_t { /** * Delay for receiving incoming packets, to simulate larger RTT */ - u_int receive_delay; + int receive_delay; + + /** + * Specific message type to delay, 0 for any + */ + int receive_delay_type; + + /** + * Delay request messages? + */ + bool receive_delay_request; + + /** + * Delay response messages? + */ + bool receive_delay_response; }; /** @@ -242,7 +257,7 @@ static bool cookie_required(private_receiver_t *this, message_t *message) /** * check if peer has to many half open IKE_SAs */ -static bool peer_to_aggressive(private_receiver_t *this, message_t *message) +static bool peer_too_aggressive(private_receiver_t *this, message_t *message) { if (charon->ike_sa_manager->get_half_open_count(charon->ike_sa_manager, message->get_source(message)) >= this->block_threshold) @@ -259,7 +274,6 @@ static job_requeue_t receive_packets(private_receiver_t *this) { packet_t *packet; message_t *message; - job_t *job; /* read in a packet */ if (charon->socket->receive(charon->socket, &packet) != SUCCESS) @@ -321,7 +335,7 @@ static job_requeue_t receive_packets(private_receiver_t *this) } /* check if peer has not too many IKE_SAs half open */ - if (this->block_threshold && peer_to_aggressive(this, message)) + if (this->block_threshold && peer_too_aggressive(this, message)) { DBG1(DBG_NET, "ignoring IKE_SA setup from %H, " "peer too aggressive", message->get_source(message)); 
@@ -329,16 +343,25 @@ static job_requeue_t receive_packets(private_receiver_t *this) return JOB_REQUEUE_DIRECT; } } - job = (job_t*)process_message_job_create(message); if (this->receive_delay) { - charon->scheduler->schedule_job_ms(charon->scheduler, - job, this->receive_delay); - } - else - { - charon->processor->queue_job(charon->processor, job); + if (this->receive_delay_type == 0 || + this->receive_delay_type == message->get_exchange_type(message)) + { + if ((message->get_request(message) && this->receive_delay_request) || + (!message->get_request(message) && this->receive_delay_response)) + { + DBG1(DBG_NET, "using receive delay: %dms", + this->receive_delay); + charon->scheduler->schedule_job_ms(charon->scheduler, + (job_t*)process_message_job_create(message), + this->receive_delay); + return JOB_REQUEUE_DIRECT; + } + } } + charon->processor->queue_job(charon->processor, + (job_t*)process_message_job_create(message)); return JOB_REQUEUE_DIRECT; } @@ -374,6 +397,12 @@ receiver_t *receiver_create() } this->receive_delay = lib->settings->get_int(lib->settings, "charon.receive_delay", 0); + this->receive_delay_type = lib->settings->get_int(lib->settings, + "charon.receive_delay_type", 0), + this->receive_delay_request = lib->settings->get_bool(lib->settings, + "charon.receive_delay_request", TRUE), + this->receive_delay_response = lib->settings->get_int(lib->settings, + "charon.receive_delay_response", TRUE), this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (this->hasher == NULL) diff --git a/src/libcharon/network/sender.c b/src/libcharon/network/sender.c index c18f1138e..bb6d50605 100644 --- a/src/libcharon/network/sender.c +++ b/src/libcharon/network/sender.c 
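Review bot: In receiver_create, `receive_delay_response` is read with `get_int` while its sibling `receive_delay_request` uses `get_bool` and the field is declared bool in the struct hunk above; a boolean spelling such as `yes`/`no` in strongswan.conf would presumably parse to 0 through the integer path, silently disabling the response delay. Change it to `this->receive_delay_response = lib->settings->get_bool(lib->settings, "charon.receive_delay_response", TRUE);`. The three new assignments also end with `,` instead of `;` — it compiles through the comma operator, but it reads like a copy of the designated-initializer form and should be terminated normally. The same `get_int` on `send_delay_response` appears in the sender_create hunk of sender.c.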
@@ -67,6 +67,21 @@ struct private_sender_t { * Delay for sending outgoing packets, to simulate larger RTT */ int send_delay; + + /** + * Specific message type to delay, 0 for any + */ + int send_delay_type; + + /** + * Delay request messages? + */ + bool send_delay_request; + + /** + * Delay response messages? + */ + bool send_delay_response; }; METHOD(sender_t, send_, void, @@ -80,7 +95,23 @@ METHOD(sender_t, send_, void, if (this->send_delay) { - usleep(this->send_delay * 1000); + message_t *message; + + message = message_create_from_packet(packet->clone(packet)); + if (message->parse_header(message) == SUCCESS) + { + if (this->send_delay_type == 0 || + this->send_delay_type == message->get_exchange_type(message)) + { + if ((message->get_request(message) && this->send_delay_request) || + (!message->get_request(message) && this->send_delay_response)) + { + DBG1(DBG_NET, "using send delay: %dms", this->send_delay); + usleep(this->send_delay * 1000); + } + } + } + message->destroy(message); } this->mutex->lock(this->mutex); @@ -155,7 +186,13 @@ sender_t * sender_create() .job = callback_job_create((callback_job_cb_t)send_packets, this, NULL, NULL), .send_delay = lib->settings->get_int(lib->settings, - "charon.send_delay", 0), + "charon.send_delay", 0), + .send_delay_type = lib->settings->get_int(lib->settings, + "charon.send_delay_type", 0), + .send_delay_request = lib->settings->get_bool(lib->settings, + "charon.send_delay_request", TRUE), + .send_delay_response = lib->settings->get_int(lib->settings, + "charon.send_delay_response", TRUE), ); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/libcharon/plugins/addrblock/Makefile.am b/src/libcharon/plugins/addrblock/Makefile.am new file mode 100644 index 000000000..50d0457f8 --- /dev/null +++ b/src/libcharon/plugins/addrblock/Makefile.am 
@@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-addrblock.la +else +plugin_LTLIBRARIES = libstrongswan-addrblock.la +endif + +libstrongswan_addrblock_la_SOURCES = \ + addrblock_plugin.h addrblock_plugin.c \ + addrblock_narrow.h addrblock_narrow.c \ + addrblock_validator.h addrblock_validator.c + +libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in new file mode 100644 index 000000000..4cb047929 --- /dev/null +++ b/src/libcharon/plugins/addrblock/Makefile.in 
@@ -0,0 +1,592 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/addrblock +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; 
+am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_addrblock_la_LIBADD = +am_libstrongswan_addrblock_la_OBJECTS = addrblock_plugin.lo \ + addrblock_narrow.lo addrblock_validator.lo +libstrongswan_addrblock_la_OBJECTS = \ + $(am_libstrongswan_addrblock_la_OBJECTS) +libstrongswan_addrblock_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_addrblock_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_addrblock_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_addrblock_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = 
$(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_addrblock_la_SOURCES) +DIST_SOURCES = $(libstrongswan_addrblock_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = 
@STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = 
@top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-addrblock.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-addrblock.la +libstrongswan_addrblock_la_SOURCES = \ + addrblock_plugin.h addrblock_plugin.c \ + addrblock_narrow.h addrblock_narrow.c \ + addrblock_validator.h addrblock_validator.c + +libstrongswan_addrblock_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/addrblock/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-addrblock.la: $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_DEPENDENCIES) + $(libstrongswan_addrblock_la_LINK) $(am_libstrongswan_addrblock_la_rpath) $(libstrongswan_addrblock_la_OBJECTS) $(libstrongswan_addrblock_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_narrow.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/addrblock_validator.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + 
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic 
mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.c b/src/libcharon/plugins/addrblock/addrblock_narrow.c new file mode 100644 index 000000000..f85fa78d6 --- /dev/null +++ b/src/libcharon/plugins/addrblock/addrblock_narrow.c 
@@ -0,0 +1,154 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_narrow.h"
+
+#include
+#include
+
+typedef struct private_addrblock_narrow_t private_addrblock_narrow_t;
+
+/**
+ * Private data of an addrblock_narrow_t object.
+ */
+struct private_addrblock_narrow_t {
+
+ /**
+ * Public addrblock_narrow_t interface.
+ */
+ addrblock_narrow_t public;
+};
+
+/**
+ * Check if the negotiated TS list is acceptable by X509 ipAddrBlock constraints
+ */
+static bool check_constraints(ike_sa_t *ike_sa, linked_list_t *list)
+{
+ auth_cfg_t *auth;
+ enumerator_t *auth_enum;
+ certificate_t *cert = NULL;
+
+ auth_enum = ike_sa->create_auth_cfg_enumerator(ike_sa, FALSE);
+ while (auth_enum->enumerate(auth_enum, &auth))
+ {
+ cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);
+ if (cert)
+ {
+ break;
+ }
+ }
+ auth_enum->destroy(auth_enum);
+
+ if (cert && cert->get_type(cert) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)cert;
+
+ if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS)
+ {
+ enumerator_t *enumerator, *block_enum;
+ traffic_selector_t *ts, *block_ts;
+
+ DBG1(DBG_IKE, "checking certificate-based traffic selector "
+ "constraints [RFC 3779]");
+ enumerator = list->create_enumerator(list);
+ while (enumerator->enumerate(enumerator, &ts))
+ {
+ bool contained = FALSE;
+
+ block_enum = x509->create_ipAddrBlock_enumerator(x509);
+ while (block_enum->enumerate(block_enum, &block_ts))
+ {
+ if (ts->is_contained_in(ts, block_ts))
+ {
+ DBG1(DBG_IKE, " TS %R is contained in address block"
+ " constraint %R", ts, block_ts);
+ contained = TRUE;
+ break;
+ }
+ }
+ block_enum->destroy(block_enum);
+
+ if (!contained)
+ {
+ DBG1(DBG_IKE, " TS %R is not contained in any"
+ " address block constraint", ts);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ }
+ return TRUE;
+}
+
+/**
+ * Delete all traffic selectors in a list
+ */
+static void flush_ts_list(linked_list_t *list)
+{
+ traffic_selector_t *ts;
+
+ while (list->remove_last(list, (void**)&ts) == SUCCESS)
+ {
+ ts->destroy(ts);
+ }
+}
+
+METHOD(listener_t, narrow, bool,
+ private_addrblock_narrow_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa,
+ narrow_hook_t type, linked_list_t *local, linked_list_t *remote)
+{
+ switch (type)
+ {
+ case NARROW_RESPONDER:
+ case NARROW_INITIATOR_POST_AUTH:
+ case NARROW_INITIATOR_POST_NOAUTH:
+ if (!check_constraints(ike_sa, remote))
+ {
+ flush_ts_list(local);
+ flush_ts_list(remote);
+ }
+ break;
+ default:
+ break;
+ }
+ return TRUE;
+}
+
+METHOD(addrblock_narrow_t, destroy, void,
+ private_addrblock_narrow_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_narrow_t *addrblock_narrow_create()
+{
+ private_addrblock_narrow_t *this;
+
+ INIT(this,
+ .public = {
+ .listener.narrow = _narrow,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/addrblock/addrblock_narrow.h b/src/libcharon/plugins/addrblock/addrblock_narrow.h
new file mode 100644
index 000000000..9ab32e671
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_narrow.h
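Review bot: check_constraints applies the ipAddrBlocks of only one certificate: the `break` right after `cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT);` stops at the first authentication round that carries a subject cert, so if the peer authenticated in several rounds with different certificates (whether create_auth_cfg_enumerator can yield more than one is not visible here), the constraints of the later ones never reach the remote TS list. If first-cert-only is intended, state it in the function comment, e.g. `/* Only the subject cert of the first auth round carrying one is checked */`; otherwise every subject cert found should be checked and any rejection should fail the narrowing. Enforcement also relies on the caller treating the flushed `local`/`remote` lists as a failed CHILD_SA negotiation, which is an assumption about the narrow hook worth a one-line comment in `narrow`. A point of style: `addrblock_narrow_create()` (and likewise `addrblock_validator_create()` and `addrblock_plugin_create()` in the sibling files) is defined and declared with an empty parameter list; `(void)` gives these a real prototype.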
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_narrow addrblock_narrow
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_NARROW_H_
+#define ADDRBLOCK_NARROW_H_
+
+#include
+
+typedef struct addrblock_narrow_t addrblock_narrow_t;
+
+/**
+ * Listener that checks traffic selectors against addrblock constraints.
+ */
+struct addrblock_narrow_t {
+
+ /**
+ * Implements listener_t.
+ */
+ listener_t listener;
+
+ /**
+ * Destroy a addrblock_narrow_t.
+ */
+ void (*destroy)(addrblock_narrow_t *this);
+};
+
+/**
+ * Create a addrblock_narrow instance.
+ */
+addrblock_narrow_t *addrblock_narrow_create();
+
+#endif /** ADDRBLOCK_NARROW_H_ @}*/
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.c b/src/libcharon/plugins/addrblock/addrblock_plugin.c
new file mode 100644
index 000000000..1c407035d
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_plugin.h"
+
+#include
+
+#include "addrblock_validator.h"
+#include "addrblock_narrow.h"
+
+typedef struct private_addrblock_plugin_t private_addrblock_plugin_t;
+
+/**
+ * private data of addrblock_plugin
+ */
+struct private_addrblock_plugin_t {
+
+ /**
+ * public functions
+ */
+ addrblock_plugin_t public;
+
+ /**
+ * Validator implementation instance.
+ */
+ addrblock_validator_t *validator;
+
+ /**
+ * Listener to check TS list
+ */
+ addrblock_narrow_t *narrower;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_addrblock_plugin_t *this)
+{
+ charon->bus->remove_listener(charon->bus, &this->narrower->listener);
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->narrower->destroy(this->narrower);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *addrblock_plugin_create()
+{
+ private_addrblock_plugin_t *this;
+
+ INIT(this,
+ .public.plugin.destroy = _destroy,
+ .validator = addrblock_validator_create(),
+ .narrower = addrblock_narrow_create(),
+ );
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+ charon->bus->add_listener(charon->bus, &this->narrower->listener);
+
+ return &this->public.plugin;
+}
diff --git a/src/libcharon/plugins/addrblock/addrblock_plugin.h b/src/libcharon/plugins/addrblock/addrblock_plugin.h
new file mode 100644
index 000000000..87bd516f9
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock addrblock
+ * @ingroup cplugins
+ *
+ * @defgroup addrblock_plugin addrblock_plugin
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_PLUGIN_H_
+#define ADDRBLOCK_PLUGIN_H_
+
+#include
+
+typedef struct addrblock_plugin_t addrblock_plugin_t;
+
+/**
+ * RFC 3779 address block checking.
+ */
+struct addrblock_plugin_t {
+
+ /**
+ * Implements plugin_t. interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** ADDRBLOCK_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
new file mode 100644
index 000000000..44ef38d85
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -0,0 +1,124 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ * Copyright (C) 2009 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "addrblock_validator.h"
+
+#include
+#include
+#include
+
+typedef struct private_addrblock_validator_t private_addrblock_validator_t;
+
+/**
+ * Private data of an addrblock_validator_t object.
+ */
+struct private_addrblock_validator_t {
+
+ /**
+ * Public addrblock_validator_t interface.
+ */
+ addrblock_validator_t public;
+};
+
+/**
+ * Do the addrblock check for two x509 plugins
+ */
+static bool check_addrblock(x509_t *subject, x509_t *issuer)
+{
+ bool subject_const, issuer_const, contained = TRUE;
+ enumerator_t *subject_enumerator, *issuer_enumerator;
+ traffic_selector_t *subject_ts, *issuer_ts;
+
+ subject_const = subject->get_flags(subject) & X509_IP_ADDR_BLOCKS;
+ issuer_const = issuer->get_flags(issuer) & X509_IP_ADDR_BLOCKS;
+
+ if (!subject_const && !issuer_const)
+ {
+ return TRUE;
+ }
+ if (!subject_const)
+ {
+ DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ if (!issuer_const)
+ {
+ DBG1(DBG_CFG, "issuer certficate lacks ipAddrBlocks extension");
+ return FALSE;
+ }
+ subject_enumerator = subject->create_ipAddrBlock_enumerator(subject);
+ while (subject_enumerator->enumerate(subject_enumerator, &subject_ts))
+ {
+ contained = FALSE;
+
+ issuer_enumerator = issuer->create_ipAddrBlock_enumerator(issuer);
+ while (issuer_enumerator->enumerate(issuer_enumerator, &issuer_ts))
+ {
+ if (subject_ts->is_contained_in(subject_ts, issuer_ts))
+ {
+ DBG2(DBG_CFG, " subject address block %R is contained in "
+ "issuer address block %R", subject_ts, issuer_ts);
+ contained = TRUE;
+ break;
+ }
+ }
+ issuer_enumerator->destroy(issuer_enumerator);
+ if (!contained)
+ {
+ DBG1(DBG_CFG, "subject address block %R is not contained in any "
+ "issuer address block", subject_ts);
+ break;
+ }
+ }
+ subject_enumerator->destroy(subject_enumerator);
+ return contained;
+}
+
+METHOD(cert_validator_t, validate, bool,
+ private_addrblock_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+{
+ if (subject->get_type(subject) == CERT_X509 &&
+ issuer->get_type(issuer) == CERT_X509)
+ {
+ return check_addrblock((x509_t*)subject, (x509_t*)issuer);
+ }
+ return TRUE;
+}
+
+METHOD(addrblock_validator_t, destroy, void,
+ private_addrblock_validator_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+addrblock_validator_t *addrblock_validator_create()
+{
+ private_addrblock_validator_t *this;
+
+ INIT(this,
+ .public = {
+ .validator.validate = _validate,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.h b/src/libcharon/plugins/addrblock/addrblock_validator.h
new file mode 100644
index 000000000..423f0d41a
--- /dev/null
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.h
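Review bot: The two rejection messages in check_addrblock misspell "certificate" (`"subject certficate lacks ipAddrBlocks extension"` and the issuer variant); operators search logs for exactly these strings, so fix them before they ship: `DBG1(DBG_CFG, "subject certificate lacks ipAddrBlocks extension");` and `DBG1(DBG_CFG, "issuer certificate lacks ipAddrBlocks extension");`. The policy these branches implement is also asymmetric and deserves a comment: a subject without the extension is rejected whenever its issuer carries one, which is stricter than what RFC 3779 requires (the extension must be present issuer-ward of a constrained certificate), so a line such as `/* a CA constrained by ipAddrBlocks may only issue constrained certificates */` above the second `if` would record that this is deliberate. Note that the function returns TRUE for a subject that has the extension but whose enumerator yields no blocks (`contained` starts TRUE and is only reset inside the loop), and the RFC 3779 "inherit" element is not handled here — presumably create_ipAddrBlock_enumerator resolves it, which is worth confirming. Likewise `validate` ignores `pathlen` and checks one (subject, issuer) pair; the chain-wide property holds only if the credential manager invokes the validator for every link in the path, which the hunk does not show. The helper comment "Do the addrblock check for two x509 plugins" should read "certificates".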
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup addrblock_validator addrblock_validator
+ * @{ @ingroup addrblock
+ */
+
+#ifndef ADDRBLOCK_VALIDATOR_H_
+#define ADDRBLOCK_VALIDATOR_H_
+
+#include
+
+typedef struct addrblock_validator_t addrblock_validator_t;
+
+/**
+ * RFC 3779 address block X509 certificate validator.
+ */
+struct addrblock_validator_t {
+
+ /**
+ * Implements cert_validator_t interface.
+ */
+ cert_validator_t validator;
+
+ /**
+ * Destroy a addrblock_validator_t.
+ */
+ void (*destroy)(addrblock_validator_t *this);
+};
+
+/**
+ * Create a addrblock_validator instance.
+ */
+addrblock_validator_t *addrblock_validator_create();
+
+#endif /** ADDRBLOCK_VALIDATOR_H_ @}*/
diff --git a/src/libcharon/plugins/android/Makefile.am b/src/libcharon/plugins/android/Makefile.am
index e8423589c..b922ef4af 100644
--- a/src/libcharon/plugins/android/Makefile.am
+++ b/src/libcharon/plugins/android/Makefile.am
@@ -12,7 +12,10 @@ endif libstrongswan_android_la_SOURCES = \ android_plugin.c android_plugin.h \ - android_handler.c android_handler.h + android_service.c android_service.h \ + android_handler.c android_handler.h \ + android_logger.c android_logger.h \ + android_creds.c android_creds.h libstrongswan_android_la_LDFLAGS = -module -avoid-version libstrongswan_android_la_LIBADD = -lcutils
diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index 9f12a9c75..6e4903ee1 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -75,7 +75,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_android_la_DEPENDENCIES = am_libstrongswan_android_la_OBJECTS = android_plugin.lo \ - android_handler.lo + android_service.lo android_handler.lo android_logger.lo \ + android_creds.lo libstrongswan_android_la_OBJECTS = \ $(am_libstrongswan_android_la_OBJECTS) libstrongswan_android_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -265,7 +266,10 @@ AM_CFLAGS = -rdynamic @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-android.la libstrongswan_android_la_SOURCES = \ android_plugin.c android_plugin.h \ - android_handler.c android_handler.h + android_service.c android_service.h \ + android_handler.c android_handler.h \ + android_logger.c android_logger.h \ + android_creds.c android_creds.h libstrongswan_android_la_LDFLAGS = -module -avoid-version libstrongswan_android_la_LIBADD = -lcutils @@ -352,8 +356,11 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_creds.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_handler.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/android_service.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c
new file mode 100644
index 000000000..aa7fc6f92
--- /dev/null
+++ b/src/libcharon/plugins/android/android_creds.c
@@ -0,0 +1,294 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "android_creds.h" + +#include +#include + +typedef struct private_android_creds_t private_android_creds_t; + +/** + * Private data of an android_creds_t object + */ +struct private_android_creds_t { + + /** + * Public interface + */ + android_creds_t public; + + /** + * List of trusted certificates, certificate_t* + */ + linked_list_t *certs; + + /** + * User name (ID) + */ + identification_t *user; + + /** + * User password + */ + char *pass; + + /** + * read/write lock + */ + rwlock_t *lock; + +}; + +/** + * Certificate enumerator data + */ +typedef struct { + private_android_creds_t *this; + key_type_t key; + identification_t *id; +} cert_data_t; + +/** + * Filter function for certificates enumerator + */ +static bool cert_filter(cert_data_t *data, certificate_t **in, + certificate_t **out) +{ + certificate_t *cert = *in; + public_key_t *public; + + public = cert->get_public_key(cert); + if (!public) + { + return FALSE; + } + if (data->key != KEY_ANY && public->get_type(public) != data->key) + { + public->destroy(public); + return FALSE; + } + if (data->id && data->id->get_type(data->id) == ID_KEY_ID && + public->has_fingerprint(public, data->id->get_encoding(data->id))) + { + public->destroy(public); + *out = cert; + return TRUE; + } + public->destroy(public); + if (data->id && !cert->has_subject(cert, data->id)) + { + return 
FALSE; + } + *out = cert; + return TRUE; +} + +/** + * Destroy certificate enumerator data + */ +static void cert_data_destroy(cert_data_t *this) +{ + this->this->lock->unlock(this->this->lock); + free(this); +} + +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_android_creds_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + if (cert == CERT_X509 || cert == CERT_ANY) + { + cert_data_t *data; + this->lock->read_lock(this->lock); + INIT(data, .this = this, .id = id, .key = key); + return enumerator_create_filter( + this->certs->create_enumerator(this->certs), + (void*)cert_filter, data, (void*)cert_data_destroy); + } + return NULL; +} + +/** + * Shared key enumerator implementation + */ +typedef struct { + enumerator_t public; + private_android_creds_t *this; + shared_key_t *key; + bool done; +} shared_enumerator_t; + +METHOD(enumerator_t, shared_enumerate, bool, + shared_enumerator_t *this, shared_key_t **key, id_match_t *me, + id_match_t *other) +{ + if (this->done) + { + return FALSE; + } + *key = this->key; + *me = ID_MATCH_PERFECT; + *other = ID_MATCH_ANY; + this->done = TRUE; + return TRUE; +} + +METHOD(enumerator_t, shared_destroy, void, + shared_enumerator_t *this) +{ + this->key->destroy(this->key); + this->this->lock->unlock(this->this->lock); + free(this); +} + +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_android_creds_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) +{ + shared_enumerator_t *enumerator; + + this->lock->read_lock(this->lock); + + if (!this->user || !this->pass) + { + this->lock->unlock(this->lock); + return NULL; + } + if (type != SHARED_EAP && type != SHARED_IKE) + { + this->lock->unlock(this->lock); + return NULL; + } + if (me && !me->equals(me, this->user)) + { + this->lock->unlock(this->lock); + return NULL; + } + + INIT(enumerator, + .public = { + .enumerate = (void*)_shared_enumerate, + .destroy = 
_shared_destroy, + }, + .this = this, + .done = FALSE, + .key = shared_key_create(type, chunk_clone(chunk_create(this->pass, + strlen(this->pass)))), + ); + return &enumerator->public; +} + +METHOD(android_creds_t, add_certificate, bool, + private_android_creds_t *this, char *name) +{ + certificate_t *cert = NULL; + bool status = FALSE; + chunk_t chunk; +#ifdef KEYSTORE_MESSAGE_SIZE + /* most current interface, the eclair interface (without key length) is + * currently not supported */ + char value[KEYSTORE_MESSAGE_SIZE]; + chunk.ptr = value; + chunk.len = keystore_get(name, strlen(name), chunk.ptr); + if (chunk.len > 0) +#else + /* 1.6 interface, allocates memory */ + chunk.ptr = keystore_get(name, &chunk.len); + if (chunk.ptr) +#endif /* KEYSTORE_MESSAGE_SIZE */ + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_PEM, chunk, BUILD_END); + if (cert) + { + this->lock->write_lock(this->lock); + this->certs->insert_last(this->certs, cert); + this->lock->unlock(this->lock); + status = TRUE; + } +#ifndef KEYSTORE_MESSAGE_SIZE + free(chunk.ptr); +#endif /* KEYSTORE_MESSAGE_SIZE */ + } + return status; +} + +METHOD(android_creds_t, set_username_password, void, + private_android_creds_t *this, identification_t *id, char *password) +{ + this->lock->write_lock(this->lock); + DESTROY_IF(this->user); + this->user = id->clone(id); + free(this->pass); + this->pass = password ? 
strdup(password) : NULL; + this->lock->unlock(this->lock); +} + +METHOD(android_creds_t, clear, void, + private_android_creds_t *this) +{ + certificate_t *cert; + this->lock->write_lock(this->lock); + while (this->certs->remove_last(this->certs, (void**)&cert) == SUCCESS) + { + cert->destroy(cert); + } + DESTROY_IF(this->user); + free(this->pass); + this->user = NULL; + this->pass = NULL; + this->lock->unlock(this->lock); +} + +METHOD(android_creds_t, destroy, void, + private_android_creds_t *this) +{ + clear(this); + this->certs->destroy(this->certs); + this->lock->destroy(this->lock); + free(this); +} + +/** + * Described in header. + */ +android_creds_t *android_creds_create() +{ + private_android_creds_t *this; + + INIT(this, + .public = { + .set = { + .create_cert_enumerator = _create_cert_enumerator, + .create_shared_enumerator = _create_shared_enumerator, + .create_private_enumerator = (void*)return_null, + .create_cdp_enumerator = (void*)return_null, + .cache_cert = (void*)nop, + }, + .add_certificate = _add_certificate, + .set_username_password = _set_username_password, + .clear = _clear, + .destroy = _destroy, + }, + .certs = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libcharon/plugins/android/android_creds.h b/src/libcharon/plugins/android/android_creds.h new file mode 100644 index 000000000..0f7b8e0ea --- /dev/null +++ b/src/libcharon/plugins/android/android_creds.h 
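Review bot: In add_certificate, under KEYSTORE_MESSAGE_SIZE the return of keystore_get() is assigned directly to chunk.len, an unsigned size_t, so a negative failure return (the int-returning interface appears to signal errors that way) becomes a huge length that passes the `chunk.len > 0` test and is handed to the PEM builder; read it into a signed temporary first, `int len = keystore_get(name, strlen(name), value); if (len > 0) { chunk = chunk_create(value, len); ... }`. Separately, set_username_password and clear() release the plaintext password with a bare free(), so the secret lingers in freed heap memory; overwrite it before free() in a way the compiler cannot elide, and the same applies to the key chunk that shared_destroy releases through shared_key_t. The NULL check on `id` in set_username_password is absent, which is fine only as long as the caller in android_service.c keeps passing a non-NULL identity; a one-line `DESTROY_IF`-style guard would make the helper self-contained.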
@@ -0,0 +1,73 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android_creds android_creds + * @{ @ingroup android + */ + +#ifndef ANDROID_CREDS_H_ +#define ANDROID_CREDS_H_ + +#include + +typedef struct android_creds_t android_creds_t; + +/** + * Android credentials helper. + */ +struct android_creds_t { + + /** + * Implements credential_set_t + */ + credential_set_t set; + + /** + * Add a trusted CA certificate from the Android keystore to serve by + * this set. + * + * @param name name/ID of the certificate in the keystore + * @return FALSE if the certificate does not exist or is invalid + */ + bool (*add_certificate)(android_creds_t *this, char *name); + + /** + * Set the username and password for authentication. + * + * @param id ID of the user + * @param password password to use for authentication + */ + void (*set_username_password)(android_creds_t *this, identification_t *id, + char *password); + + /** + * Clear the stored credentials. + */ + void (*clear)(android_creds_t *this); + + /** + * Destroy a android_creds instance. + */ + void (*destroy)(android_creds_t *this); + +}; + +/** + * Create an android_creds instance. + */ +android_creds_t *android_creds_create(); + +#endif /** ANDROID_CREDS_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_handler.c b/src/libcharon/plugins/android/android_handler.c index a475eeaab..ec3ff7a51 100644 
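Review bot: The doc comment on set_username_password should state the ownership rules the implementation follows: `id` is cloned by the callee, so the caller keeps ownership, and `password` may be NULL (the implementation does `password ? strdup(password) : NULL`), e.g. `@param id ID of the user, cloned by this object` and `@param password password to use, NULL to clear the stored one (copied)`. As a style point, `android_creds_t *android_creds_create();` declares an unprototyped function in C; write `android_creds_t *android_creds_create(void);` and do the same in the other new headers.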
--- a/src/libcharon/plugins/android/android_handler.c +++ b/src/libcharon/plugins/android/android_handler.c @@ -75,7 +75,7 @@ host_t *get_dns_server(int index) host_t *dns = NULL; char key[10], value[PROPERTY_VALUE_MAX]; - if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key)) + if (snprintf(key, sizeof(key), "vpn.dns%d", index) >= sizeof(key)) { return NULL; } @@ -94,7 +94,7 @@ bool set_dns_server(int index, host_t *dns) { char key[10], value[PROPERTY_VALUE_MAX]; - if (snprintf(key, sizeof(key), "net.dns%d", index) >= sizeof(key)) + if (snprintf(key, sizeof(key), "vpn.dns%d", index) >= sizeof(key)) { return FALSE; } diff --git a/src/libcharon/plugins/android/android_logger.c b/src/libcharon/plugins/android/android_logger.c new file mode 100644 index 000000000..43c56e656 --- /dev/null +++ b/src/libcharon/plugins/android/android_logger.c 
@@ -0,0 +1,96 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "android_logger.h" + +#include +#include + +typedef struct private_android_logger_t private_android_logger_t; + +/** + * Private data of an android_logger_t object + */ +struct private_android_logger_t { + + /** + * Public interface + */ + android_logger_t public; + + /** + * logging level + */ + int level; + +}; + + +METHOD(listener_t, log_, bool, + private_android_logger_t *this, debug_t group, level_t level, + int thread, ike_sa_t* ike_sa, char *format, va_list args) +{ + if (level <= this->level) + { + char sgroup[16], buffer[8192]; + char *current = buffer, *next; + snprintf(sgroup, sizeof(sgroup), "%N", debug_names, group); + vsnprintf(buffer, sizeof(buffer), format, args); + while (current) + { /* log each line seperately */ + next = strchr(current, '\n'); + if (next) + { + *(next++) = '\0'; + } + __android_log_print(ANDROID_LOG_INFO, "charon", "%.2d[%s] %s\n", + thread, sgroup, current); + current = next; + } + } + /* always stay registered */ + return TRUE; +} + +METHOD(android_logger_t, destroy, void, + private_android_logger_t *this) +{ + free(this); +} + +/** + * Described in header. 
+ */ +android_logger_t *android_logger_create() +{ + private_android_logger_t *this; + + INIT(this, + .public = { + .listener = { + .log = _log_, + }, + .destroy = _destroy, + }, + .level = lib->settings->get_int(lib->settings, + "charon.plugins.android.loglevel", 1), + ); + + return &this->public; +} + diff --git a/src/libcharon/plugins/android/android_logger.h b/src/libcharon/plugins/android/android_logger.h new file mode 100644 index 000000000..c6fe5aff3 --- /dev/null +++ b/src/libcharon/plugins/android/android_logger.h @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android_logger android_logger + * @{ @ingroup android + */ + +#ifndef ANDROID_LOGGER_H_ +#define ANDROID_LOGGER_H_ + +#include + +typedef struct android_logger_t android_logger_t; + +/** + * Android specific logger. + */ +struct android_logger_t { + + /** + * Implements bus_listener_t interface + */ + listener_t listener; + + /** + * Destroy the logger. + */ + void (*destroy)(android_logger_t *this); + +}; + +/** + * Create an Android specific logger instance. + * + * @return logger instance + */ +android_logger_t *android_logger_create(); + +#endif /** ANDROID_LOGGER_H_ @}*/ diff --git a/src/libcharon/plugins/android/android_plugin.c b/src/libcharon/plugins/android/android_plugin.c index 9a558f53b..e2c8572ef 100644 --- a/src/libcharon/plugins/android/android_plugin.c 
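Review bot: In log_, the line-splitting loop logs a spurious empty line whenever the formatted message ends in '\n', because after `*(next++) = '\0'` the loop continues with `next` pointing at the terminating NUL; after the split add `if (!*next) next = NULL;` so a trailing newline ends the loop. The `level` argument is compared against the configured threshold but then dropped, so every message goes to logcat as ANDROID_LOG_INFO; mapping low levels to ANDROID_LOG_INFO and higher ones to ANDROID_LOG_DEBUG would let logcat filtering reflect the daemon's own verbosity. The comment `/* log each line seperately */` should read "separately".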
+++ b/src/libcharon/plugins/android/android_plugin.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2010 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -14,7 +15,10 @@ */ #include "android_plugin.h" +#include "android_logger.h" #include "android_handler.h" +#include "android_creds.h" +#include "android_service.h" #include #include @@ -31,17 +35,39 @@ struct private_android_plugin_t { */ android_plugin_t public; + /** + * Android specific logger + */ + android_logger_t *logger; + /** * Android specific DNS handler */ android_handler_t *handler; + + /** + * Android specific credential set + */ + android_creds_t *creds; + + /** + * Service that interacts with the Android Settings frontend + */ + android_service_t *service; + }; METHOD(plugin_t, destroy, void, - private_android_plugin_t *this) + private_android_plugin_t *this) { - hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); + hydra->attributes->remove_handler(hydra->attributes, + &this->handler->handler); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + charon->bus->remove_listener(charon->bus, &this->logger->listener); + this->creds->destroy(this->creds); this->handler->destroy(this->handler); + this->logger->destroy(this->logger); + DESTROY_IF(this->service); free(this); } @@ -56,11 +82,22 @@ plugin_t *android_plugin_create() .public.plugin = { .destroy = _destroy, }, + .logger = android_logger_create(), .handler = android_handler_create(), + .creds = android_creds_create(), ); + charon->bus->add_listener(charon->bus, &this->logger->listener); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); + this->service = android_service_create(this->creds); + if (!this->service) + { + destroy(this); + return NULL; + } + return &this->public.plugin; } 
diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c new file mode 100644 index 000000000..538c4a9a2 --- /dev/null +++ b/src/libcharon/plugins/android/android_service.c 
@@ -0,0 +1,385 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include +#include +#include + +#include "android_service.h" + +#include +#include +#include + +typedef struct private_android_service_t private_android_service_t; + +/** + * private data of Android service + */ +struct private_android_service_t { + + /** + * public interface + */ + android_service_t public; + + /** + * current IKE_SA + */ + ike_sa_t *ike_sa; + + /** + * job that handles requests from the Android control socket + */ + callback_job_t *job; + + /** + * android credentials + */ + android_creds_t *creds; + + /** + * android control socket + */ + int control; + +}; + +/** + * Some of the error codes defined in VpnManager.java + */ +typedef enum { + /** Error code to indicate an error from authentication. */ + VPN_ERROR_AUTH = 51, + /** Error code to indicate the connection attempt failed. */ + VPN_ERROR_CONNECTION_FAILED = 101, + /** Error code to indicate an error of remote server hanging up. */ + VPN_ERROR_REMOTE_HUNG_UP = 7, + /** Error code to indicate an error of losing connectivity. 
*/ + VPN_ERROR_CONNECTION_LOST = 103, +} android_vpn_errors_t; + +/** + * send a status code back to the Android app + */ +static void send_status(private_android_service_t *this, u_char code) +{ + DBG1(DBG_CFG, "status of Android plugin changed: %d", code); + send(this->control, &code, 1, 0); +} + +METHOD(listener_t, ike_updown, bool, + private_android_service_t *this, ike_sa_t *ike_sa, bool up) +{ + /* this callback is only registered during initiation, so if the IKE_SA + * goes down we assume an authentication error */ + if (this->ike_sa == ike_sa && !up) + { + send_status(this, VPN_ERROR_AUTH); + return FALSE; + } + return TRUE; +} + +METHOD(listener_t, child_state_change, bool, + private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + child_sa_state_t state) +{ + /* this callback is only registered during initiation, so we still have + * the control socket open */ + if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + { + send_status(this, VPN_ERROR_CONNECTION_FAILED); + return FALSE; + } + return TRUE; +} + +/** + * Callback used to shutdown the daemon + */ +static job_requeue_t shutdown_callback(void *data) +{ + kill(0, SIGTERM); + return JOB_REQUEUE_NONE; +} + +METHOD(listener_t, child_updown, bool, + private_android_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (this->ike_sa == ike_sa) + { + if (up) + { + /* disable the hooks registered to catch initiation failures */ + this->public.listener.ike_updown = NULL; + this->public.listener.child_state_change = NULL; + property_set("vpn.status", "ok"); + } + else + { + callback_job_t *job; + /* the control socket is closed as soon as vpn.status is set to "ok" + * and the daemon proxy then only checks for terminated daemons to + * detect lost connections, so... */ + DBG1(DBG_CFG, "connection lost, raising delayed SIGTERM"); + /* to avoid any conflicts we send the SIGTERM not directly from this + * callback, but from a different thread. 
we also delay it to avoid + * a race condition during a regular shutdown */ + job = callback_job_create(shutdown_callback, NULL, NULL, NULL); + charon->scheduler->schedule_job(charon->scheduler, (job_t*)job, 1); + return FALSE; + } + } + return TRUE; +} + +METHOD(listener_t, ike_rekey, bool, + private_android_service_t *this, ike_sa_t *old, ike_sa_t *new) +{ + if (this->ike_sa == old) + { + this->ike_sa = new; + } + return TRUE; +} + +/** + * Read a string argument from the Android control socket + */ +static char *read_argument(int fd, u_char length) +{ + int offset = 0; + char *data = malloc(length + 1); + while (offset < length) + { + int n = recv(fd, &data[offset], length - offset, 0); + if (n < 0) + { + DBG1(DBG_CFG, "failed to read argument from Android" + " control socket: %s", strerror(errno)); + free(data); + return NULL; + } + offset += n; + } + data[length] = '\0'; + DBG3(DBG_CFG, "received argument from Android control socket: %s", data); + return data; +} + +/** + * handle the request received from the Android control socket + */ +static job_requeue_t initiate(private_android_service_t *this) +{ + bool oldstate; + int fd, i = 0; + char *hostname = NULL, *cacert = NULL, *username = NULL, *password = NULL; + identification_t *gateway = NULL, *user = NULL; + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + traffic_selector_t *ts; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + lifetime_cfg_t lifetime = { + .time = { + .life = 10800, /* 3h */ + .rekey = 10200, /* 2h50min */ + .jitter = 300 /* 5min */ + } + }; + + fd = accept(this->control, NULL, 0); + if (fd < 0) + { + DBG1(DBG_CFG, "accept on Android control socket failed: %s", + strerror(errno)); + return JOB_REQUEUE_NONE; + } + /* the original control socket is not used anymore */ + close(this->control); + this->control = fd; + + while (TRUE) + { + u_char length; + if (recv(fd, &length, 1, 0) != 1) + { + DBG1(DBG_CFG, "failed to read from Android control socket: %s", + strerror(errno)); 
+ return JOB_REQUEUE_NONE; + } + + if (length == 0xFF) + { /* last argument */ + break; + } + else + { + switch (i++) + { + case 0: /* gateway */ + hostname = read_argument(fd, length); + break; + case 1: /* CA certificate name */ + cacert = read_argument(fd, length); + break; + case 2: /* username */ + username = read_argument(fd, length); + break; + case 3: /* password */ + password = read_argument(fd, length); + break; + } + } + } + + if (cacert) + { + if (!this->creds->add_certificate(this->creds, cacert)) + { + DBG1(DBG_CFG, "failed to load CA certificate"); + } + /* if this is a server cert we could use the cert subject as id + * but we have to test first if that possible to configure */ + } + + gateway = identification_create_from_string(hostname); + DBG1(DBG_CFG, "using CA certificate, gateway identitiy '%Y'", gateway); + + if (username) + { + user = identification_create_from_string(username); + this->creds->set_username_password(this->creds, user, password); + } + + ike_cfg = ike_cfg_create(TRUE, FALSE, "0.0.0.0", IKEV2_UDP_PORT, + hostname, IKEV2_UDP_PORT); + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + + peer_cfg = peer_cfg_create("android", 2, ike_cfg, CERT_SEND_IF_ASKED, + UNIQUE_REPLACE, 1, /* keyingtries */ + 36000, 0, /* rekey 10h, reauth none */ + 600, 600, /* jitter, over 10min */ + TRUE, 0, /* mobike, DPD */ + host_create_from_string("0.0.0.0", 0) /* virt */, + NULL, FALSE, NULL, NULL); /* pool, mediation */ + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_EAP); + auth->add(auth, AUTH_RULE_IDENTITY, user); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + auth->add(auth, AUTH_RULE_IDENTITY, gateway); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); + 
child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + ts = traffic_selector_create_from_string(0, TS_IPV4_ADDR_RANGE, "0.0.0.0", + 0, "255.255.255.255", 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + /* get an additional reference because initiate consumes one */ + child_cfg->get_ref(child_cfg); + + /* get us an IKE_SA */ + ike_sa = charon->ike_sa_manager->checkout_by_config(charon->ike_sa_manager, + peer_cfg); + if (!ike_sa->get_peer_cfg(ike_sa)) + { + ike_sa->set_peer_cfg(ike_sa, peer_cfg); + } + peer_cfg->destroy(peer_cfg); + + /* store the IKE_SA so we can track its progress */ + this->ike_sa = ike_sa; + + /* confirm that we received the request */ + send_status(this, i); + + if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) + { + DBG1(DBG_CFG, "failed to initiate tunnel"); + charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, + ike_sa); + send_status(this, VPN_ERROR_CONNECTION_FAILED); + return JOB_REQUEUE_NONE; + } + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + return JOB_REQUEUE_NONE; +} + +METHOD(android_service_t, destroy, void, + private_android_service_t *this) +{ + charon->bus->remove_listener(charon->bus, &this->public.listener); + close(this->control); + free(this); +} + +/** + * See header + */ +android_service_t *android_service_create(android_creds_t *creds) +{ + private_android_service_t *this; + + INIT(this, + .public = { + .listener = { + .ike_updown = _ike_updown, + .child_state_change = _child_state_change, + .child_updown = _child_updown, + .ike_rekey = _ike_rekey, + }, + .destroy = _destroy, + }, + .creds = creds, + ); + + this->control = android_get_control_socket("charon"); + if (this->control == -1) + { + DBG1(DBG_CFG, "failed to get Android control socket"); + free(this); + return NULL; + } 
+ + if (listen(this->control, 1) < 0) + { + DBG1(DBG_CFG, "failed to listen on Android control socket: %s", + strerror(errno)); + close(this->control); + free(this); + return NULL; + } + + charon->bus->add_listener(charon->bus, &this->public.listener); + this->job = callback_job_create((callback_job_cb_t)initiate, this, + NULL, NULL); + charon->processor->queue_job(charon->processor, (job_t*)this->job); + + return &this->public; +} + diff --git a/src/libcharon/plugins/android/android_service.h b/src/libcharon/plugins/android/android_service.h new file mode 100644 index 000000000..d096d6cd5 --- /dev/null +++ b/src/libcharon/plugins/android/android_service.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup android_service android_service + * @{ @ingroup android + */ + +#ifndef ANDROID_SERVICE_H_ +#define ANDROID_SERVICE_H_ + +typedef struct android_service_t android_service_t; + +#include + +#include "android_creds.h" + +/** + * Service that interacts with the Android Settings frontend. + */ +struct android_service_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a android_service_t. + */ + void (*destroy)(android_service_t *this); + +}; + +/** + * Create an Android service instance. + * + * @param creds Android credentials + */ +android_service_t *android_service_create(android_creds_t *creds); + +#endif /** ANDROID_SERVICE_H_ @}*/ 
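Review bot: read_argument spins forever if the Android side closes the control socket mid-argument, because recv() then returns 0, `offset` never advances and only `n < 0` is treated as failure; change the test to `if (n <= 0)` (and report "connection closed" rather than strerror(errno) for the 0 case). In initiate, `hostname` and `user` are dereferenced unconditionally by identification_create_from_string(), ike_cfg_create() and the AUTH_RULE_IDENTITY rule, yet they stay NULL when the app sends the 0xFF terminator before all four arguments or when read_argument fails, so after the loop add `if (!hostname || !username) { DBG1(DBG_CFG, "incomplete request on Android control socket"); return JOB_REQUEUE_NONE; }`. The `switch (i++)` has no default, so bytes of a fifth argument are left in the stream and are later consumed as a length byte; read and discard them (or reject the request). The four argument strings are never freed, and the plaintext `password` in particular should be wiped before release; send_status also ignores the return of send(), which at least deserves a DBG1 so a vanished frontend is visible in the log.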
diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index 7606b963c..b34654fb7 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/dhcp/dhcp_provider.c b/src/libcharon/plugins/dhcp/dhcp_provider.c index dbcceb6ce..a6a887780 100644 --- a/src/libcharon/plugins/dhcp/dhcp_provider.c +++ b/src/libcharon/plugins/dhcp/dhcp_provider.c @@ -129,7 +129,8 @@ METHOD(attribute_provider_t, release_address, bool, } METHOD(attribute_provider_t, create_attribute_enumerator, enumerator_t*, - private_dhcp_provider_t *this, identification_t *id, host_t *vip) + private_dhcp_provider_t *this, char *pool, identification_t *id, + host_t *vip) { dhcp_transaction_t *transaction; diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in index 1cea81a9b..14bf3f15d 100644 --- a/src/libcharon/plugins/eap_aka/Makefile.in +++ b/src/libcharon/plugins/eap_aka/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_aka/eap_aka_peer.c b/src/libcharon/plugins/eap_aka/eap_aka_peer.c index 26546809d..dfcc69710 100644 --- a/src/libcharon/plugins/eap_aka/eap_aka_peer.c +++ b/src/libcharon/plugins/eap_aka/eap_aka_peer.c @@ -421,7 +421,6 @@ static status_t process_notification(private_eap_aka_peer_t *this, /* test success bit */ if (!(data.ptr[0] & 0x80)) { - success = FALSE; DBG1(DBG_IKE, "received EAP-AKA notification error '%N'", simaka_notification_names, code); } 
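Review bot: The eap_aka_peer.c hunk (`@@ -421,7 +421,6 @@`) removes `success = FALSE;` from the branch that handles a notification whose success bit is clear, while the error is still only logged; if `success` is still evaluated after this hunk, an error notification no longer changes the outcome of process_notification, and if the variable was dropped as unused that should be stated in the commit message. The rest of process_notification lies outside the hunk, so this is inferred from the context lines only. The dhcp_provider.c hunk adds a `pool` parameter to create_attribute_enumerator whose body continues outside the hunk; if the pool is not consulted there yet, a short comment noting that the DHCP provider ignores it would save the next reader a search.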
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index d0b0f5601..b41b59616 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c index 9817fff8f..a9767ad91 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c +++ b/src/libcharon/plugins/eap_aka_3gpp2/eap_aka_3gpp2_provider.c @@ -52,8 +52,7 @@ bool eap_aka_3gpp2_get_k(identification_t *id, char k[AKA_K_LEN]) shared_key_t *shared; chunk_t key; - shared = charon->credentials->get_shared(charon->credentials, - SHARED_EAP, id, NULL); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); if (shared == NULL) { return FALSE; diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 110e1528b..57952f621 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_gtc/eap_gtc.c b/src/libcharon/plugins/eap_gtc/eap_gtc.c index c7f55fa70..f641ad13a 100644 --- a/src/libcharon/plugins/eap_gtc/eap_gtc.c +++ b/src/libcharon/plugins/eap_gtc/eap_gtc.c 
@@ -168,8 +168,8 @@ static status_t process_peer(private_eap_gtc_t *this, chunk_t key; size_t len; - shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, - this->peer, this->server); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, + this->peer, this->server); if (shared == NULL) { DBG1(DBG_IKE, "no EAP key found for '%Y' - '%Y'", diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index bbb987dd6..d78957438 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 943811604..5bfc59fa4 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_md5/eap_md5.c b/src/libcharon/plugins/eap_md5/eap_md5.c index 0eda8f755..3554ae12e 100644 --- a/src/libcharon/plugins/eap_md5/eap_md5.c +++ b/src/libcharon/plugins/eap_md5/eap_md5.c @@ -85,8 +85,7 @@ static status_t hash_challenge(private_eap_md5_t *this, chunk_t *response, chunk_t concat; hasher_t *hasher; - shared = charon->credentials->get_shared(charon->credentials, SHARED_EAP, - me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other); if (shared == NULL) { DBG1(DBG_IKE, "no EAP key found for hosts '%Y' - '%Y'", me, other); 
diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 2f6c65df4..d61cc9e5d 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c index c1ccf72eb..3cd8d994c 100644 --- a/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c +++ b/src/libcharon/plugins/eap_mschapv2/eap_mschapv2.c @@ -614,8 +614,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, chunk_t password; /* try to find a stored NT_HASH first */ - shared = charon->credentials->get_shared(charon->credentials, - SHARED_NT_HASH, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_NT_HASH, me, other); if (shared ) { *nt_hash = chunk_clone(shared->get_key(shared)); @@ -624,8 +623,7 @@ static bool get_nt_hash(private_eap_mschapv2_t *this, identification_t *me, } /* fallback to plaintext password */ - shared = charon->credentials->get_shared(charon->credentials, - SHARED_EAP, me, other); + shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, me, other); if (shared) { password = ascii_to_unicode(shared->get_key(shared)); @@ -820,7 +818,7 @@ static status_t process_peer_failure(private_eap_mschapv2_t *this, eap_mschapv2_header_t *eap; chunk_t data; char *message, *token, *msg = NULL; - int message_len, error, retryable; + int message_len, error = 0, retryable; chunk_t challenge = chunk_empty; data = in->get_data(in); diff --git a/src/libcharon/plugins/eap_radius/Makefile.am b/src/libcharon/plugins/eap_radius/Makefile.am index a3abd4124..afc50bced 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.am 
+++ b/src/libcharon/plugins/eap_radius/Makefile.am @@ -13,6 +13,8 @@ endif libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ + radius_server.h radius_server.c \ + radius_socket.h radius_socket.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 18427adef..bb372d13c 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -75,7 +75,8 @@ am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_eap_radius_la_LIBADD = am_libstrongswan_eap_radius_la_OBJECTS = eap_radius_plugin.lo \ - eap_radius.lo radius_client.lo radius_message.lo + eap_radius.lo radius_server.lo radius_socket.lo \ + radius_client.lo radius_message.lo libstrongswan_eap_radius_la_OBJECTS = \ $(am_libstrongswan_eap_radius_la_OBJECTS) libstrongswan_eap_radius_la_LINK = $(LIBTOOL) --tag=CC \ @@ -267,6 +268,8 @@ AM_CFLAGS = -rdynamic libstrongswan_eap_radius_la_SOURCES = \ eap_radius_plugin.h eap_radius_plugin.c \ eap_radius.h eap_radius.c \ + radius_server.h radius_server.c \ + radius_socket.h radius_socket.c \ radius_client.h radius_client.c \ radius_message.h radius_message.c 
@@ -358,6 +361,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_radius_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_client.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_message.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_server.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radius_socket.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/eap_radius/eap_radius.c b/src/libcharon/plugins/eap_radius/eap_radius.c index f041fda54..65b868bc6 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius.c +++ b/src/libcharon/plugins/eap_radius/eap_radius.c @@ -52,11 +52,6 @@ struct private_eap_radius_t { */ u_int32_t vendor; - /** - * EAP MSK, if method established one - */ - chunk_t msk; - /** * RADIUS client instance */ @@ -71,6 +66,11 @@ struct private_eap_radius_t { * Prefix to prepend to EAP identity */ char *id_prefix; + + /** + * Handle the Class attribute as group membership information? + */ + bool class_group; }; /** @@ -140,10 +140,8 @@ static bool radius2ike(private_eap_radius_t *this, return FALSE; } -/** - * Implementation of eap_method_t.initiate - */ -static status_t initiate(private_eap_radius_t *this, eap_payload_t **out) +METHOD(eap_method_t, initiate, status_t, + private_eap_radius_t *this, eap_payload_t **out) { radius_message_t *request, *response; status_t status = FAILED; 
@@ -177,10 +175,44 @@ static status_t initiate(private_eap_radius_t *this, eap_payload_t **out)
 }
 /**
- * Implementation of eap_method_t.process
+ * Handle the Class attribute as group membership information
 */
-static status_t process(private_eap_radius_t *this,
- eap_payload_t *in, eap_payload_t **out)
+static void process_class(private_eap_radius_t *this, radius_message_t *msg)
+{
+ enumerator_t *enumerator;
+ chunk_t data;
+ int type;
+
+ enumerator = msg->create_enumerator(msg);
+ while (enumerator->enumerate(enumerator, &type, &data))
+ {
+ if (type == RAT_CLASS)
+ {
+ identification_t *id;
+ ike_sa_t *ike_sa;
+ auth_cfg_t *auth;
+
+ if (data.len >= 44)
+ { /* quirk: ignore long class attributes, these are used for
+ * other purposes by some RADIUS servers (such as NPS). */
+ continue;
+ }
+
+ ike_sa = charon->bus->get_sa(charon->bus);
+ if (ike_sa)
+ {
+ auth = ike_sa->get_auth_cfg(ike_sa, FALSE);
+ id = identification_create_from_data(data);
+ DBG1(DBG_CFG, "received group membership '%Y' from RADIUS", id);
+ auth->add(auth, AUTH_RULE_GROUP, id);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+}
+
+METHOD(eap_method_t, process, status_t,
+ private_eap_radius_t *this, eap_payload_t *in, eap_payload_t **out)
 {
 radius_message_t *request, *response;
 status_t status = FAILED;
@@ -211,8 +243,10 @@ static status_t process(private_eap_radius_t *this,
 status = FAILED;
 break;
 case RMC_ACCESS_ACCEPT:
- this->msk = this->client->decrypt_msk(this->client,
- response, request);
+ if (this->class_group)
+ {
+ process_class(this, response);
+ }
 status = SUCCESS;
 break;
 case RMC_ACCESS_REJECT:
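Review bot: The cut-off in `if (data.len >= 44)` inside process_class is a magic number whose rationale lives only in the adjacent comment; naming it, e.g. `#define RADIUS_CLASS_GROUP_MAX_LEN 44` (name constructed here), makes the NPS quirk discoverable from the top of the file. The oversized attribute is also dropped silently, which makes a missing group assignment hard to diagnose; a `DBG2(DBG_CFG, "ignoring %d byte Class attribute", (int)data.len);` in that branch would help operators. `charon->bus->get_sa()` and the auth-cfg lookup are repeated for every Class attribute in the loop and could be hoisted before it, assuming the current IKE_SA does not change while one message is processed (not visible here, verify the bus contract). The `@@ -211` hunk calls process_class only on Access-Accept, so group data from any other response code is never consumed, which is the right placement.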
@@ -228,32 +262,29 @@ static status_t process(private_eap_radius_t *this, return status; } -/** - * Implementation of eap_method_t.get_type. - */ -static eap_type_t get_type(private_eap_radius_t *this, u_int32_t *vendor) +METHOD(eap_method_t, get_type, eap_type_t, + private_eap_radius_t *this, u_int32_t *vendor) { *vendor = this->vendor; return this->type; } -/** - * Implementation of eap_method_t.get_msk. - */ -static status_t get_msk(private_eap_radius_t *this, chunk_t *msk) +METHOD(eap_method_t, get_msk, status_t, + private_eap_radius_t *this, chunk_t *out) { - if (this->msk.ptr) + chunk_t msk; + + msk = this->client->get_msk(this->client); + if (msk.len) { - *msk = this->msk; + *out = msk; return SUCCESS; } return FAILED; } -/** - * Implementation of eap_method_t.is_mutual. - */ -static bool is_mutual(private_eap_radius_t *this) +METHOD(eap_method_t, is_mutual, bool, + private_eap_radius_t *this) { switch (this->type) { @@ -265,15 +296,12 @@ static bool is_mutual(private_eap_radius_t *this) } } -/** - * Implementation of eap_method_t.destroy. - */ -static void destroy(private_eap_radius_t *this) +METHOD(eap_method_t, destroy, void, + private_eap_radius_t *this) { this->peer->destroy(this->peer); this->server->destroy(this->server); this->client->destroy(this->client); - chunk_clear(&this->msk); free(this); } 
@@ -282,15 +310,26 @@ static void destroy(private_eap_radius_t *this) */ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer) { - private_eap_radius_t *this = malloc_thing(private_eap_radius_t); - - this->public.eap_method_interface.initiate = (status_t(*)(eap_method_t*,eap_payload_t**))initiate; - this->public.eap_method_interface.process = (status_t(*)(eap_method_t*,eap_payload_t*,eap_payload_t**))process; - this->public.eap_method_interface.get_type = (eap_type_t(*)(eap_method_t*,u_int32_t*))get_type; - this->public.eap_method_interface.is_mutual = (bool(*)(eap_method_t*))is_mutual; - this->public.eap_method_interface.get_msk = (status_t(*)(eap_method_t*,chunk_t*))get_msk; - this->public.eap_method_interface.destroy = (void(*)(eap_method_t*))destroy; - + private_eap_radius_t *this; + + INIT(this, + .public.eap_method_interface = { + .initiate = _initiate, + .process = _process, + .get_type = _get_type, + .is_mutual = _is_mutual, + .get_msk = _get_msk, + .destroy = _destroy, + }, + /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ + .type = EAP_RADIUS, + .eap_start = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-radius.eap_start", FALSE), + .id_prefix = lib->settings->get_str(lib->settings, + "charon.plugins.eap-radius.id_prefix", ""), + .class_group = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-radius.class_group", FALSE), + ); this->client = radius_client_create(); if (!this->client) { 
@@ -299,14 +338,6 @@ eap_radius_t *eap_radius_create(identification_t *server, identification_t *peer } this->peer = peer->clone(peer); this->server = server->clone(server); - /* initially EAP_RADIUS, but is set to the method selected by RADIUS */ - this->type = EAP_RADIUS; - this->vendor = 0; - this->msk = chunk_empty; - this->eap_start = lib->settings->get_bool(lib->settings, - "charon.plugins.eap-radius.eap_start", FALSE); - this->id_prefix = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.id_prefix", ""); return &this->public; } diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c index 7d2788c3e..91aae2f62 100644 --- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.c +++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.c 
@@ -17,17 +17,130 @@
 #include "eap_radius.h"
 #include "radius_client.h"
+#include "radius_server.h"
 #include
 /**
- * Implementation of plugin_t.destroy
+ * Default RADIUS server port, when not configured
 */
-static void destroy(eap_radius_plugin_t *this)
+#define RADIUS_PORT 1812
+
+typedef struct private_eap_radius_plugin_t private_eap_radius_plugin_t;
+
+/**
+ * Private data of an eap_radius_plugin_t object.
+ */
+struct private_eap_radius_plugin_t {
+
+ /**
+ * Public radius_plugin_t interface.
+ */
+ eap_radius_plugin_t public;
+
+ /**
+ * List of RADIUS servers
+ */
+ linked_list_t *servers;
+};
+
+/**
+ * Instance of the EAP plugin
+ */
+static private_eap_radius_plugin_t *instance = NULL;
+
+METHOD(plugin_t, destroy, void,
+ private_eap_radius_plugin_t *this)
 {
 charon->eap->remove_method(charon->eap, (eap_constructor_t)eap_radius_create);
- radius_client_cleanup();
+ this->servers->destroy_offset(this->servers,
+ offsetof(radius_server_t, destroy));
 free(this);
+ instance = NULL;
+}
+
+/**
+ * Load RADIUS servers from configuration
+ */
+static bool load_servers(private_eap_radius_plugin_t *this)
+{
+ enumerator_t *enumerator;
+ radius_server_t *server;
+ char *nas_identifier, *secret, *address, *section;
+ int port, sockets, preference;
+
+ address = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-radius.server", NULL);
+ if (address)
+ { /* legacy configuration */
+ secret = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-radius.secret", NULL);
+ if (!secret)
+ {
+ DBG1(DBG_CFG, "no RADUIS secret defined");
+ return FALSE;
+ }
+ nas_identifier = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-radius.nas_identifier", "strongSwan");
+ port = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-radius.port", RADIUS_PORT);
+ sockets = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-radius.sockets", 1);
+ server = radius_server_create(address, port, nas_identifier,
+ secret, sockets, 0);
+ if (!server)
+ {
+ DBG1(DBG_CFG, "no RADUIS server defined");
+ return FALSE;
+ }
+ this->servers->insert_last(this->servers, server);
+ return TRUE;
+ }
+
+ enumerator = lib->settings->create_section_enumerator(lib->settings,
+ "charon.plugins.eap-radius.servers");
+ while (enumerator->enumerate(enumerator, §ion))
+ {
+ address = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-radius.servers.%s.address", NULL, section);
+ if (!address)
+ {
+ DBG1(DBG_CFG, "RADIUS server '%s' misses address, skipped", section);
+ continue;
+ }
+ secret = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-radius.servers.%s.secret", NULL, section);
+ if (!secret)
+ {
+ DBG1(DBG_CFG, "RADIUS server '%s' misses secret, skipped", section);
+ continue;
+ }
+ nas_identifier = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-radius.servers.%s.nas_identifier",
+ "strongSwan", section);
+ port = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-radius.servers.%s.port", RADIUS_PORT, section);
+ sockets = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-radius.servers.%s.sockets", 1, section);
+ preference = lib->settings->get_int(lib->settings,
+ "charon.plugins.eap-radius.servers.%s.preference", 0, section);
+ server = radius_server_create(address, port, nas_identifier,
+ secret, sockets, preference);
+ if (!server)
+ {
+ DBG1(DBG_CFG, "loading RADIUS server '%s' failed, skipped", section);
+ continue;
+ }
+ this->servers->insert_last(this->servers, server);
+ }
+ enumerator->destroy(enumerator);
+
+ if (this->servers->get_count(this->servers) == 0)
+ {
+ DBG1(DBG_CFG, "no valid RADIUS server configuration found");
+ return FALSE;
+ }
+ return TRUE;
 }
 /*
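Review bot: Both legacy-path log messages in load_servers misspell RADIUS (`"no RADUIS secret defined"`, `"no RADUIS server defined"`), and the second is misleading: it is emitted when `radius_server_create()` fails for an address that was configured, so an operator will look for a missing setting instead of a bad address or port. Suggest `DBG1(DBG_CFG, "loading legacy RADIUS server '%s' failed", address);` for that branch and fixing the spelling in the first. The sectioned path reports each failure and skips the section, which is consistent, but `port` from `get_int()` is passed on without a 1..65535 range check; if radius_server_create does not validate it (not visible here), rejecting out-of-range values here with a message naming the section would be clearer than a later socket failure.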
@@ -35,20 +148,35 @@ static void destroy(eap_radius_plugin_t *this)
 */
 plugin_t *eap_radius_plugin_create()
 {
- eap_radius_plugin_t *this;
+ private_eap_radius_plugin_t *this;
+
+ INIT(this,
+ .public.plugin.destroy = _destroy,
+ .servers = linked_list_create(),
+ );
- if (!radius_client_init())
+ if (!load_servers(this))
 {
- DBG1(DBG_CFG, "RADIUS plugin initialization failed");
+ destroy(this);
 return NULL;
 }
-
- this = malloc_thing(eap_radius_plugin_t);
- this->plugin.destroy = (void(*)(plugin_t*))destroy;
-
 charon->eap->add_method(charon->eap, EAP_RADIUS, 0, EAP_SERVER, (eap_constructor_t)eap_radius_create);
- return &this->plugin;
+ instance = this;
+
+ return &this->public.plugin;
+}
+
+/**
+ * See header
+ */
+enumerator_t *eap_radius_create_server_enumerator()
+{
+ if (instance)
+ {
+ return instance->servers->create_enumerator(instance->servers);
+ }
+ return enumerator_create_empty();
 }
diff --git a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
index f2b8b5082..cb724364a 100644
--- a/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
+++ b/src/libcharon/plugins/eap_radius/eap_radius_plugin.h
@@ -25,6 +25,7 @@
 #define EAP_RADIUS_PLUGIN_H_
 #include
+#include
 typedef struct eap_radius_plugin_t eap_radius_plugin_t;
@@ -42,4 +43,11 @@ struct eap_radius_plugin_t {
 plugin_t plugin;
 };
+/**
+ * Create an enumerator over all loaded RADIUS servers.
+ *
+ * @return enumerator over radius_server_t
+ */
+enumerator_t *eap_radius_create_server_enumerator();
+
 #endif /** EAP_RADIUS_PLUGIN_H_ @}*/
diff --git a/src/libcharon/plugins/eap_radius/radius_client.c b/src/libcharon/plugins/eap_radius/radius_client.c
index 1d1f21742..232b9135e 100644
--- a/src/libcharon/plugins/eap_radius/radius_client.c
+++ b/src/libcharon/plugins/eap_radius/radius_client.c
@@ -15,6 +15,9 @@
 #include "radius_client.h"
+#include "eap_radius_plugin.h"
+#include "radius_server.h"
+
 #include
 #include
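Review bot: On the load_servers failure path eap_radius_plugin_create calls `destroy(this)`, which runs `charon->eap->remove_method()` for a constructor that has not been registered yet (add_method is only reached after the check); whether that is a harmless no-op depends on eap_manager, which is not visible here, and it also relies on `instance` still being NULL. A dedicated teardown avoids the question: `this->servers->destroy_offset(this->servers, offsetof(radius_server_t, destroy)); free(this); return NULL;`. Both `eap_radius_plugin_create()` and the new `eap_radius_create_server_enumerator()` (also in the eap_radius_plugin.h hunk) are declared with empty parentheses, which in C is an unprototyped declaration; `(void)` is the idiomatic form. The enumerator reads the file-static `instance` without synchronisation, which is acceptable only as long as the server list is immutable after load, as it appears to be here.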
@@ -24,42 +27,8 @@ #include #include -/** - * Default RADIUS server port, when not configured - */ -#define RADIUS_PORT 1812 - -/** - * Vendor-Id of Microsoft specific attributes - */ -#define VENDOR_ID_MICROSOFT 311 - -/** - * Microsoft specific vendor attributes - */ -#define MS_MPPE_SEND_KEY 16 -#define MS_MPPE_RECV_KEY 17 - typedef struct private_radius_client_t private_radius_client_t; -typedef struct entry_t entry_t; - -/** - * A socket pool entry. - */ -struct entry_t { - /** socket file descriptor */ - int fd; - /** current RADIUS identifier */ - u_int8_t identifier; - /** hasher to use for response verification */ - hasher_t *hasher; - /** HMAC-MD5 signer to build Message-Authenticator attribute */ - signer_t *signer; - /** random number generator for RADIUS request authenticator */ - rng_t *rng; -}; - /** * Private data of an radius_client_t object. */ 
@@ -70,171 +39,21 @@ struct private_radius_client_t { */ radius_client_t public; + /** + * Selected RADIUS server + */ + radius_server_t *server; + /** * RADIUS servers State attribute */ chunk_t state; -}; -/** - * Global list of radius sockets, contains entry_t's - */ -static linked_list_t *sockets; - -/** - * mutex to lock sockets list - */ -static mutex_t *mutex; - -/** - * condvar to wait for sockets - */ -static condvar_t *condvar; - -/** - * RADIUS secret - */ -static chunk_t secret; - -/** - * NAS-Identifier - */ -static chunk_t nas_identifier; - -/** - * Clean up socket list - */ -void radius_client_cleanup() -{ - entry_t *entry; - - mutex->destroy(mutex); - condvar->destroy(condvar); - while (sockets->remove_last(sockets, (void**)&entry) == SUCCESS) - { - entry->rng->destroy(entry->rng); - entry->hasher->destroy(entry->hasher); - entry->signer->destroy(entry->signer); - close(entry->fd); - free(entry); - } - sockets->destroy(sockets); -} - -/** - * Initialize the socket list - */ -bool radius_client_init() -{ - int i, count, fd; - u_int16_t port; - entry_t *entry; - host_t *host; - char *server; - - nas_identifier.ptr = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.nas_identifier", "strongSwan"); - nas_identifier.len = strlen(nas_identifier.ptr); - - secret.ptr = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.secret", NULL); - if (!secret.ptr) - { - DBG1(DBG_CFG, "no RADUIS secret defined"); - return FALSE; - } - secret.len = strlen(secret.ptr); - server = lib->settings->get_str(lib->settings, - "charon.plugins.eap-radius.server", NULL); - if (!server) - { - DBG1(DBG_CFG, "no RADUIS server defined"); - return FALSE; - } - port = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.port", RADIUS_PORT); - host = host_create_from_dns(server, 0, port); - if (!host) - { - return FALSE; - } - count = lib->settings->get_int(lib->settings, - "charon.plugins.eap-radius.sockets", 1); - - sockets = 
linked_list_create(); - mutex = mutex_create(MUTEX_TYPE_DEFAULT); - condvar = condvar_create(CONDVAR_TYPE_DEFAULT); - for (i = 0; i < count; i++) - { - fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); - if (fd < 0) - { - DBG1(DBG_CFG, "opening RADIUS socket failed"); - host->destroy(host); - radius_client_cleanup(); - return FALSE; - } - if (connect(fd, host->get_sockaddr(host), - *host->get_sockaddr_len(host)) < 0) - { - DBG1(DBG_CFG, "connecting RADIUS socket failed"); - host->destroy(host); - radius_client_cleanup(); - return FALSE; - } - entry = malloc_thing(entry_t); - entry->fd = fd; - /* we use per-socket crypto elements: this reduces overhead, but - * is still thread-save. */ - entry->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - entry->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128); - entry->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); - if (!entry->hasher || !entry->signer || !entry->rng) - { - DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required"); - DESTROY_IF(entry->hasher); - DESTROY_IF(entry->signer); - DESTROY_IF(entry->rng); - free(entry); - host->destroy(host); - radius_client_cleanup(); - return FALSE; - } - entry->signer->set_key(entry->signer, secret); - /* we use a random identifier, helps if we restart often (testing) */ - entry->identifier = random(); - sockets->insert_last(sockets, entry); - } - host->destroy(host); - return TRUE; -} - -/** - * Get a socket from the pool, block if none available - */ -static entry_t* get_socket() -{ - entry_t *entry; - - mutex->lock(mutex); - while (sockets->remove_first(sockets, (void**)&entry) != SUCCESS) - { - condvar->wait(condvar, mutex); - } - mutex->unlock(mutex); - return entry; -} - -/** - * Release a socket to the pool - */ -static void put_socket(entry_t *entry) -{ - mutex->lock(mutex); - sockets->insert_last(sockets, entry); - mutex->unlock(mutex); - condvar->signal(condvar); -} + /** + * EAP MSK, from MPPE keys + */ + 
chunk_t msk; +}; /** * Save the state attribute to include in further request 
@@ -261,234 +80,103 @@ static void save_state(private_radius_client_t *this, radius_message_t *msg) chunk_free(&this->state); } -/** - * Implementation of radius_client_t.request - */ -static radius_message_t* request(private_radius_client_t *this, - radius_message_t *req) +METHOD(radius_client_t, request, radius_message_t*, + private_radius_client_t *this, radius_message_t *req) { char virtual[] = {0x00,0x00,0x00,0x05}; - entry_t *socket; - chunk_t data; - int i; + radius_socket_t *socket; + radius_message_t *res; - socket = get_socket(); - - /* set Message Identifier */ - req->set_identifier(req, socket->identifier++); /* we add the "Virtual" NAS-Port-Type, as we SHOULD include one */ req->add(req, RAT_NAS_PORT_TYPE, chunk_create(virtual, sizeof(virtual))); /* add our NAS-Identifier */ - req->add(req, RAT_NAS_IDENTIFIER, nas_identifier); + req->add(req, RAT_NAS_IDENTIFIER, + this->server->get_nas_identifier(this->server)); /* add State attribute, if server sent one */ if (this->state.ptr) { req->add(req, RAT_STATE, this->state); } - /* sign the request */ - req->sign(req, socket->rng, socket->signer); - - data = req->get_encoding(req); - /* timeout after 2, 3, 4, 5 seconds */ - for (i = 2; i <= 5; i++) + socket = this->server->get_socket(this->server); + DBG1(DBG_CFG, "sending RADIUS %N to %#H", radius_message_code_names, + req->get_code(req), this->server->get_address(this->server)); + res = socket->request(socket, req); + if (res) { - radius_message_t *response; - bool retransmit = FALSE; - struct timeval tv; - char buf[4096]; - fd_set fds; - int res; - - if (send(socket->fd, data.ptr, data.len, 0) != data.len) - { - DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); - put_socket(socket); - return NULL; - } - tv.tv_sec = i; - tv.tv_usec = 0; - - while (TRUE) + DBG1(DBG_CFG, "received RADIUS %N from %#H", radius_message_code_names, + res->get_code(res), this->server->get_address(this->server)); + save_state(this, res); + if (res->get_code(res) 
== RMC_ACCESS_ACCEPT) { - FD_ZERO(&fds); - FD_SET(socket->fd, &fds); - res = select(socket->fd + 1, &fds, NULL, NULL, &tv); - /* TODO: updated tv to time not waited. Linux does this for us. */ - if (res < 0) - { /* failed */ - DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", - strerror(errno)); - break; - } - if (res == 0) - { /* timeout */ - DBG1(DBG_CFG, "retransmitting RADIUS message"); - retransmit = TRUE; - break; - } - res = recv(socket->fd, buf, sizeof(buf), MSG_DONTWAIT); - if (res <= 0) - { - DBG1(DBG_CFG, "receiving RADIUS message failed: %s", - strerror(errno)); - break; - } - response = radius_message_parse_response(chunk_create(buf, res)); - if (response) - { - if (response->verify(response, req->get_authenticator(req), - secret, socket->hasher, socket->signer)) - { - save_state(this, response); - put_socket(socket); - return response; - } - response->destroy(response); - } - DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); - } - if (!retransmit) - { - break; + chunk_clear(&this->msk); + this->msk = socket->decrypt_msk(socket, req, res); } + this->server->put_socket(this->server, socket, TRUE); + return res; } - DBG1(DBG_CFG, "RADIUS server is not responding"); - put_socket(socket); + this->server->put_socket(this->server, socket, FALSE); charon->bus->alert(charon->bus, ALERT_RADIUS_NOT_RESPONDING); return NULL; } -/** - * Decrypt a MS-MPPE-Send/Recv-Key - */ -static chunk_t decrypt_mppe_key(private_radius_client_t *this, u_int16_t salt, - chunk_t C, radius_message_t *request) +METHOD(radius_client_t, get_msk, chunk_t, + private_radius_client_t *this) { - chunk_t A, R, P, seed; - u_char *c, *p; - hasher_t *hasher; - - /** - * From RFC2548 (encryption): - * b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) - * b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) - * . . . 
- * b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) - */ - - if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5) - { - return chunk_empty; - } - - hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); - if (!hasher) - { - return chunk_empty; - } - - A = chunk_create((u_char*)&salt, sizeof(salt)); - R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5); - P = chunk_alloca(C.len); - p = P.ptr; - c = C.ptr; - - seed = chunk_cata("cc", R, A); - - while (c < C.ptr + C.len) - { - /* b(i) = MD5(S + c(i-1)) */ - hasher->get_hash(hasher, secret, NULL); - hasher->get_hash(hasher, seed, p); - - /* p(i) = b(i) xor c(1) */ - memxor(p, c, HASH_SIZE_MD5); - - /* prepare next round */ - seed = chunk_create(c, HASH_SIZE_MD5); - c += HASH_SIZE_MD5; - p += HASH_SIZE_MD5; - } - hasher->destroy(hasher); + return this->msk; +} - /* remove truncation, first byte is key length */ - if (*P.ptr >= P.len) - { /* decryption failed? */ - return chunk_empty; - } - return chunk_clone(chunk_create(P.ptr + 1, *P.ptr)); +METHOD(radius_client_t, destroy, void, + private_radius_client_t *this) +{ + chunk_clear(&this->msk); + free(this->state.ptr); + free(this); } /** - * Implementation of radius_client_t.decrypt_msk + * See header */ -static chunk_t decrypt_msk(private_radius_client_t *this, - radius_message_t *response, radius_message_t *request) +radius_client_t *radius_client_create() { - struct { - u_int32_t id; - u_int8_t type; - u_int8_t length; - u_int16_t salt; - u_int8_t key[]; - } __attribute__((packed)) *mppe_key; + private_radius_client_t *this; enumerator_t *enumerator; - chunk_t data, send = chunk_empty, recv = chunk_empty; - int type; - - enumerator = response->create_enumerator(response); - while (enumerator->enumerate(enumerator, &type, &data)) + radius_server_t *server; + int current, best = -1; + + INIT(this, + .public = { + .request = _request, + .get_msk = _get_msk, + .destroy = _destroy, + }, + ); + + enumerator = 
eap_radius_create_server_enumerator(); + while (enumerator->enumerate(enumerator, &server)) { - if (type == RAT_VENDOR_SPECIFIC && - data.len > sizeof(*mppe_key)) + current = server->get_preference(server); + if (current > best || + /* for two with equal preference, 50-50 chance */ + (current == best && random() % 2 == 0)) + { + DBG2(DBG_CFG, "RADIUS server %H is candidate: %d", + server->get_address(server), current); + best = current; + this->server = server; + } + else { - mppe_key = (void*)data.ptr; - if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT && - mppe_key->length == data.len - sizeof(mppe_key->id)) - { - data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key)); - if (mppe_key->type == MS_MPPE_SEND_KEY) - { - send = decrypt_mppe_key(this, mppe_key->salt, data, request); - } - if (mppe_key->type == MS_MPPE_RECV_KEY) - { - recv = decrypt_mppe_key(this, mppe_key->salt, data, request); - } - } + DBG2(DBG_CFG, "RADIUS server %H skipped: %d", + server->get_address(server), current); } } enumerator->destroy(enumerator); - if (send.ptr && recv.ptr) + + if (!this->server) { - return chunk_cat("mm", recv, send); + free(this); + return NULL; } - chunk_clear(&send); - chunk_clear(&recv); - return chunk_empty; -} - -/** - * Implementation of radius_client_t.destroy. - */ -static void destroy(private_radius_client_t *this) -{ - free(this->state.ptr); - free(this); -} - -/** - * See header - */ -radius_client_t *radius_client_create() -{ - private_radius_client_t *this = malloc_thing(private_radius_client_t); - - this->public.request = (radius_message_t*(*)(radius_client_t*, radius_message_t *msg))request; - this->public.decrypt_msk = (chunk_t(*)(radius_client_t*, radius_message_t *, radius_message_t *))decrypt_msk; - this->public.destroy = (void(*)(radius_client_t*))destroy; - - this->state = chunk_empty; return &this->public; } 
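Review bot: `get_msk` returns `this->msk` without cloning while `destroy` clears the same buffer, so the chunk handed out is valid only for the client's lifetime and until the next Access-Accept in `request` (which does `chunk_clear(&this->msk)` before overwriting it); eap_radius.c's get_msk passes it straight through as `*out`, so any caller that keeps it must clone it. The header's `@return MSK, allocated` reads as an ownership transfer; a comment above the method such as `/* the returned MSK is owned by the client; callers must clone it */` would state the contract, and the same wording belongs on the radius_client.h line. In `request`, `socket` from `this->server->get_socket()` is used unchecked; if get_socket can fail (not visible here) a NULL check before `socket->request()` is needed. Clearing the MSK with chunk_clear on both overwrite and destroy is the right primitive for key material.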
diff --git a/src/libcharon/plugins/eap_radius/radius_client.h b/src/libcharon/plugins/eap_radius/radius_client.h index 77ba94807..e4f3a7222 100644 --- a/src/libcharon/plugins/eap_radius/radius_client.h +++ b/src/libcharon/plugins/eap_radius/radius_client.h @@ -29,19 +29,14 @@ typedef struct radius_client_t radius_client_t; * RADIUS client functionality. * * To communicate with a RADIUS server, create a client and send messages over - * it. All instances share a fixed size pool of sockets. The client reserves - * a socket during request() and releases it afterwards. + * it. The client allocates a socket from the best RADIUS server abailable. */ struct radius_client_t { /** * Send a RADIUS request and wait for the response. * - * The client fills in RADIUS Message identifier, NAS-Identifier, - * NAS-Port-Type, builds a Request-Authenticator and calculates the - * Message-Authenticator attribute. - * The received response gets verified using the Response-Identifier - * and the Message-Authenticator attribute. + * The client fills in NAS-Identifier nad NAS-Port-Type * * @param msg RADIUS request message to send * @return response, NULL if timed out/verification failed @@ -49,14 +44,11 @@ struct radius_client_t { radius_message_t* (*request)(radius_client_t *this, radius_message_t *msg); /** - * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key. + * Get the EAP MSK after successful RADIUS authentication. * - * @param response RADIUS response message containing attributes - * @param request associated RADIUS request message - * @return allocated MSK, empty chunk if none found + * @return MSK, allocated */ - chunk_t (*decrypt_msk)(radius_client_t *this, radius_message_t *response, - radius_message_t *request); + chunk_t (*get_msk)(radius_client_t *this); /** * Destroy the client, release the socket. 
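Review bot: The rewritten interface comments in radius_client.h carry two typos on added lines, `abailable` for `available` and `nad` for `and`, and the shortened request() description `The client fills in NAS-Identifier nad NAS-Port-Type` has lost its sentence end. The retained line `Destroy the client, release the socket.` appears stale now that a socket is taken and returned per request() via get_socket/put_socket rather than held by the client; `Destroy the client.` matches the new implementation. The request() comment no longer mentions that the response is verified before being returned, which the caller relies on for the `NULL if timed out/verification failed` return; if verification now happens in radius_socket_t, a sentence saying so would keep the contract visible from the header.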
@@ -65,24 +57,10 @@ struct radius_client_t { }; /** - * Create a RADIUS client, acquire a socket. - * - * This call might block if the socket pool is empty. + * Create a RADIUS client. * * @return radius_client_t object */ radius_client_t *radius_client_create(); -/** - * Initialize the socket pool. - * - * @return TRUE if initialization successful - */ -bool radius_client_init(); - -/** - * Cleanup the socket pool. - */ -void radius_client_cleanup(); - #endif /** RADIUS_CLIENT_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/radius_message.c b/src/libcharon/plugins/eap_radius/radius_message.c index 11a1d8dfc..23a29b772 100644 --- a/src/libcharon/plugins/eap_radius/radius_message.c +++ b/src/libcharon/plugins/eap_radius/radius_message.c @@ -215,13 +215,8 @@ typedef struct { int left; } attribute_enumerator_t; - -/** - * Implementation of attribute_enumerator_t.enumerate - */ -static bool attribute_enumerate(attribute_enumerator_t *this, - int *type, chunk_t *data) - +METHOD(enumerator_t, attribute_enumerate, bool, + attribute_enumerator_t *this, int *type, chunk_t *data) { if (this->left == 0) { @@ -241,10 +236,8 @@ static bool attribute_enumerate(attribute_enumerator_t *this, return TRUE; } -/** - * Implementation of radius_message_t.create_enumerator - */ -static enumerator_t* create_enumerator(private_radius_message_t *this) +METHOD(radius_message_t, create_enumerator, enumerator_t*, + private_radius_message_t *this) { attribute_enumerator_t *e; 
@@ -252,20 +245,19 @@ static enumerator_t* create_enumerator(private_radius_message_t *this) { return enumerator_create_empty(); } - - e = malloc_thing(attribute_enumerator_t); - e->public.enumerate = (void*)attribute_enumerate; - e->public.destroy = (void*)free; - e->next = (rattr_t*)this->msg->attributes; - e->left = ntohs(this->msg->length) - sizeof(rmsg_t); + INIT(e, + .public = { + .enumerate = (void*)_attribute_enumerate, + .destroy = (void*)free, + }, + .next = (rattr_t*)this->msg->attributes, + .left = ntohs(this->msg->length) - sizeof(rmsg_t), + ); return &e->public; } -/** - * Implementation of radius_message_t.add - */ -static void add(private_radius_message_t *this, radius_attribute_type_t type, - chunk_t data) +METHOD(radius_message_t, add, void, + private_radius_message_t *this, radius_attribute_type_t type, chunk_t data) { rattr_t *attribute; @@ -279,10 +271,8 @@ static void add(private_radius_message_t *this, radius_attribute_type_t type, this->msg->length = htons(ntohs(this->msg->length) + attribute->length); } -/** - * Implementation of radius_message_t.sign - */ -static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer) +METHOD(radius_message_t, sign, void, + private_radius_message_t *this, rng_t *rng, signer_t *signer) { char buf[HASH_SIZE_MD5]; @@ -297,11 +287,9 @@ static void sign(private_radius_message_t *this, rng_t *rng, signer_t *signer) ((u_char*)this->msg) + ntohs(this->msg->length) - HASH_SIZE_MD5); } -/** - * Implementation of radius_message_t.verify - */ -static bool verify(private_radius_message_t *this, u_int8_t *req_auth, - chunk_t secret, hasher_t *hasher, signer_t *signer) +METHOD(radius_message_t, verify, bool, + private_radius_message_t *this, u_int8_t *req_auth, chunk_t secret, + hasher_t *hasher, signer_t *signer) { char buf[HASH_SIZE_MD5], res_auth[HASH_SIZE_MD5]; enumerator_t *enumerator; 
@@ -369,51 +357,39 @@ static bool verify(private_radius_message_t *this, u_int8_t *req_auth, return TRUE; } -/** - * Implementation of radius_message_t.get_code - */ -static radius_message_code_t get_code(private_radius_message_t *this) +METHOD(radius_message_t, get_code, radius_message_code_t, + private_radius_message_t *this) { return this->msg->code; } -/** - * Implementation of radius_message_t.get_identifier - */ -static u_int8_t get_identifier(private_radius_message_t *this) +METHOD(radius_message_t, get_identifier, u_int8_t, + private_radius_message_t *this) { return this->msg->identifier; } -/** - * Implementation of radius_message_t.set_identifier - */ -static void set_identifier(private_radius_message_t *this, u_int8_t identifier) +METHOD(radius_message_t, set_identifier, void, + private_radius_message_t *this, u_int8_t identifier) { this->msg->identifier = identifier; } -/** - * Implementation of radius_message_t.get_authenticator - */ -static u_int8_t* get_authenticator(private_radius_message_t *this) +METHOD(radius_message_t, get_authenticator, u_int8_t*, + private_radius_message_t *this) { return this->msg->authenticator; } -/** - * Implementation of radius_message_t.get_encoding - */ -static chunk_t get_encoding(private_radius_message_t *this) +METHOD(radius_message_t, get_encoding, chunk_t, + private_radius_message_t *this) { return chunk_create((u_char*)this->msg, ntohs(this->msg->length)); } -/** - * Implementation of radius_message_t.destroy. - */ -static void destroy(private_radius_message_t *this) +METHOD(radius_message_t, destroy, void, + private_radius_message_t *this) { free(this->msg); free(this); 
@@ -424,18 +400,22 @@ static void destroy(private_radius_message_t *this) */ static private_radius_message_t *radius_message_create() { - private_radius_message_t *this = malloc_thing(private_radius_message_t); - - this->public.create_enumerator = (enumerator_t*(*)(radius_message_t*))create_enumerator; - this->public.add = (void(*)(radius_message_t*, radius_attribute_type_t,chunk_t))add; - this->public.get_code = (radius_message_code_t(*)(radius_message_t*))get_code; - this->public.get_identifier = (u_int8_t(*)(radius_message_t*))get_identifier; - this->public.set_identifier = (void(*)(radius_message_t*, u_int8_t identifier))set_identifier; - this->public.get_authenticator = (u_int8_t*(*)(radius_message_t*))get_authenticator; - this->public.get_encoding = (chunk_t(*)(radius_message_t*))get_encoding; - this->public.sign = (void(*)(radius_message_t*, rng_t *rng, signer_t *signer))sign; - this->public.verify = (bool(*)(radius_message_t*, u_int8_t *req_auth, chunk_t secret, hasher_t *hasher, signer_t *signer))verify; - this->public.destroy = (void(*)(radius_message_t*))destroy; + private_radius_message_t *this; + + INIT(this, + .public = { + .create_enumerator = _create_enumerator, + .add = _add, + .get_code = _get_code, + .get_identifier = _get_identifier, + .set_identifier = _set_identifier, + .get_authenticator = _get_authenticator, + .get_encoding = _get_encoding, + .sign = _sign, + .verify = _verify, + .destroy = _destroy, + }, + ); return this; } @@ -447,10 +427,11 @@ radius_message_t *radius_message_create_request() { private_radius_message_t *this = radius_message_create(); - this->msg = malloc_thing(rmsg_t); - this->msg->code = RMC_ACCESS_REQUEST; - this->msg->identifier = 0; - this->msg->length = htons(sizeof(rmsg_t)); + INIT(this->msg, + .code = RMC_ACCESS_REQUEST, + .identifier = 0, + .length = htons(sizeof(rmsg_t)), + ); return &this->public; } 
diff --git a/src/libcharon/plugins/eap_radius/radius_server.c b/src/libcharon/plugins/eap_radius/radius_server.c
new file mode 100644
index 000000000..f54b8b2cd
--- /dev/null
+++ b/src/libcharon/plugins/eap_radius/radius_server.c
@@ -0,0 +1,212 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "radius_server.h" + +#include +#include +#include + +typedef struct private_radius_server_t private_radius_server_t; + +/** + * Private data of an radius_server_t object. + */ +struct private_radius_server_t { + + /** + * Public radius_server_t interface. + */ + radius_server_t public; + + /** + * RADIUS server address + */ + host_t *host; + + /** + * list of radius sockets, as radius_socket_t + */ + linked_list_t *sockets; + + /** + * Total number of sockets, in list + currently in use + */ + int socket_count; + + /** + * mutex to lock sockets list + */ + mutex_t *mutex; + + /** + * condvar to wait for sockets + */ + condvar_t *condvar; + + /** + * RADIUS secret + */ + chunk_t secret; + + /** + * NAS-Identifier + */ + chunk_t nas_identifier; + + /** + * Preference boost for this server + */ + int preference; + + /** + * Is the server currently reachable + */ + bool reachable; + + /** + * Retry counter for unreachable servers + */ + int retry; +}; + +METHOD(radius_server_t, get_socket, radius_socket_t*, + private_radius_server_t *this) +{ + radius_socket_t *skt; + + this->mutex->lock(this->mutex); + while (this->sockets->remove_first(this->sockets, (void**)&skt) != SUCCESS) + { + this->condvar->wait(this->condvar, this->mutex); + } + this->mutex->unlock(this->mutex); + return skt; +} + +METHOD(radius_server_t, put_socket, void, + 
private_radius_server_t *this, radius_socket_t *skt, bool result) +{ + this->mutex->lock(this->mutex); + this->sockets->insert_last(this->sockets, skt); + this->mutex->unlock(this->mutex); + this->condvar->signal(this->condvar); + this->reachable = result; +} + +METHOD(radius_server_t, get_nas_identifier, chunk_t, + private_radius_server_t *this) +{ + return this->nas_identifier; +} + +METHOD(radius_server_t, get_preference, int, + private_radius_server_t *this) +{ + int pref; + + if (this->socket_count == 0) + { /* don't have sockets, huh? */ + return -1; + } + /* calculate preference between 0-100 + boost */ + pref = this->preference; + pref += this->sockets->get_count(this->sockets) * 100 / this->socket_count; + if (this->reachable) + { /* reachable server get a boost: pref = 110-210 + boost */ + return pref + 110; + } + /* Not reachable. Increase preference randomly to let it retry from + * time to time, especially if other servers have high load. */ + this->retry++; + if (this->retry % 128 == 0) + { /* every 64th request gets 210, same as unloaded reachable */ + return pref + 110; + } + if (this->retry % 32 == 0) + { /* every 32th request gets 190, wins against average loaded */ + return pref + 90; + } + if (this->retry % 8 == 0) + { /* every 8th request gets 110, same as server under load */ + return pref + 10; + } + /* other get ~100, less than fully loaded */ + return pref; +} + +METHOD(radius_server_t, get_address, host_t*, + private_radius_server_t *this) +{ + return this->host; +} + +METHOD(radius_server_t, destroy, void, + private_radius_server_t *this) +{ + DESTROY_IF(this->host); + this->mutex->destroy(this->mutex); + this->condvar->destroy(this->condvar); + this->sockets->destroy_offset(this->sockets, + offsetof(radius_socket_t, destroy)); + free(this); +} + +/** + * See header + */ +radius_server_t *radius_server_create(char *server, u_int16_t port, + char *nas_identifier, char *secret, int sockets, int preference) +{ + private_radius_server_t 
*this; + radius_socket_t *socket; + + INIT(this, + .public = { + .get_socket = _get_socket, + .put_socket = _put_socket, + .get_nas_identifier = _get_nas_identifier, + .get_preference = _get_preference, + .get_address = _get_address, + .destroy = _destroy, + }, + .reachable = TRUE, + .nas_identifier = chunk_create(nas_identifier, strlen(nas_identifier)), + .socket_count = sockets, + .sockets = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .host = host_create_from_dns(server, 0, port), + .preference = preference, + ); + + if (!this->host) + { + destroy(this); + return NULL; + } + while (sockets--) + { + socket = radius_socket_create(this->host, + chunk_create(secret, strlen(secret))); + if (!socket) + { + destroy(this); + return NULL; + } + this->sockets->insert_last(this->sockets, socket); + } + return &this->public; +} diff --git a/src/libcharon/plugins/eap_radius/radius_server.h b/src/libcharon/plugins/eap_radius/radius_server.h new file mode 100644 index 000000000..b820cb583 --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_server.h 
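Review bot: In get_preference the comment `/* every 64th request gets 210, same as unloaded reachable */` disagrees with the test `this->retry % 128 == 0` directly above it; one of the two should change, the other two branches' comments do match their moduli. get_preference also increments `this->retry` and reads `this->sockets->get_count()` without taking `this->mutex`, and put_socket assigns `this->reachable` after the unlock, while get_socket/put_socket change the list under the lock; since get_preference is called from the client's server selection, concurrent callers would race on these fields, which is presumably acceptable for a ranking heuristic but deserves a comment such as `/* unlocked on purpose: approximate counts are fine for ranking */` or a move under the mutex. In radius_server_create the nas_identifier chunk and the secret chunk handed to radius_socket_create point into the caller's strings rather than copies, so `nas_identifier` and `secret` must stay valid for the server's lifetime; that ownership rule is not stated anywhere yet.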
@@ -0,0 +1,88 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup radius_server radius_server + * @{ @ingroup eap_radius + */ + +#ifndef RADIUS_SERVER_H_ +#define RADIUS_SERVER_H_ + +typedef struct radius_server_t radius_server_t; + +#include "radius_socket.h" + +/** + * RADIUS server configuration. + */ +struct radius_server_t { + + /** + * Get a RADIUS socket from the pool to communicate with this server. + * + * @return RADIUS socket + */ + radius_socket_t* (*get_socket)(radius_server_t *this); + + /** + * Release a socket to the pool after use. + * + * @param skt RADIUS socket to release + * @param result result of the socket use, TRUE for success + */ + void (*put_socket)(radius_server_t *this, radius_socket_t *skt, bool result); + + /** + * Get the NAS-Identifier to use with this server. + * + * @return NAS-Identifier, internal data + */ + chunk_t (*get_nas_identifier)(radius_server_t *this); + + /** + * Get the preference of this server. + * + * Based on the available sockets and the server reachability a preference + * value is calculated: better servers return a higher value. + */ + int (*get_preference)(radius_server_t *this); + + /** + * Get the address of the RADIUS server. + * + * @return address, internal data + */ + host_t* (*get_address)(radius_server_t *this); + + /** + * Destroy a radius_server_t. 
+ */ + void (*destroy)(radius_server_t *this); +}; + +/** + * Create a radius_server instance. + * + * @param server server address + * @param port server port + * @param nas_identifier NAS-Identifier to use with this server + * @param sockets number of sockets to create in pool + * @param preference preference boost for this server + */ +radius_server_t *radius_server_create(char *server, u_int16_t port, + char *nas_identifier, char *secret, int sockets, int preference); + +#endif /** RADIUS_SERVER_H_ @}*/ diff --git a/src/libcharon/plugins/eap_radius/radius_socket.c b/src/libcharon/plugins/eap_radius/radius_socket.c new file mode 100644 index 000000000..f46c27ede --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_socket.c 
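Review bot: The radius_server_create doc block omits `@param secret` and has no `@return`; add ` * @param secret RADIUS shared secret, must outlive the server` and ` * @return radius_server_t, NULL on failure` (the implementation returns NULL when host resolution or socket creation fails). The get_preference block lacks `@return` as well, e.g. ` * @return preference value, higher is better`. Since the implementation keeps `nas_identifier` by reference (chunk_create over the caller's string), its `@param` line should say the same about lifetime.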
@@ -0,0 +1,309 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "radius_socket.h" + +#include +#include + +#include + +/** + * Vendor-Id of Microsoft specific attributes + */ +#define VENDOR_ID_MICROSOFT 311 + +/** + * Microsoft specific vendor attributes + */ +#define MS_MPPE_SEND_KEY 16 +#define MS_MPPE_RECV_KEY 17 + +typedef struct private_radius_socket_t private_radius_socket_t; + +/** + * Private data of an radius_socket_t object. + */ +struct private_radius_socket_t { + + /** + * Public radius_socket_t interface. 
+ */ + radius_socket_t public; + + /** + * socket file descriptor + */ + int fd; + + /** + * current RADIUS identifier + */ + u_int8_t identifier; + + /** + * hasher to use for response verification + */ + hasher_t *hasher; + + /** + * HMAC-MD5 signer to build Message-Authenticator attribute + */ + signer_t *signer; + + /** + * random number generator for RADIUS request authenticator + */ + rng_t *rng; + + /** + * RADIUS secret + */ + chunk_t secret; +}; + +METHOD(radius_socket_t, request, radius_message_t*, + private_radius_socket_t *this, radius_message_t *request) +{ + chunk_t data; + int i; + + /* set Message Identifier */ + request->set_identifier(request, this->identifier++); + /* sign the request */ + request->sign(request, this->rng, this->signer); + + data = request->get_encoding(request); + /* timeout after 2, 3, 4, 5 seconds */ + for (i = 2; i <= 5; i++) + { + radius_message_t *response; + bool retransmit = FALSE; + struct timeval tv; + char buf[4096]; + fd_set fds; + int res; + + if (send(this->fd, data.ptr, data.len, 0) != data.len) + { + DBG1(DBG_CFG, "sending RADIUS message failed: %s", strerror(errno)); + return NULL; + } + tv.tv_sec = i; + tv.tv_usec = 0; + + while (TRUE) + { + FD_ZERO(&fds); + FD_SET(this->fd, &fds); + res = select(this->fd + 1, &fds, NULL, NULL, &tv); + /* TODO: updated tv to time not waited. Linux does this for us. 
*/ + if (res < 0) + { /* failed */ + DBG1(DBG_CFG, "waiting for RADIUS message failed: %s", + strerror(errno)); + break; + } + if (res == 0) + { /* timeout */ + DBG1(DBG_CFG, "retransmitting RADIUS message"); + retransmit = TRUE; + break; + } + res = recv(this->fd, buf, sizeof(buf), MSG_DONTWAIT); + if (res <= 0) + { + DBG1(DBG_CFG, "receiving RADIUS message failed: %s", + strerror(errno)); + break; + } + response = radius_message_parse_response(chunk_create(buf, res)); + if (response) + { + if (response->verify(response, + request->get_authenticator(request), this->secret, + this->hasher, this->signer)) + { + return response; + } + response->destroy(response); + } + DBG1(DBG_CFG, "received invalid RADIUS message, ignored"); + } + if (!retransmit) + { + break; + } + } + DBG1(DBG_CFG, "RADIUS server is not responding"); + return NULL; +} + +/** + * Decrypt a MS-MPPE-Send/Recv-Key + */ +static chunk_t decrypt_mppe_key(private_radius_socket_t *this, u_int16_t salt, + chunk_t C, radius_message_t *request) +{ + chunk_t A, R, P, seed; + u_char *c, *p; + + /** + * From RFC2548 (encryption): + * b(1) = MD5(S + R + A) c(1) = p(1) xor b(1) C = c(1) + * b(2) = MD5(S + c(1)) c(2) = p(2) xor b(2) C = C + c(2) + * . . . 
+ * b(i) = MD5(S + c(i-1)) c(i) = p(i) xor b(i) C = C + c(i) + */ + + if (C.len % HASH_SIZE_MD5 || C.len < HASH_SIZE_MD5) + { + return chunk_empty; + } + + A = chunk_create((u_char*)&salt, sizeof(salt)); + R = chunk_create(request->get_authenticator(request), HASH_SIZE_MD5); + P = chunk_alloca(C.len); + p = P.ptr; + c = C.ptr; + + seed = chunk_cata("cc", R, A); + + while (c < C.ptr + C.len) + { + /* b(i) = MD5(S + c(i-1)) */ + this->hasher->get_hash(this->hasher, this->secret, NULL); + this->hasher->get_hash(this->hasher, seed, p); + + /* p(i) = b(i) xor c(1) */ + memxor(p, c, HASH_SIZE_MD5); + + /* prepare next round */ + seed = chunk_create(c, HASH_SIZE_MD5); + c += HASH_SIZE_MD5; + p += HASH_SIZE_MD5; + } + + /* remove truncation, first byte is key length */ + if (*P.ptr >= P.len) + { /* decryption failed? */ + return chunk_empty; + } + return chunk_clone(chunk_create(P.ptr + 1, *P.ptr)); +} + +METHOD(radius_socket_t, decrypt_msk, chunk_t, + private_radius_socket_t *this, radius_message_t *request, + radius_message_t *response) +{ + struct { + u_int32_t id; + u_int8_t type; + u_int8_t length; + u_int16_t salt; + u_int8_t key[]; + } __attribute__((packed)) *mppe_key; + enumerator_t *enumerator; + chunk_t data, send = chunk_empty, recv = chunk_empty; + int type; + + enumerator = response->create_enumerator(response); + while (enumerator->enumerate(enumerator, &type, &data)) + { + if (type == RAT_VENDOR_SPECIFIC && + data.len > sizeof(*mppe_key)) + { + mppe_key = (void*)data.ptr; + if (ntohl(mppe_key->id) == VENDOR_ID_MICROSOFT && + mppe_key->length == data.len - sizeof(mppe_key->id)) + { + data = chunk_create(mppe_key->key, data.len - sizeof(*mppe_key)); + if (mppe_key->type == MS_MPPE_SEND_KEY) + { + send = decrypt_mppe_key(this, mppe_key->salt, data, request); + } + if (mppe_key->type == MS_MPPE_RECV_KEY) + { + recv = decrypt_mppe_key(this, mppe_key->salt, data, request); + } + } + } + } + enumerator->destroy(enumerator); + if (send.ptr && recv.ptr) + { + return 
chunk_cat("mm", recv, send); + } + chunk_clear(&send); + chunk_clear(&recv); + return chunk_empty; +} + +METHOD(radius_socket_t, destroy, void, + private_radius_socket_t *this) +{ + DESTROY_IF(this->hasher); + DESTROY_IF(this->signer); + DESTROY_IF(this->rng); + close(this->fd); + free(this); +} + +/** + * See header + */ +radius_socket_t *radius_socket_create(host_t *host, chunk_t secret) +{ + private_radius_socket_t *this; + + INIT(this, + .public = { + .request = _request, + .decrypt_msk = _decrypt_msk, + .destroy = _destroy, + }, + ); + + this->fd = socket(host->get_family(host), SOCK_DGRAM, IPPROTO_UDP); + if (this->fd < 0) + { + DBG1(DBG_CFG, "opening RADIUS socket failed: %s", strerror(errno)); + free(this); + return NULL; + } + if (connect(this->fd, host->get_sockaddr(host), + *host->get_sockaddr_len(host)) < 0) + { + DBG1(DBG_CFG, "connecting RADIUS socket failed"); + close(this->fd); + free(this); + return NULL; + } + this->hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + this->signer = lib->crypto->create_signer(lib->crypto, AUTH_HMAC_MD5_128); + this->rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK); + if (!this->hasher || !this->signer || !this->rng) + { + DBG1(DBG_CFG, "RADIUS initialization failed, HMAC/MD5/RNG required"); + destroy(this); + return NULL; + } + this->secret = secret; + this->signer->set_key(this->signer, secret); + /* we use a random identifier, helps if we restart often */ + this->identifier = random(); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_radius/radius_socket.h b/src/libcharon/plugins/eap_radius/radius_socket.h new file mode 100644 index 000000000..fe8491a8f --- /dev/null +++ b/src/libcharon/plugins/eap_radius/radius_socket.h 
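Review bot: In decrypt_msk a second MS-MPPE-Send-Key or MS-MPPE-Recv-Key attribute in the same response overwrites the chunk returned by the earlier decrypt_mppe_key call (a chunk_clone) without freeing it; a `chunk_clear(&send);` resp. `chunk_clear(&recv);` before each reassignment closes the leak. The Request-Authenticator in radius_socket_create comes from an RNG_WEAK generator; RFC 2865 section 3 wants it unpredictable and unique over the lifetime of the shared secret because it keys User-Password hiding and, through decrypt_mppe_key, the MS-MPPE key unwrapping, so if RNG_WEAK maps to a non-cryptographic source here a stronger quality should be requested or the choice justified in a comment. The comment `/* p(i) = b(i) xor c(1) */` in decrypt_mppe_key should read `c(i)`.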
@@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup radius_socket radius_socket + * @{ @ingroup eap_radius + */ + +#ifndef RADIUS_SOCKET_H_ +#define RADIUS_SOCKET_H_ + +typedef struct radius_socket_t radius_socket_t; + +#include "radius_message.h" + +#include + +/** + * RADIUS socket to a server. + */ +struct radius_socket_t { + + /** + * Send a RADIUS request, wait for response. + + * The socket fills in RADIUS Message identifier, builds a + * Request-Authenticator and calculates the Message-Authenticator + * attribute. + * The received response gets verified using the Response-Identifier + * and the Message-Authenticator attribute. + * + * @param request request message + * @return response message, NULL if timed out + */ + radius_message_t* (*request)(radius_socket_t *this, + radius_message_t *request); + + /** + * Decrypt the MSK encoded in a messages MS-MPPE-Send/Recv-Key. + * + * @param request associated RADIUS request message + * @param response RADIUS response message containing attributes + * @return allocated MSK, empty chunk if none found + */ + chunk_t (*decrypt_msk)(radius_socket_t *this, radius_message_t *request, + radius_message_t *response); + + /** + * Destroy a radius_socket_t. + */ + void (*destroy)(radius_socket_t *this); +}; + +/** + * Create a radius_socket instance. 
+ * + * @param host RADIUS server address to connect to + * @param secret RADIUS secret + */ +radius_socket_t *radius_socket_create(host_t *host, chunk_t secret); + +#endif /** RADIUS_SOCKET_H_ @}*/ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index 588965113..d0f44e925 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_sim/eap_sim_peer.c b/src/libcharon/plugins/eap_sim/eap_sim_peer.c index 961cfd30d..a3506f4ba 100644 --- a/src/libcharon/plugins/eap_sim/eap_sim_peer.c +++ b/src/libcharon/plugins/eap_sim/eap_sim_peer.c @@ -484,7 +484,6 @@ static status_t process_notification(private_eap_sim_peer_t *this, /* test success bit */ if (!(data.ptr[0] & 0x80)) { - success = FALSE; DBG1(DBG_IKE, "received EAP-SIM notification error '%N'", simaka_notification_names, code); } diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 2d998dbcc..2aa0ac832 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 6c44ea2bb..7d80f8019 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in 
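Review bot: The doc block of request() has a bare `+` line between `Send a RADIUS request, wait for response.` and `The socket fills in ...` that is missing its leading ` *`, which leaves the Doxygen comment malformed. The radius_socket_create block has no `@return`; add ` * @return radius_socket_t, NULL on failure`. Because the implementation stores the chunk as passed (`this->secret = secret;`), the `@param secret` line should state that the caller's buffer must outlive the socket.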
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index 35d8e7c3b..fc26f4497 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.am b/src/libcharon/plugins/eap_simaka_sql/Makefile.am new file mode 100644 index 000000000..73768be0e --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.am @@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\" + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +else +plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +endif + +libstrongswan_eap_simaka_sql_la_SOURCES = \ + eap_simaka_sql_plugin.h eap_simaka_sql_plugin.c \ + eap_simaka_sql_card.h eap_simaka_sql_card.c \ + eap_simaka_sql_provider.h eap_simaka_sql_provider.c + +libstrongswan_eap_simaka_sql_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in new file mode 100644 index 000000000..f2e82df0a --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in 
@@ -0,0 +1,592 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/eap_simaka_sql +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 
's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_eap_simaka_sql_la_LIBADD = +am_libstrongswan_eap_simaka_sql_la_OBJECTS = eap_simaka_sql_plugin.lo \ + eap_simaka_sql_card.lo eap_simaka_sql_provider.lo +libstrongswan_eap_simaka_sql_la_OBJECTS = \ + $(am_libstrongswan_eap_simaka_sql_la_OBJECTS) +libstrongswan_eap_simaka_sql_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_eap_simaka_sql_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_eap_simaka_sql_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_eap_simaka_sql_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
\ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES) +DIST_SOURCES = $(libstrongswan_eap_simaka_sql_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ 
+SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = 
@sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic -DIPSEC_CONFDIR=\"${sysconfdir}\" +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-eap-simaka-sql.la +libstrongswan_eap_simaka_sql_la_SOURCES = \ + eap_simaka_sql_plugin.h eap_simaka_sql_plugin.c \ + eap_simaka_sql_card.h eap_simaka_sql_card.c \ + eap_simaka_sql_provider.h eap_simaka_sql_provider.c + +libstrongswan_eap_simaka_sql_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/eap_simaka_sql/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-eap-simaka-sql.la: $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_DEPENDENCIES) + $(libstrongswan_eap_simaka_sql_la_LINK) $(am_libstrongswan_eap_simaka_sql_la_rpath) $(libstrongswan_eap_simaka_sql_la_OBJECTS) $(libstrongswan_eap_simaka_sql_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_card.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/eap_simaka_sql_provider.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 
's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic 
mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c new file mode 100644 index 000000000..b7590405f --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.c 
@@ -0,0 +1,177 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_simaka_sql_card.h" + +#include + +#include + +typedef struct private_eap_simaka_sql_card_t private_eap_simaka_sql_card_t; + +/** + * Private data of an eap_simaka_sql_card_t object. + */ +struct private_eap_simaka_sql_card_t { + + /** + * Public eap_simaka_sql_card_t interface. + */ + eap_simaka_sql_card_t public; + + /** + * Triplet/quintuplet database + */ + database_t *db; + + /** + * Remove used triplets/quintuplets from database + */ + bool remove_used; +}; + +METHOD(sim_card_t, get_triplet, bool, + private_eap_simaka_sql_card_t *this, identification_t *id, + char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]) +{ + chunk_t sres_chunk, kc_chunk; + enumerator_t *query; + bool found = FALSE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, + "select sres, kc from triplets where rand = ? and id = ? 
" + "order by use limit 1", + DB_BLOB, chunk_create(rand, SIM_RAND_LEN), DB_TEXT, buf, + DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &sres_chunk, &kc_chunk)) + { + if (sres_chunk.len == SIM_SRES_LEN && + kc_chunk.len == SIM_KC_LEN) + { + memcpy(sres, sres_chunk.ptr, SIM_SRES_LEN); + memcpy(kc, kc_chunk.ptr, SIM_KC_LEN); + found = TRUE; + } + } + query->destroy(query); + } + if (found) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from triplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update triplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + } + return found; +} + +METHOD(sim_card_t, get_quintuplet, status_t, + private_eap_simaka_sql_card_t *this, identification_t *id, + char rand[AKA_RAND_LEN], char autn[AKA_AUTN_LEN], char ck[AKA_CK_LEN], + char ik[AKA_IK_LEN], char res[AKA_RES_MAX], int *res_len) +{ + chunk_t ck_chunk, ik_chunk, res_chunk; + enumerator_t *query; + status_t found = FAILED; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, "select ck, ik, res from quintuplets " + "where rand = ? and autn = ? and id = ? 
order by use limit 1", + DB_BLOB, chunk_create(rand, AKA_RAND_LEN), + DB_BLOB, chunk_create(autn, AKA_AUTN_LEN), DB_TEXT, buf, + DB_BLOB, DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &ck_chunk, &ik_chunk, &res_chunk)) + { + if (ck_chunk.len == AKA_CK_LEN && + ik_chunk.len == AKA_IK_LEN && + res_chunk.len <= AKA_RES_MAX) + { + memcpy(ck, ck_chunk.ptr, AKA_CK_LEN); + memcpy(ik, ik_chunk.ptr, AKA_IK_LEN); + memcpy(res, res_chunk.ptr, res_chunk.len); + *res_len = res_chunk.len; + found = SUCCESS; + } + } + query->destroy(query); + } + if (found == SUCCESS) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from quintuplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update quintuplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, AKA_RAND_LEN)); + } + } + return found; +} + +METHOD(eap_simaka_sql_card_t, destroy, void, + private_eap_simaka_sql_card_t *this) +{ + free(this); +} + +/** + * See header + */ +eap_simaka_sql_card_t *eap_simaka_sql_card_create(database_t *db, + bool remove_used) +{ + private_eap_simaka_sql_card_t *this; + + INIT(this, + .public = { + .card = { + .get_triplet = _get_triplet, + .get_quintuplet = _get_quintuplet, + .resync = (void*)return_false, + .get_pseudonym = (void*)return_null, + .set_pseudonym = (void*)nop, + .get_reauth = (void*)return_null, + .set_reauth = (void*)nop, + }, + .destroy = _destroy, + }, + .db = db, + .remove_used = remove_used, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h new file mode 100644 index 000000000..46b7de25e --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_card.h 
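Review bot: The quintuplet delete in get_quintuplet binds the RAND with `chunk_create(rand, SIM_RAND_LEN)` while the query and the update branch of the same function bind it with `AKA_RAND_LEN`; the two constants are presumably equal today, but the delete should read `DB_TEXT, buf, DB_BLOB, chunk_create(rand, AKA_RAND_LEN));` so the row is matched with the same key length the query used. The same mismatch is in the quintuplet delete of eap_simaka_sql_provider.c. Separately, none of the `this->db->execute` calls that delete or mark a used triplet/quintuplet check the return value, so with remove_used set a failed delete silently leaves the vector in the table and it is handed out again on the next request; at minimum log a failed execute with DBG1 so an operator can see that authentication vectors are being reused.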
@@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_simaka_sql_card eap_simaka_sql_card + * @{ @ingroup eap_simaka_sql + */ + +#ifndef EAP_SIMAKA_SQL_CARD_H_ +#define EAP_SIMAKA_SQL_CARD_H_ + +#include +#include + +typedef struct eap_simaka_sql_card_t eap_simaka_sql_card_t; + +/** + * SIM card implementation using a triplet/quintuplet database backend. + */ +struct eap_simaka_sql_card_t { + + /** + * Implements sim_card_t interface + */ + sim_card_t card; + + /** + * Destroy a eap_simaka_sql_card_t. + */ + void (*destroy)(eap_simaka_sql_card_t *this); +}; + +/** + * Create a eap_simaka_sql_card instance. + * + * @param db triplet/quintuplet database + * @param remove_used TRUE to remove used triplets/quintuplets from db + */ +eap_simaka_sql_card_t *eap_simaka_sql_card_create(database_t *db, + bool remove_used); + +#endif /** EAP_SIMAKA_SQL_CARD_H_ @}*/ diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c new file mode 100644 index 000000000..0f5319792 --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.c 
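Review bot: The `@param db` line on eap_simaka_sql_card_create does not say who owns the database; the card's destroy only frees its own struct (see eap_simaka_sql_card.c) and the plugin destroys the database after the card, so the header should state `@param db triplet/quintuplet database, not owned by the card`. The same ownership note belongs on eap_simaka_sql_provider_create in eap_simaka_sql_provider.h.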
@@ -0,0 +1,100 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_simaka_sql_plugin.h" +#include "eap_simaka_sql_card.h" +#include "eap_simaka_sql_provider.h" + +#include + +typedef struct private_eap_simaka_sql_t private_eap_simaka_sql_t; + +/** + * Private data of an eap_simaka_sql_t object. + */ +struct private_eap_simaka_sql_t { + + /** + * Public eap_simaka_sql_plugin_t interface. + */ + eap_simaka_sql_plugin_t public; + + /** + * (U)SIM card + */ + eap_simaka_sql_card_t *card; + + /** + * (U)SIM provider + */ + eap_simaka_sql_provider_t *provider; + + /** + * Database with triplets/quintuplets + */ + database_t *db; +}; + +METHOD(plugin_t, destroy, void, + private_eap_simaka_sql_t *this) +{ + charon->sim->remove_card(charon->sim, &this->card->card); + charon->sim->remove_provider(charon->sim, &this->provider->provider); + this->card->destroy(this->card); + this->provider->destroy(this->provider); + this->db->destroy(this->db); + free(this); +} + +/** + * See header + */ +plugin_t *eap_simaka_sql_plugin_create() +{ + private_eap_simaka_sql_t *this; + database_t *db; + bool remove_used; + char *uri; + + uri = lib->settings->get_str(lib->settings, + "charon.plugins.eap-simaka-sql.database", NULL); + if (!uri) + { + DBG1(DBG_CFG, "eap-simaka-sql database URI missing"); + return NULL; + } + db = lib->db->create(lib->db, uri); + if (!db) + { + DBG1(DBG_CFG, "opening eap-simaka-sql database failed"); + return 
NULL; + } + remove_used = lib->settings->get_bool(lib->settings, + "charon.plugins.eap-simaka-sql.remove_used", FALSE); + + INIT(this, + .public.plugin = { + .destroy = _destroy, + }, + .db = db, + .provider = eap_simaka_sql_provider_create(db, remove_used), + .card = eap_simaka_sql_card_create(db, remove_used), + ); + + charon->sim->add_card(charon->sim, &this->card->card); + charon->sim->add_provider(charon->sim, &this->provider->provider); + + return &this->public.plugin; +} diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h new file mode 100644 index 000000000..3064580bf --- /dev/null +++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_plugin.h @@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_simaka_sql eap_simaka_sql + * @ingroup cplugins + * + * @defgroup eap_simaka_sql_plugin eap_simaka_sql_plugin + * @{ @ingroup eap_simaka_sql + */ + +#ifndef EAP_SIMAKA_SQL_PLUGIN_H_ +#define EAP_SIMAKA_SQL_PLUGIN_H_ + +#include + +typedef struct eap_simaka_sql_plugin_t eap_simaka_sql_plugin_t; + +/** + * Plugin to provide SIM/AKA cards/providers using triplets from a database. + */ +struct eap_simaka_sql_plugin_t { + + /** + * Implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** EAP_SIMAKA_SQL_PLUGIN_H_ @}*/ 
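Review bot: The `charon.plugins.eap-simaka-sql.remove_used` lookup defaults to FALSE, which means used triplets/quintuplets stay in the database and are served again by the card and provider (their queries order by `use`, so the least recently used vector is picked); that default is a security-relevant choice and deserves a comment at the get_bool call, e.g. `/* FALSE keeps used vectors and re-serves the least recently used one */`. The option is also worth a mention in the plugin's configuration documentation so deployments do not rely on the default unknowingly.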
diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c
new file mode 100644
index 000000000..73cccf549
--- /dev/null
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.c
@@ -0,0 +1,180 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "eap_simaka_sql_provider.h" + +#include + +#include + +typedef struct private_eap_simaka_sql_provider_t private_eap_simaka_sql_provider_t; + +/** + * Private data of an eap_simaka_sql_provider_t object. + */ +struct private_eap_simaka_sql_provider_t { + + /** + * Public eap_simaka_sql_provider_t interface. + */ + eap_simaka_sql_provider_t public; + + /** + * Triplet/quintuplet database + */ + database_t *db; + + /** + * Remove used triplets/quintuplets from database + */ + bool remove_used; +}; + +METHOD(sim_provider_t, get_triplet, bool, + private_eap_simaka_sql_provider_t *this, identification_t *id, + char rand[SIM_RAND_LEN], char sres[SIM_SRES_LEN], char kc[SIM_KC_LEN]) +{ + chunk_t rand_chunk, sres_chunk, kc_chunk; + enumerator_t *query; + bool found = FALSE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, + "select rand, sres, kc from triplets where id = ? 
order by use", + DB_TEXT, buf, DB_BLOB, DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &rand_chunk, &sres_chunk, &kc_chunk)) + { + if (rand_chunk.len == SIM_RAND_LEN && + sres_chunk.len == SIM_SRES_LEN && + kc_chunk.len == SIM_KC_LEN) + { + memcpy(rand, rand_chunk.ptr, SIM_RAND_LEN); + memcpy(sres, sres_chunk.ptr, SIM_SRES_LEN); + memcpy(kc, kc_chunk.ptr, SIM_KC_LEN); + found = TRUE; + } + } + query->destroy(query); + } + if (found) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from triplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update triplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + } + return found; +} + +METHOD(sim_provider_t, get_quintuplet, bool, + private_eap_simaka_sql_provider_t *this, identification_t *id, + char rand[AKA_RAND_LEN], char xres[AKA_RES_MAX], int *xres_len, + char ck[AKA_CK_LEN], char ik[AKA_IK_LEN], char autn[AKA_AUTN_LEN]) +{ + chunk_t rand_chunk, xres_chunk, ck_chunk, ik_chunk, autn_chunk; + enumerator_t *query; + bool found = FALSE; + char buf[128]; + + snprintf(buf, sizeof(buf), "%Y", id); + query = this->db->query(this->db, "select rand, res, ck, ik, autn " + "from quintuplets where id = ? 
order by use", DB_TEXT, buf, + DB_BLOB, DB_BLOB, DB_BLOB, DB_BLOB, DB_BLOB); + if (query) + { + if (query->enumerate(query, &rand_chunk, &xres_chunk, + &ck_chunk, &ik_chunk, &autn_chunk)) + { + if (rand_chunk.len == AKA_RAND_LEN && + xres_chunk.len <= AKA_RES_MAX && + ck_chunk.len == AKA_CK_LEN && + ik_chunk.len == AKA_IK_LEN && + autn_chunk.len == AKA_AUTN_LEN) + { + memcpy(rand, rand_chunk.ptr, AKA_RAND_LEN); + memcpy(xres, xres_chunk.ptr, xres_chunk.len); + *xres_len = xres_chunk.len; + memcpy(ck, ck_chunk.ptr, AKA_CK_LEN); + memcpy(ik, ik_chunk.ptr, AKA_IK_LEN); + memcpy(autn, autn_chunk.ptr, AKA_AUTN_LEN); + found = TRUE; + } + } + query->destroy(query); + } + if (found) + { + if (this->remove_used) + { + this->db->execute(this->db, NULL, + "delete from quintuplets where id = ? and rand = ?", + DB_TEXT, buf, DB_BLOB, chunk_create(rand, SIM_RAND_LEN)); + } + else + { + this->db->execute(this->db, NULL, + "update quintuplets set use = ? where id = ? and rand = ?", + DB_UINT, time(NULL), DB_TEXT, buf, + DB_BLOB, chunk_create(rand, AKA_RAND_LEN)); + } + } + return found; +} + +METHOD(eap_simaka_sql_provider_t, destroy, void, + private_eap_simaka_sql_provider_t *this) +{ + free(this); +} + +/** + * See header + */ +eap_simaka_sql_provider_t *eap_simaka_sql_provider_create(database_t *db, + bool remove_used) +{ + private_eap_simaka_sql_provider_t *this; + + INIT(this, + .public = { + .provider = { + .get_triplet = _get_triplet, + .get_quintuplet = _get_quintuplet, + .resync = (void*)return_false, + .is_pseudonym = (void*)return_null, + .gen_pseudonym = (void*)return_null, + .is_reauth = (void*)return_null, + .gen_reauth = (void*)return_null, + }, + .destroy = _destroy, + }, + .db = db, + .remove_used = remove_used, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h new file mode 100644 index 000000000..ecb0c8cb0 --- /dev/null 
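Review bot: Both `update ... set use = ?` calls pass `time(NULL)` directly after `DB_UINT`; `time_t` is wider than `u_int` on 64-bit builds, and handing it through the variadic database interface where the backend presumably reads a `u_int` is undefined even where it happens to work, so cast it explicitly: `DB_UINT, (u_int)time(NULL), DB_TEXT, buf,`. The two update calls in eap_simaka_sql_card.c have the same issue. Separately, the `xres_chunk.len <= AKA_RES_MAX` check in get_quintuplet accepts a zero-length RES; if an empty RES is not a usable vector, a lower bound belongs in that condition too.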
+++ b/src/libcharon/plugins/eap_simaka_sql/eap_simaka_sql_provider.h @@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup eap_simaka_sql_provider eap_simaka_sql_provider + * @{ @ingroup eap_simaka_sql + */ + +#ifndef EAP_SIMAKA_SQL_PROVIDER_H_ +#define EAP_SIMAKA_SQL_PROVIDER_H_ + +#include +#include + +typedef struct eap_simaka_sql_provider_t eap_simaka_sql_provider_t; + +/** + * SIM provider implementation using a triplet/quintuplet database backend. + */ +struct eap_simaka_sql_provider_t { + + /** + * Implements sim_provider_t interface + */ + sim_provider_t provider; + + /** + * Destroy a eap_simaka_sql_provider_t. + */ + void (*destroy)(eap_simaka_sql_provider_t *this); +}; + +/** + * Create a eap_simaka_sql_provider instance. + * + * @param db triplet/quintuplet database + * @param remove_used TRUE to remove used triplets/quintuplets from db + */ +eap_simaka_sql_provider_t *eap_simaka_sql_provider_create(database_t *db, + bool remove_used); + +#endif /** EAP_SIMAKA_SQL_PROVIDER_H_ @}*/ diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index 20ac77080..47952b99e 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/farp/farp_spoofer.c b/src/libcharon/plugins/farp/farp_spoofer.c index 29e64e32d..20bb44fd3 100644 --- a/src/libcharon/plugins/farp/farp_spoofer.c +++ b/src/libcharon/plugins/farp/farp_spoofer.c @@ -156,8 +156,8 @@ farp_spoofer_t *farp_spoofer_create(farp_listener_t *listener) BPF_STMT(BPF_LD+BPF_H+BPF_ABS, offsetof(arp_t, opcode)), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARPOP_REQUEST, 0, 3), BPF_STMT(BPF_LD+BPF_W+BPF_LEN, 0), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 28, 0, 1), - BPF_STMT(BPF_RET+BPF_A, 0), + BPF_JUMP(BPF_JMP+BPF_JGE+BPF_K, sizeof(arp_t), 0, 1), + BPF_STMT(BPF_RET+BPF_K, sizeof(arp_t)), BPF_STMT(BPF_RET+BPF_K, 0), }; struct sock_fprog arp_request_filter = { diff --git a/src/libcharon/plugins/ha/Makefile.am b/src/libcharon/plugins/ha/Makefile.am index 74fe1f4c7..0df1b8d91 100644 --- a/src/libcharon/plugins/ha/Makefile.am +++ b/src/libcharon/plugins/ha/Makefile.am @@ -17,9 +17,11 @@ libstrongswan_ha_la_SOURCES = \ ha_tunnel.h ha_tunnel.c \ ha_dispatcher.h ha_dispatcher.c \ ha_segments.h ha_segments.c \ + ha_cache.h ha_cache.c \ ha_kernel.h ha_kernel.c \ ha_ctl.h ha_ctl.c \ ha_ike.h ha_ike.c \ - ha_child.h ha_child.c + ha_child.h ha_child.c \ + ha_attribute.h ha_attribute.c libstrongswan_ha_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index c60d3bf56..5ca9b464b 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 
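Review bot: The BPF program in farp_spoofer_create now accepts any frame of at least `sizeof(arp_t)` bytes and truncates it to that size, but nothing in the hunk records why the exact-length check was dropped; a one-line comment above the BPF_JUMP such as `/* accept frames >= sizeof(arp_t) (presumably padded minimum-length frames) and return only the ARP header */` would save the next reader from re-deriving it. The function's body starts and ends outside the hunk, so the reader of the filter cannot rely on the consumer's size handling being visible here.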
@@ -76,7 +76,8 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_ha_la_LIBADD = am_libstrongswan_ha_la_OBJECTS = ha_plugin.lo ha_message.lo \ ha_socket.lo ha_tunnel.lo ha_dispatcher.lo ha_segments.lo \ - ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo + ha_cache.lo ha_kernel.lo ha_ctl.lo ha_ike.lo ha_child.lo \ + ha_attribute.lo libstrongswan_ha_la_OBJECTS = $(am_libstrongswan_ha_la_OBJECTS) libstrongswan_ha_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ @@ -269,10 +270,12 @@ libstrongswan_ha_la_SOURCES = \ ha_tunnel.h ha_tunnel.c \ ha_dispatcher.h ha_dispatcher.c \ ha_segments.h ha_segments.c \ + ha_cache.h ha_cache.c \ ha_kernel.h ha_kernel.c \ ha_ctl.h ha_ctl.c \ ha_ike.h ha_ike.c \ - ha_child.h ha_child.c + ha_child.h ha_child.c \ + ha_attribute.h ha_attribute.c libstrongswan_ha_la_LDFLAGS = -module -avoid-version all: all-am @@ -358,6 +361,8 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_attribute.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_child.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_ctl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ha_dispatcher.Plo@am__quote@ diff --git a/src/libcharon/plugins/ha/ha_attribute.c b/src/libcharon/plugins/ha/ha_attribute.c new file mode 100644 index 000000000..b08abe1a9 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_attribute.c 
@@ -0,0 +1,364 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ha_attribute.h" + +#include +#include + +typedef struct private_ha_attribute_t private_ha_attribute_t; + +/** + * Private data of an ha_attribute_t object. + */ +struct private_ha_attribute_t { + + /** + * Public ha_attribute_t interface. + */ + ha_attribute_t public; + + /** + * List of pools, pool_t + */ + linked_list_t *pools; + + /** + * Mutex to lock mask + */ + mutex_t *mutex; + + /** + * Kernel helper + */ + ha_kernel_t *kernel; + + /** + * Segment responsibility + */ + ha_segments_t *segments; +}; + +/** + * In-memory pool. 
+ */ +typedef struct { + /** name of the pool */ + char *name; + /** base address of pool */ + host_t *base; + /** total number of addresses in this pool */ + int size; + /** bitmask for address usage */ + u_char *mask; +} pool_t; + +/** + * Clean up a pool entry + */ +static void pool_destroy(pool_t *pool) +{ + pool->base->destroy(pool->base); + free(pool->name); + free(pool->mask); + free(pool); +} + +/** + * convert a pool offset to an address + */ +static host_t* offset2host(pool_t *pool, int offset) +{ + chunk_t addr; + host_t *host; + u_int32_t *pos; + + if (offset > pool->size) + { + return NULL; + } + + addr = chunk_clone(pool->base->get_address(pool->base)); + if (pool->base->get_family(pool->base) == AF_INET6) + { + pos = (u_int32_t*)(addr.ptr + 12); + } + else + { + pos = (u_int32_t*)addr.ptr; + } + *pos = htonl(offset + ntohl(*pos)); + host = host_create_from_chunk(pool->base->get_family(pool->base), addr, 0); + free(addr.ptr); + return host; +} + +/** + * convert a host to a pool offset + */ +static int host2offset(pool_t *pool, host_t *addr) +{ + chunk_t host, base; + u_int32_t hosti, basei; + + if (addr->get_family(addr) != pool->base->get_family(pool->base)) + { + return -1; + } + host = addr->get_address(addr); + base = pool->base->get_address(pool->base); + if (addr->get_family(addr) == AF_INET6) + { + /* only look at last /32 block */ + if (!memeq(host.ptr, base.ptr, 12)) + { + return -1; + } + host = chunk_skip(host, 12); + base = chunk_skip(base, 12); + } + hosti = ntohl(*(u_int32_t*)(host.ptr)); + basei = ntohl(*(u_int32_t*)(base.ptr)); + if (hosti > basei + pool->size) + { + return -1; + } + return hosti - basei; +} + +/** + * Find a pool by its name + */ +static pool_t* get_pool(private_ha_attribute_t *this, char *name) +{ + enumerator_t *enumerator; + pool_t *pool, *found = NULL; + + enumerator = this->pools->create_enumerator(this->pools); + while (enumerator->enumerate(enumerator, &pool)) + { + if (streq(name, pool->name)) + { + found = 
pool; + } + } + enumerator->destroy(enumerator); + return found; +} + +/** + * Check if we are responsible for a bit in our bitmask + */ +static bool responsible_for(private_ha_attribute_t *this, int bit) +{ + u_int segment; + + segment = this->kernel->get_segment_int(this->kernel, bit); + return this->segments->is_active(this->segments, segment); +} + +METHOD(attribute_provider_t, acquire_address, host_t*, + private_ha_attribute_t *this, char *name, identification_t *id, + host_t *requested) +{ + pool_t *pool; + int offset = -1, byte, bit; + host_t *address; + + this->mutex->lock(this->mutex); + pool = get_pool(this, name); + if (pool) + { + for (byte = 0; byte < pool->size / 8; byte++) + { + if (pool->mask[byte] != 0xFF) + { + for (bit = 0; bit < 8; bit++) + { + if (!(pool->mask[byte] & 1 << bit) && + responsible_for(this, bit)) + { + offset = byte * 8 + bit; + pool->mask[byte] |= 1 << bit; + break; + } + } + } + if (offset != -1) + { + break; + } + } + if (offset == -1) + { + DBG1(DBG_CFG, "no address left in HA pool '%s' belonging to" + "a responsible segment", name); + } + } + this->mutex->unlock(this->mutex); + if (offset != -1) + { + address = offset2host(pool, offset); + DBG1(DBG_CFG, "acquired address %H from HA pool '%s'", address, name); + return address; + } + return NULL; +} + +METHOD(attribute_provider_t, release_address, bool, + private_ha_attribute_t *this, char *name, host_t *address, + identification_t *id) +{ + pool_t *pool; + int offset; + bool found = FALSE; + + this->mutex->lock(this->mutex); + pool = get_pool(this, name); + if (pool) + { + offset = host2offset(pool, address); + if (offset > 0 && offset < pool->size) + { + pool->mask[offset / 8] &= ~(1 << (offset % 8)); + DBG1(DBG_CFG, "released address %H to HA pool '%s'", address, name); + found = TRUE; + } + } + this->mutex->unlock(this->mutex); + return found; +} + +METHOD(ha_attribute_t, reserve, void, + private_ha_attribute_t *this, char *name, host_t *address) +{ + pool_t *pool; + int 
offset; + + this->mutex->lock(this->mutex); + pool = get_pool(this, name); + if (pool) + { + offset = host2offset(pool, address); + if (offset > 0 && offset < pool->size) + { + pool->mask[offset / 8] |= 1 << (offset % 8); + DBG1(DBG_CFG, "reserved address %H in HA pool '%s'", address, name); + } + } + this->mutex->unlock(this->mutex); +} + +METHOD(ha_attribute_t, destroy, void, + private_ha_attribute_t *this) +{ + this->pools->destroy_function(this->pools, (void*)pool_destroy); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * Load the configured pools. + */ +static void load_pools(private_ha_attribute_t *this) +{ + enumerator_t *enumerator; + char *name, *net, *bits; + host_t *base; + int mask, maxbits; + pool_t *pool; + + enumerator = lib->settings->create_key_value_enumerator(lib->settings, + "charon.plugins.ha.pools"); + while (enumerator->enumerate(enumerator, &name, &net)) + { + net = strdup(net); + bits = strchr(net, '/'); + if (!bits) + { + DBG1(DBG_CFG, "invalid HA pool '%s' subnet, skipped", name); + free(net); + continue; + } + *bits++ = '\0'; + + base = host_create_from_string(net, 0); + mask = atoi(bits); + free(net); + if (!base || !mask) + { + DESTROY_IF(base); + DBG1(DBG_CFG, "invalid HA pool '%s', skipped", name); + continue; + } + maxbits = base->get_family(base) == AF_INET ? 
32 : 128; + mask = maxbits - mask; + if (mask > 24) + { + mask = 24; + DBG1(DBG_CFG, "size of HA pool '%s' limited to /%d", + name, maxbits - mask); + } + if (mask < 3) + { + DBG1(DBG_CFG, "HA pool '%s' too small, skipped", name); + base->destroy(base); + continue; + } + + INIT(pool, + .name = strdup(name), + .base = base, + .size = (1 << mask), + ); + pool->mask = calloc(pool->size / 8, 1); + /* do not use first/last address of pool */ + pool->mask[0] |= 0x01; + pool->mask[pool->size / 8 - 1] |= 0x80; + + DBG1(DBG_CFG, "loaded HA pool '%s' %H/%d (%d addresses)", + pool->name, pool->base, maxbits - mask, pool->size - 2); + this->pools->insert_last(this->pools, pool); + } + enumerator->destroy(enumerator); +} + +/** + * See header + */ +ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments) +{ + private_ha_attribute_t *this; + + INIT(this, + .public = { + .provider = { + .acquire_address = _acquire_address, + .release_address = _release_address, + .create_attribute_enumerator = enumerator_create_empty, + }, + .reserve = _reserve, + .destroy = _destroy, + }, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .pools = linked_list_create(), + .kernel = kernel, + .segments = segments, + ); + + load_pools(this); + + return &this->public; +} diff --git a/src/libcharon/plugins/ha/ha_attribute.h b/src/libcharon/plugins/ha/ha_attribute.h new file mode 100644 index 000000000..d1e4f5e89 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_attribute.h 
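Review bot: In acquire_address the two string literals of the "no address left" DBG1 join without a separator, so the log reads `belonging toa responsible segment`; end the first literal with `"belonging to "`. In host2offset the only range check is `if (hosti > basei + pool->size)`, so an address below the pool base wraps in the unsigned subtraction and an address exactly `size` past the base is accepted — the callers happen to catch both with `offset > 0 && offset < pool->size`, but the helper should reject them itself: `if (hosti < basei || hosti - basei >= pool->size) return -1;`. The mirror check in offset2host, `if (offset > pool->size)`, likewise admits `offset == pool->size`, one past the last mask bit, and should be `>=`. Both helpers read the address through a `u_int32_t *` cast of `chunk_t.ptr`; a `memcpy` into a local `u_int32_t` would avoid the alignment and aliasing assumption on the chunk buffer.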
@@ -0,0 +1,60 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ha_attribute ha_attribute + * @{ @ingroup ha + */ + +#ifndef HA_ATTRIBUTE_H_ +#define HA_ATTRIBUTE_H_ + +#include "ha_kernel.h" +#include "ha_segments.h" + +#include + +typedef struct ha_attribute_t ha_attribute_t; + +/** + * A HA enabled in memory address pool attribute provider. + */ +struct ha_attribute_t { + + /** + * Implements attribute provider interface. + */ + attribute_provider_t provider; + + /** + * Reserve an address for a passive IKE_SA. + * + * @param name pool name to reserve address in + * @param address address to reserve + */ + void (*reserve)(ha_attribute_t *this, char *name, host_t *address); + + /** + * Destroy a ha_attribute_t. + */ + void (*destroy)(ha_attribute_t *this); +}; + +/** + * Create a ha_attribute instance. + */ +ha_attribute_t *ha_attribute_create(ha_kernel_t *kernel, ha_segments_t *segments); + +#endif /** HA_ATTRIBUTE_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_cache.c b/src/libcharon/plugins/ha/ha_cache.c new file mode 100644 index 000000000..1ebc33ca4 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_cache.c 
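Review bot: `ha_attribute_create` is the only function in this header without parameter documentation, while the sibling `ha_cache_create` in ha_cache.h documents each argument; add `@param kernel kernel helper`, `@param segments segment responsibility` and `@return attribute provider` to its doc block. The `reserve` doc should also state what happens when `address` does not belong to the named pool — in ha_attribute.c the call is silently ignored in that case — since the address passed here originates from a HA peer's IKE update message as used in ha_dispatcher.c.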
@@ -0,0 +1,362 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "ha_cache.h" + +#include +#include +#include +#include + +typedef struct private_ha_cache_t private_ha_cache_t; + +/** + * Private data of an ha_cache_t object. + */ +struct private_ha_cache_t { + + /** + * Public ha_cache_t interface. + */ + ha_cache_t public; + + /** + * Kernel helper functions + */ + ha_kernel_t *kernel; + + /** + * Socket to send sync messages over + */ + ha_socket_t *socket; + + /** + * Total number of segments + */ + u_int count; + + /** + * cached entries (ike_sa_t, entry_t) + */ + hashtable_t *cache; + + /** + * Mutex to lock cache + */ + mutex_t *mutex; +}; + +/** + * Hashtable hash function + */ +static u_int hash(void *key) +{ + return (uintptr_t)key; +} + +/** + * Hashtable equals function + */ +static bool equals(void *a, void *b) +{ + return a == b; +} + +/** + * Cache entry for an IKE_SA + */ +typedef struct { + /* segment this entry is associate to */ + u_int segment; + /* ADD message */ + ha_message_t *add; + /* list of updates UPDATE message */ + linked_list_t *updates; + /* last initiator mid */ + ha_message_t *midi; + /* last responder mid */ + ha_message_t *midr; +} entry_t; + +/** + * Create a entry with an add message + */ +static entry_t *entry_create(ha_message_t *add) +{ + entry_t *entry; + + INIT(entry, + .add = add, + .updates = linked_list_create(), + ); + return entry; +} + +/** + * clean up a entry + 
*/ +static void entry_destroy(entry_t *entry) +{ + entry->updates->destroy_offset(entry->updates, + offsetof(ha_message_t, destroy)); + entry->add->destroy(entry->add); + DESTROY_IF(entry->midi); + DESTROY_IF(entry->midr); + free(entry); +} + +METHOD(ha_cache_t, cache, void, + private_ha_cache_t *this, ike_sa_t *ike_sa, ha_message_t *message) +{ + entry_t *entry; + + this->mutex->lock(this->mutex); + switch (message->get_type(message)) + { + case HA_IKE_ADD: + entry = entry_create(message); + entry = this->cache->put(this->cache, ike_sa, entry); + if (entry) + { + entry_destroy(entry); + } + break; + case HA_IKE_UPDATE: + entry = this->cache->get(this->cache, ike_sa); + if (entry) + { + entry->segment = this->kernel->get_segment(this->kernel, + ike_sa->get_other_host(ike_sa)); + entry->updates->insert_last(entry->updates, message); + break; + } + message->destroy(message); + break; + case HA_IKE_MID_INITIATOR: + entry = this->cache->get(this->cache, ike_sa); + if (entry) + { + DESTROY_IF(entry->midi); + entry->midi = message; + break; + } + message->destroy(message); + break; + case HA_IKE_MID_RESPONDER: + entry = this->cache->get(this->cache, ike_sa); + if (entry) + { + DESTROY_IF(entry->midr); + entry->midr = message; + break; + } + message->destroy(message); + break; + case HA_IKE_DELETE: + entry = this->cache->remove(this->cache, ike_sa); + if (entry) + { + entry_destroy(entry); + } + message->destroy(message); + break; + default: + message->destroy(message); + break; + } + this->mutex->unlock(this->mutex); +} + +METHOD(ha_cache_t, delete_, void, + private_ha_cache_t *this, ike_sa_t *ike_sa) +{ + entry_t *entry; + + entry = this->cache->remove(this->cache, ike_sa); + if (entry) + { + entry_destroy(entry); + } +} + +/** + * Rekey all children of an IKE_SA + */ +static status_t rekey_children(ike_sa_t *ike_sa) +{ + iterator_t *iterator; + child_sa_t *child_sa; + status_t status = SUCCESS; + + iterator = ike_sa->create_child_sa_iterator(ike_sa); + while 
(iterator->iterate(iterator, (void**)&child_sa)) + { + DBG1(DBG_CFG, "resyncing CHILD_SA"); + status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE)); + if (status == DESTROY_ME) + { + break; + } + } + iterator->destroy(iterator); + return status; +} + +/** + * Trigger rekeying of CHILD_SA in segment + */ +static void rekey_segment(private_ha_cache_t *this, u_int segment) +{ + ike_sa_t *ike_sa; + enumerator_t *enumerator; + linked_list_t *list; + ike_sa_id_t *id; + + list = linked_list_create(); + + enumerator = charon->ike_sa_manager->create_enumerator( + charon->ike_sa_manager); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && + this->kernel->get_segment(this->kernel, + ike_sa->get_other_host(ike_sa)) == segment) + { + id = ike_sa->get_id(ike_sa); + list->insert_last(list, id->clone(id)); + } + } + enumerator->destroy(enumerator); + + while (list->remove_last(list, (void**)&id) == SUCCESS) + { + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id); + if (ike_sa) + { + if (rekey_children(ike_sa) != DESTROY_ME) + { + charon->ike_sa_manager->checkin( + charon->ike_sa_manager, ike_sa); + } + else + { + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + } + id->destroy(id); + } + list->destroy(list); +} + +METHOD(ha_cache_t, resync, void, + private_ha_cache_t *this, u_int segment) +{ + enumerator_t *enumerator, *updates; + ike_sa_t *ike_sa; + entry_t *entry; + ha_message_t *message; + + DBG1(DBG_CFG, "resyncing HA segment %d", segment); + + this->mutex->lock(this->mutex); + enumerator = this->cache->create_enumerator(this->cache); + while (enumerator->enumerate(enumerator, &ike_sa, &entry)) + { + if (entry->segment == segment) + { + this->socket->push(this->socket, entry->add); + updates = entry->updates->create_enumerator(entry->updates); + while (updates->enumerate(updates, &message)) + { + 
this->socket->push(this->socket, message); + } + updates->destroy(updates); + if (entry->midi) + { + this->socket->push(this->socket, entry->midi); + } + if (entry->midr) + { + this->socket->push(this->socket, entry->midr); + } + } + } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); + + rekey_segment(this, segment); +} + +/** + * Request a resync of all segments + */ +static job_requeue_t request_resync(private_ha_cache_t *this) +{ + ha_message_t *message; + int i; + + DBG1(DBG_CFG, "requesting HA resynchronization"); + + message = ha_message_create(HA_RESYNC); + for (i = 1; i <= this->count; i++) + { + message->add_attribute(message, HA_SEGMENT, i); + } + this->socket->push(this->socket, message); + message->destroy(message); + return JOB_REQUEUE_NONE; +} + +METHOD(ha_cache_t, destroy, void, + private_ha_cache_t *this) +{ + this->cache->destroy(this->cache); + this->mutex->destroy(this->mutex); + free(this); +} + +/** + * See header + */ +ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, + bool sync, u_int count) +{ + private_ha_cache_t *this; + + INIT(this, + .public = { + .cache = _cache, + .delete = _delete_, + .resync = _resync, + .destroy = _destroy, + }, + .count = count, + .kernel = kernel, + .socket = socket, + .cache = hashtable_create(hash, equals, 8), + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + ); + + if (sync) + { + /* request a resync as soon as we are up */ + charon->scheduler->schedule_job(charon->scheduler, (job_t*) + callback_job_create((callback_job_cb_t)request_resync, + this, NULL, NULL), 1); + } + return &this->public; +} diff --git a/src/libcharon/plugins/ha/ha_cache.h b/src/libcharon/plugins/ha/ha_cache.h new file mode 100644 index 000000000..39f1947a8 --- /dev/null +++ b/src/libcharon/plugins/ha/ha_cache.h 
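Review bot: `delete_` removes from `this->cache` without holding `this->mutex`, while `cache` and `resync` take it around every hashtable access, so a delete running concurrently with a resync enumeration races on the table; wrap the body as `this->mutex->lock(this->mutex); entry = this->cache->remove(this->cache, ike_sa); ... this->mutex->unlock(this->mutex);`. In request_resync the loop variable `i` is `int` but `this->count` is `u_int`, so the comparison is signed/unsigned; declare `u_int i`. `destroy` only calls `this->cache->destroy`, which as far as this hunk shows does not run entry_destroy on the remaining entries — if hashtable_t does not free its values, whatever is cached at shutdown leaks.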
@@ -0,0 +1,78 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup ha_cache ha_cache + * @{ @ingroup ha + */ + +#ifndef HA_CACHE_H_ +#define HA_CACHE_H_ + +typedef struct ha_cache_t ha_cache_t; + +#include "ha_message.h" +#include "ha_kernel.h" +#include "ha_socket.h" + +#include + +#include + +/** + * HA message caching facility, allows reintegration of new nodes. + */ +struct ha_cache_t { + + /** + * Cache an IKE specific message. + * + * @param ike_sa associated IKE_SA + * @param message message to cache + */ + void (*cache)(ha_cache_t *this, ike_sa_t *ike_sa, ha_message_t *message); + + /** + * Delete a cache entry for an IKE_SA. + * + * @param ike_sa cache entry to delete + */ + void (*delete)(ha_cache_t *this, ike_sa_t *ike_sa); + + /** + * Resync a segment to the node using the cached messages. + * + * @param segment segment to resync + */ + void (*resync)(ha_cache_t *this, u_int segment); + + /** + * Destroy a ha_cache_t. + */ + void (*destroy)(ha_cache_t *this); +}; + +/** + * Create a ha_cache instance. + * + * @param kernel kernel helper + * @param socket socket to send resync messages + * @param resync request a resync during startup? + * @param count total number of segments + */ +ha_cache_t *ha_cache_create(ha_kernel_t *kernel, ha_socket_t *socket, + bool resync, u_int count); + +#endif /** HA_CACHE_H_ @}*/ 
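Review bot: The `cache` method's doc does not state that the cache takes ownership of `message`; in ha_cache.c the implementation either keeps the message or destroys it itself on every path, so callers must not touch it afterwards (ha_dispatcher.c sets `message = NULL` after the call for that reason). Document it as `@param message message to cache, ownership is transferred`. The prototype and its `@param` here name the third parameter `resync`, while the definition in ha_cache.c names it `sync`; align the two.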
diff --git a/src/libcharon/plugins/ha/ha_child.c b/src/libcharon/plugins/ha/ha_child.c index 2eb8e27f6..1a9425423 100644 --- a/src/libcharon/plugins/ha/ha_child.c +++ b/src/libcharon/plugins/ha/ha_child.c @@ -36,22 +36,30 @@ struct private_ha_child_t { * tunnel securing sync messages */ ha_tunnel_t *tunnel; + + /** + * Segment handling + */ + ha_segments_t *segments; + + /** + * Kernel helper + */ + ha_kernel_t *kernel; }; -/** - * Implementation of listener_t.child_keys - */ -static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa, diffie_hellman_t *dh, - chunk_t nonce_i, chunk_t nonce_r) +METHOD(listener_t, child_keys, bool, + private_ha_child_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool initiator, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r) { ha_message_t *m; chunk_t secret; proposal_t *proposal; u_int16_t alg, len; - linked_list_t *list; + linked_list_t *local_ts, *remote_ts; enumerator_t *enumerator; traffic_selector_t *ts; + u_int seg_i, seg_o; if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa)) { /* do not sync SA between nodes */ @@ -61,6 +69,7 @@ static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa, m = ha_message_create(HA_CHILD_ADD); m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); + m->add_attribute(m, HA_INITIATOR, (u_int8_t)initiator); m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE)); m->add_attribute(m, HA_OUTBOUND_SPI, child_sa->get_spi(child_sa, FALSE)); m->add_attribute(m, HA_INBOUND_CPI, child_sa->get_cpi(child_sa, TRUE)); 
@@ -90,31 +99,40 @@ static bool child_keys(private_ha_child_t *this, ike_sa_t *ike_sa, chunk_clear(&secret); } - list = child_sa->get_traffic_selectors(child_sa, TRUE); - enumerator = list->create_enumerator(list); + local_ts = child_sa->get_traffic_selectors(child_sa, TRUE); + enumerator = local_ts->create_enumerator(local_ts); while (enumerator->enumerate(enumerator, &ts)) { m->add_attribute(m, HA_LOCAL_TS, ts); } enumerator->destroy(enumerator); - list = child_sa->get_traffic_selectors(child_sa, FALSE); - enumerator = list->create_enumerator(list); + remote_ts = child_sa->get_traffic_selectors(child_sa, FALSE); + enumerator = remote_ts->create_enumerator(remote_ts); while (enumerator->enumerate(enumerator, &ts)) { m->add_attribute(m, HA_REMOTE_TS, ts); } enumerator->destroy(enumerator); + seg_i = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_my_host(ike_sa), child_sa->get_spi(child_sa, TRUE)); + seg_o = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_other_host(ike_sa), child_sa->get_spi(child_sa, FALSE)); + DBG1(DBG_CFG, "handling HA CHILD_SA %s{%d} %#R=== %#R " + "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), + child_sa->get_reqid(child_sa), local_ts, remote_ts, + seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", + seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); + this->socket->push(this->socket, m); + m->destroy(m); return TRUE; } -/** - * Implementation of listener_t.child_state_change - */ -static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa, - child_sa_t *child_sa, child_sa_state_t state) +METHOD(listener_t, child_state_change, bool, + private_ha_child_t *this, ike_sa_t *ike_sa, + child_sa_t *child_sa, child_sa_state_t state) { if (!ike_sa || ike_sa->get_state(ike_sa) == IKE_PASSIVE || 
@@ -138,14 +156,13 @@ static bool child_state_change(private_ha_child_t *this, ike_sa_t *ike_sa, m->add_attribute(m, HA_INBOUND_SPI, child_sa->get_spi(child_sa, TRUE)); this->socket->push(this->socket, m); + m->destroy(m); } return TRUE; } -/** - * Implementation of ha_child_t.destroy. - */ -static void destroy(private_ha_child_t *this) +METHOD(ha_child_t, destroy, void, + private_ha_child_t *this) { free(this); } @@ -153,17 +170,24 @@ static void destroy(private_ha_child_t *this) /** * See header */ -ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel) +ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_segments_t *segments, ha_kernel_t *kernel) { - private_ha_child_t *this = malloc_thing(private_ha_child_t); - - memset(&this->public.listener, 0, sizeof(listener_t)); - this->public.listener.child_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, child_sa_t *child_sa, diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r))child_keys; - this->public.listener.child_state_change = (bool(*)(listener_t*,ike_sa_t *ike_sa, child_sa_t *child_sa, child_sa_state_t state))child_state_change; - this->public.destroy = (void(*)(ha_child_t*))destroy; - - this->socket = socket; - this->tunnel = tunnel; + private_ha_child_t *this; + + INIT(this, + .public = { + .listener = { + .child_keys = _child_keys, + .child_state_change = _child_state_change, + }, + .destroy = _destroy, + }, + .socket = socket, + .tunnel = tunnel, + .segments = segments, + .kernel = kernel, + ); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_child.h b/src/libcharon/plugins/ha/ha_child.h index ea83495f7..56cd769ba 100644 --- a/src/libcharon/plugins/ha/ha_child.h +++ b/src/libcharon/plugins/ha/ha_child.h 
@@ -21,14 +21,15 @@ #ifndef HA_CHILD_H_ #define HA_CHILD_H_ +typedef struct ha_child_t ha_child_t; + #include "ha_socket.h" #include "ha_tunnel.h" #include "ha_segments.h" +#include "ha_kernel.h" #include -typedef struct ha_child_t ha_child_t; - /** * Listener to synchronize CHILD_SAs. */ @@ -50,8 +51,11 @@ struct ha_child_t { * * @param socket socket to use for sending synchronization messages * @param tunnel tunnel securing sync messages, if any + * @param segments segment handling + * @param kernel kernel helper * @return CHILD listener */ -ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel); +ha_child_t *ha_child_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_segments_t *segments, ha_kernel_t *kernel); -#endif /* HA_CHILD_ @}*/ +#endif /** HA_CHILD_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index 441d26d9e..e188a8484 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c @@ -44,6 +44,11 @@ struct private_ha_ctl_t { */ ha_segments_t *segments; + /** + * Resynchronization message cache + */ + ha_cache_t *cache; + /** * FIFO reader thread */ @@ -84,7 +89,7 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) this->segments->deactivate(this->segments, segment, TRUE); break; case '*': - this->segments->resync(this->segments, segment); + this->cache->resync(this->cache, segment); break; default: break; @@ -96,10 +101,8 @@ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) return JOB_REQUEUE_DIRECT; } -/** - * Implementation of ha_ctl_t.destroy. - */ -static void destroy(private_ha_ctl_t *this) +METHOD(ha_ctl_t, destroy, void, + private_ha_ctl_t *this) { this->job->cancel(this->job); free(this); 
@@ -108,11 +111,17 @@ static void destroy(private_ha_ctl_t *this) /** * See header */ -ha_ctl_t *ha_ctl_create(ha_segments_t *segments) +ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache) { - private_ha_ctl_t *this = malloc_thing(private_ha_ctl_t); + private_ha_ctl_t *this; - this->public.destroy = (void(*)(ha_ctl_t*))destroy; + INIT(this, + .public = { + .destroy = _destroy, + }, + .segments = segments, + .cache = cache, + ); if (access(HA_FIFO, R_OK|W_OK) != 0) { @@ -123,7 +132,6 @@ ha_ctl_t *ha_ctl_create(ha_segments_t *segments) } } - this->segments = segments; this->job = callback_job_create((callback_job_cb_t)dispatch_fifo, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/libcharon/plugins/ha/ha_ctl.h b/src/libcharon/plugins/ha/ha_ctl.h index f33a809be..1e717832a 100644 --- a/src/libcharon/plugins/ha/ha_ctl.h +++ b/src/libcharon/plugins/ha/ha_ctl.h @@ -22,6 +22,7 @@ #define HA_CTL_H_ #include "ha_segments.h" +#include "ha_cache.h" typedef struct ha_ctl_t ha_ctl_t; @@ -40,8 +41,9 @@ struct ha_ctl_t { * Create a ha_ctl instance. * * @param segments segments to control + * @param cache message cache for resynchronization * @return HA control interface */ -ha_ctl_t *ha_ctl_create(ha_segments_t *segments); +ha_ctl_t *ha_ctl_create(ha_segments_t *segments, ha_cache_t *cache); -#endif /* HA_CTL_ @}*/ +#endif /** HA_CTL_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index 7df2f1fa8..3bc426ea0 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -40,6 +40,21 @@ struct private_ha_dispatcher_t { */ ha_segments_t *segments; + /** + * Cache for resync + */ + ha_cache_t *cache; + + /** + * Kernel helper + */ + ha_kernel_t *kernel; + + /** + * HA enabled pool + */ + ha_attribute_t *attr; + /** * Dispatcher job */ 
@@ -153,6 +168,8 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message old_sa = NULL; } ike_sa->set_state(ike_sa, IKE_CONNECTING); + this->cache->cache(this->cache, ike_sa, message); + message = NULL; charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } else @@ -167,6 +184,7 @@ static void process_ike_add(private_ha_dispatcher_t *this, ha_message_t *message { charon->ike_sa_manager->checkin(charon->ike_sa_manager, old_sa); } + DESTROY_IF(message); } /** @@ -201,6 +219,8 @@ static void process_ike_update(private_ha_dispatcher_t *this, enumerator_t *enumerator; ike_sa_t *ike_sa = NULL; peer_cfg_t *peer_cfg = NULL; + auth_cfg_t *auth; + bool received_vip = FALSE; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -222,6 +242,11 @@ static void process_ike_update(private_ha_dispatcher_t *this, case HA_REMOTE_ID: ike_sa->set_other_id(ike_sa, value.id->clone(value.id)); break; + case HA_REMOTE_EAP_ID: + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_EAP_IDENTITY, value.id->clone(value.id)); + ike_sa->add_auth_cfg(ike_sa, FALSE, auth); + break; case HA_LOCAL_ADDR: ike_sa->set_my_host(ike_sa, value.host->clone(value.host)); break; @@ -233,6 +258,7 @@ static void process_ike_update(private_ha_dispatcher_t *this, break; case HA_REMOTE_VIP: ike_sa->set_virtual_ip(ike_sa, FALSE, value.host); + received_vip = TRUE; break; case HA_ADDITIONAL_ADDR: ike_sa->add_additional_address(ike_sa, @@ -265,12 +291,6 @@ static void process_ike_update(private_ha_dispatcher_t *this, set_condition(ike_sa, value.u32, COND_CERTREQ_SEEN); set_condition(ike_sa, value.u32, COND_ORIGINAL_INITIATOR); break; - case HA_INITIATE_MID: - ike_sa->set_message_id(ike_sa, TRUE, value.u32); - break; - case HA_RESPOND_MID: - ike_sa->set_message_id(ike_sa, FALSE, value.u32); - break; default: break; } 
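Review bot: Each HA_REMOTE_EAP_ID attribute creates a fresh `auth_cfg_t` and appends it with `add_auth_cfg`, so a message carrying the attribute twice results in two remote auth rounds on the IKE_SA; if that is intended, a one-line comment saying so would help, otherwise reuse one `auth` across the loop. Whether `ike_sa` can be NULL when this case runs depends on the loop prologue, which is outside the hunk.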
@@ -282,10 +302,81 @@ static void process_ike_update(private_ha_dispatcher_t *this, if (ike_sa->get_state(ike_sa) == IKE_CONNECTING && ike_sa->get_peer_cfg(ike_sa)) { + DBG1(DBG_CFG, "installed HA passive IKE_SA '%s' %H[%Y]...%H[%Y]", + ike_sa->get_name(ike_sa), + ike_sa->get_my_host(ike_sa), ike_sa->get_my_id(ike_sa), + ike_sa->get_other_host(ike_sa), ike_sa->get_other_id(ike_sa)); ike_sa->set_state(ike_sa, IKE_PASSIVE); } + if (received_vip) + { + host_t *vip; + char *pool; + + peer_cfg = ike_sa->get_peer_cfg(ike_sa); + vip = ike_sa->get_virtual_ip(ike_sa, FALSE); + if (peer_cfg && vip) + { + pool = peer_cfg->get_pool(peer_cfg); + if (pool) + { + this->attr->reserve(this->attr, pool, vip); + } + } + } + this->cache->cache(this->cache, ike_sa, message); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } + else + { + DBG1(DBG_CFG, "passive HA IKE_SA to update not found"); + message->destroy(message); + } +} + +/** + * Process messages of type IKE_MID_INITIATOR/RESPONDER + */ +static void process_ike_mid(private_ha_dispatcher_t *this, + ha_message_t *message, bool initiator) +{ + ha_message_attribute_t attribute; + ha_message_value_t value; + enumerator_t *enumerator; + ike_sa_t *ike_sa = NULL; + u_int32_t mid = 0; + + enumerator = message->create_attribute_enumerator(message); + while (enumerator->enumerate(enumerator, &attribute, &value)) + { + switch (attribute) + { + case HA_IKE_ID: + ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, + value.ike_sa_id); + break; + case HA_MID: + mid = value.u32; + break; + default: + break; + } + } + enumerator->destroy(enumerator); + + if (ike_sa) + { + if (mid) + { + ike_sa->set_message_id(ike_sa, initiator, mid); + } + this->cache->cache(this->cache, ike_sa, message); + charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + } + else + { + message->destroy(message); + } } /** 
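Review bot: In process_ike_mid a message carrying HA_IKE_ID more than once checks out an IKE_SA per occurrence and only the last one is checked in, leaving the earlier ones checked out; guard the case with `if (!ike_sa) { ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, value.ike_sa_id); }` (process_ike_delete has the same pattern, but it is not changed by this commit). A message with no usable HA_MID leaves `mid` at 0 and is still cached without any log line; a DBG1 there would make a malformed sync message visible. In the received_vip block of process_ike_update the reservation is silently skipped when the peer config or pool name is missing, and a DBG1 on that path would likewise help when a node receives a VIP it cannot reserve.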
@@ -297,7 +388,7 @@ static void process_ike_delete(private_ha_dispatcher_t *this, ha_message_attribute_t attribute; ha_message_value_t value; enumerator_t *enumerator; - ike_sa_t *ike_sa; + ike_sa_t *ike_sa = NULL; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) @@ -307,17 +398,22 @@ static void process_ike_delete(private_ha_dispatcher_t *this, case HA_IKE_ID: ike_sa = charon->ike_sa_manager->checkout( charon->ike_sa_manager, value.ike_sa_id); - if (ike_sa) - { - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); - } break; default: break; } } enumerator->destroy(enumerator); + if (ike_sa) + { + this->cache->cache(this->cache, ike_sa, message); + charon->ike_sa_manager->checkin_and_destroy( + charon->ike_sa_manager, ike_sa); + } + else + { + message->destroy(message); + } } /** @@ -366,6 +462,7 @@ static void process_child_add(private_ha_dispatcher_t *this, u_int16_t inbound_cpi = 0, outbound_cpi = 0; u_int8_t mode = MODE_TUNNEL, ipcomp = 0; u_int16_t encr = ENCR_UNDEFINED, integ = AUTH_UNDEFINED, len = 0; + u_int seg_i, seg_o; chunk_t nonce_i = chunk_empty, nonce_r = chunk_empty, secret = chunk_empty; chunk_t encr_i, integ_i, encr_r, integ_r; linked_list_t *local_ts, *remote_ts; @@ -381,11 +478,13 @@ static void process_child_add(private_ha_dispatcher_t *this, case HA_IKE_ID: ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, value.ike_sa_id); - initiator = value.ike_sa_id->is_initiator(value.ike_sa_id); break; case HA_CONFIG_NAME: config_name = value.str; break; + case HA_INITIATOR: + initiator = value.u8; + break; case HA_INBOUND_SPI: inbound_spi = value.u32; break; @@ -431,6 +530,7 @@ static void process_child_add(private_ha_dispatcher_t *this, if (!ike_sa) { DBG1(DBG_CHD, "IKE_SA for HA CHILD_SA not found"); + message->destroy(message); return; } config = find_child_cfg(ike_sa, config_name); 
@@ -438,6 +538,7 @@ static void process_child_add(private_ha_dispatcher_t *this, { DBG1(DBG_CHD, "HA is missing nodes child configuration"); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + message->destroy(message); return; } @@ -524,15 +625,27 @@ static void process_child_add(private_ha_dispatcher_t *this, local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy)); remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy)); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); + message->destroy(message); return; } + seg_i = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_my_host(ike_sa), inbound_spi); + seg_o = this->kernel->get_segment_spi(this->kernel, + ike_sa->get_other_host(ike_sa), outbound_spi); + + DBG1(DBG_CFG, "installed HA CHILD_SA %s{%d} %#R=== %#R " + "(segment in: %d%s, out: %d%s)", child_sa->get_name(child_sa), + child_sa->get_reqid(child_sa), local_ts, remote_ts, + seg_i, this->segments->is_active(this->segments, seg_i) ? "*" : "", + seg_o, this->segments->is_active(this->segments, seg_o) ? "*" : ""); child_sa->add_policies(child_sa, local_ts, remote_ts); local_ts->destroy_offset(local_ts, offsetof(traffic_selector_t, destroy)); remote_ts->destroy_offset(remote_ts, offsetof(traffic_selector_t, destroy)); child_sa->set_state(child_sa, CHILD_INSTALLED); ike_sa->add_child_sa(ike_sa, child_sa); + message->destroy(message); charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } @@ -546,6 +659,8 @@ static void process_child_delete(private_ha_dispatcher_t *this, ha_message_value_t value; enumerator_t *enumerator; ike_sa_t *ike_sa = NULL; + child_sa_t *child_sa; + u_int32_t spi = 0; enumerator = message->create_attribute_enumerator(message); while (enumerator->enumerate(enumerator, &attribute, &value)) 
@@ -557,20 +672,24 @@ static void process_child_delete(private_ha_dispatcher_t *this, value.ike_sa_id); break; case HA_INBOUND_SPI: - if (ike_sa) - { - ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, value.u32); - } + spi = value.u32; break; default: break; } } + enumerator->destroy(enumerator); + if (ike_sa) { + child_sa = ike_sa->get_child_sa(ike_sa, PROTO_ESP, spi, TRUE); + if (child_sa) + { + ike_sa->destroy_child_sa(ike_sa, PROTO_ESP, spi); + } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } - enumerator->destroy(enumerator); + message->destroy(message); } /** @@ -605,6 +724,7 @@ static void process_segment(private_ha_dispatcher_t *this, } } enumerator->destroy(enumerator); + message->destroy(message); } /** @@ -633,6 +753,7 @@ static void process_status(private_ha_dispatcher_t *this, enumerator->destroy(enumerator); this->segments->handle_status(this->segments, mask); + message->destroy(message); } /** @@ -651,13 +772,14 @@ static void process_resync(private_ha_dispatcher_t *this, switch (attribute) { case HA_SEGMENT: - this->segments->resync(this->segments, value.u16); + this->cache->resync(this->cache, value.u16); break; default: break; } } enumerator->destroy(enumerator); + message->destroy(message); } /** @@ -666,9 +788,16 @@ static void process_resync(private_ha_dispatcher_t *this, static job_requeue_t dispatch(private_ha_dispatcher_t *this) { ha_message_t *message; + ha_message_type_t type; message = this->socket->pull(this->socket); - switch (message->get_type(message)) + type = message->get_type(message); + if (type != HA_STATUS) + { + DBG2(DBG_CFG, "received HA %N message", ha_message_type_names, + message->get_type(message)); + } + switch (type) { case HA_IKE_ADD: process_ike_add(this, message); 
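Review bot: process_resync (fourth hunk on this line) now forwards `value.u16` straight to `this->cache->resync()`, while the ha_segments resync it replaces first checked `segment > 0 && segment <= this->count`; ha_cache_t is outside this diff, so confirm the range check survived there, since the value comes off the wire and may be used to index per-segment state. In process_child_delete, the new `get_child_sa(..., spi, TRUE)` lookup before destroy_child_sa is a sound defensive step; a `DBG1(DBG_CHD, "HA CHILD_SA to delete not found");` in the not-found branch would make a desynchronised node visible in the log instead of silent. In dispatch, the DBG2 call re-fetches `message->get_type(message)` although `type` was just computed — `ha_message_type_names, type` reads cleaner.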
@@ -676,6 +805,12 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this) case HA_IKE_UPDATE: process_ike_update(this, message); break; + case HA_IKE_MID_INITIATOR: + process_ike_mid(this, message, TRUE); + break; + case HA_IKE_MID_RESPONDER: + process_ike_mid(this, message, FALSE); + break; case HA_IKE_DELETE: process_ike_delete(this, message); break; @@ -698,19 +833,15 @@ static job_requeue_t dispatch(private_ha_dispatcher_t *this) process_resync(this, message); break; default: - DBG1(DBG_CFG, "received unknown HA message type %d", - message->get_type(message)); + DBG1(DBG_CFG, "received unknown HA message type %d", type); + message->destroy(message); break; } - message->destroy(message); - return JOB_REQUEUE_DIRECT; } -/** - * Implementation of ha_dispatcher_t.destroy. - */ -static void destroy(private_ha_dispatcher_t *this) +METHOD(ha_dispatcher_t, destroy, void, + private_ha_dispatcher_t *this) { this->job->cancel(this->job); free(this); @@ -720,14 +851,22 @@ static void destroy(private_ha_dispatcher_t *this) * See header */ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, - ha_segments_t *segments) + ha_segments_t *segments, ha_cache_t *cache, + ha_kernel_t *kernel, ha_attribute_t *attr) { - private_ha_dispatcher_t *this = malloc_thing(private_ha_dispatcher_t); - - this->public.destroy = (void(*)(ha_dispatcher_t*))destroy; - - this->socket = socket; - this->segments = segments; + private_ha_dispatcher_t *this; + + + INIT(this, + .public = { + .destroy = _destroy, + }, + .socket = socket, + .segments = segments, + .cache = cache, + .kernel = kernel, + .attr = attr, + ); this->job = callback_job_create((callback_job_cb_t)dispatch, this, NULL, NULL); charon->processor->queue_job(charon->processor, (job_t*)this->job); diff --git a/src/libcharon/plugins/ha/ha_dispatcher.h b/src/libcharon/plugins/ha/ha_dispatcher.h index d2baace3f..105a40473 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.h +++ b/src/libcharon/plugins/ha/ha_dispatcher.h 
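Review bot: The ownership rule for `message` changes silently in dispatch: the unconditional `message->destroy(message)` after the switch is gone, so every process_* handler must now either hand the message to `this->cache->cache()` or destroy it, and only the `default:` arm still frees locally — nothing in the code says so, and the next handler added will leak. State the contract above the switch: `/* each process_* handler takes ownership of message: it either stores it in the cache for resynchronization or destroys it */`. ha_dispatcher_create is otherwise a straight INIT() conversion; the blank line doubled before `INIT(this,` looks accidental.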
@@ -23,6 +23,9 @@ #include "ha_socket.h" #include "ha_segments.h" +#include "ha_cache.h" +#include "ha_kernel.h" +#include "ha_attribute.h" typedef struct ha_dispatcher_t ha_dispatcher_t; @@ -42,9 +45,13 @@ struct ha_dispatcher_t { * * @param socket socket to pull messages from * @param segments segments to control based on received messages + * @param cache message cache to use for resynchronization + * @param kernel kernel helper + * @param attr HA enabled pool * @return dispatcher object */ ha_dispatcher_t *ha_dispatcher_create(ha_socket_t *socket, - ha_segments_t *segments); + ha_segments_t *segments, ha_cache_t *cache, + ha_kernel_t *kernel, ha_attribute_t *attr); -#endif /* HA_DISPATCHER_ @}*/ +#endif /** HA_DISPATCHER_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_ike.c b/src/libcharon/plugins/ha/ha_ike.c index 1f025d0e5..1efba4e8f 100644 --- a/src/libcharon/plugins/ha/ha_ike.c +++ b/src/libcharon/plugins/ha/ha_ike.c @@ -36,6 +36,11 @@ struct private_ha_ike_t { * tunnel securing sync messages */ ha_tunnel_t *tunnel; + + /** + * message cache + */ + ha_cache_t *cache; }; /** @@ -62,12 +67,9 @@ static ike_extension_t copy_extension(ike_sa_t *ike_sa, ike_extension_t ext) return 0; } -/** - * Implementation of listener_t.ike_keys - */ -static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa, - diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r, - ike_sa_t *rekey) +METHOD(listener_t, ike_keys, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh, + chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey) { ha_message_t *m; chunk_t secret; 
@@ -120,14 +122,13 @@ static bool ike_keys(private_ha_ike_t *this, ike_sa_t *ike_sa, chunk_clear(&secret); this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); return TRUE; } -/** - * Implementation of listener_t.ike_updown - */ -static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) +METHOD(listener_t, ike_updown, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) { ha_message_t *m; @@ -147,6 +148,7 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) u_int32_t extension, condition; host_t *addr; ike_sa_id_t *id; + identification_t *eap_id; peer_cfg = ike_sa->get_peer_cfg(ike_sa); @@ -168,6 +170,11 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) m->add_attribute(m, HA_IKE_ID, id); m->add_attribute(m, HA_LOCAL_ID, ike_sa->get_my_id(ike_sa)); m->add_attribute(m, HA_REMOTE_ID, ike_sa->get_other_id(ike_sa)); + eap_id = ike_sa->get_other_eap_id(ike_sa); + if (!eap_id->equals(eap_id, ike_sa->get_other_id(ike_sa))) + { + m->add_attribute(m, HA_REMOTE_EAP_ID, eap_id); + } m->add_attribute(m, HA_LOCAL_ADDR, ike_sa->get_my_host(ike_sa)); m->add_attribute(m, HA_REMOTE_ADDR, ike_sa->get_other_host(ike_sa)); m->add_attribute(m, HA_CONDITIONS, condition); 
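Review bot: Caching `m` in ike_keys (first hunk) keeps a serialized copy of the DH shared `secret` in memory for the lifetime of the IKE_SA, even though the local copy is scrubbed with `chunk_clear(&secret)` two lines earlier; the retention itself is what resync needs, but ha_message_t's destroy (later in this diff) releases the buffer with a plain `free`, so the secret ends up in freed heap memory when the cache drops the entry. Replace that free with `chunk_clear(&this->buf);` in ha_message destroy so every cached HA_IKE_ADD and CHILD_ADD message is wiped on release. ike_keys starts before this hunk, so whatever else it serializes into `m` is subject to the same consideration. The new HA_REMOTE_EAP_ID attribute is only sent when it differs from the remote ID, which presumes `get_other_eap_id()` never returns NULL — worth a short comment if that is guaranteed.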
@@ -186,24 +193,31 @@ static bool ike_updown(private_ha_ike_t *this, ike_sa_t *ike_sa, bool up) m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); } this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); return TRUE; } -/** - * Implementation of listener_t.ike_rekey - */ -static bool ike_rekey(private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new) +METHOD(listener_t, ike_rekey, bool, + private_ha_ike_t *this, ike_sa_t *old, ike_sa_t *new) { ike_updown(this, old, FALSE); ike_updown(this, new, TRUE); return TRUE; } -/** - * Implementation of listener_t.message - */ -static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa, - message_t *message, bool incoming) +METHOD(listener_t, ike_state_change, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, ike_sa_state_t new) +{ + /* delete any remaining cache entry if IKE_SA gets destroyed */ + if (new == IKE_DESTROYING) + { + this->cache->delete(this->cache, ike_sa); + } + return TRUE; +} + +METHOD(listener_t, message_hook, bool, + private_ha_ike_t *this, ike_sa_t *ike_sa, message_t *message, bool incoming) { if (this->tunnel && this->tunnel->is_sa(this->tunnel, ike_sa)) { /* do not sync SA between nodes */ 
@@ -214,20 +228,19 @@ static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa, message->get_request(message)) { /* we sync on requests, but skip it on IKE_SA_INIT */ ha_message_t *m; - u_int32_t mid; - m = ha_message_create(HA_IKE_UPDATE); - m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); - mid = message->get_message_id(message) + 1; if (incoming) { - m->add_attribute(m, HA_RESPOND_MID, mid); + m = ha_message_create(HA_IKE_MID_RESPONDER); } else { - m->add_attribute(m, HA_INITIATE_MID, mid); + m = ha_message_create(HA_IKE_MID_INITIATOR); } + m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); + m->add_attribute(m, HA_MID, message->get_message_id(message) + 1); this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); } if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && message->get_exchange_type(message) == IKE_AUTH && @@ -245,15 +258,14 @@ static bool message_hook(private_ha_ike_t *this, ike_sa_t *ike_sa, m->add_attribute(m, HA_IKE_ID, ike_sa->get_id(ike_sa)); m->add_attribute(m, HA_REMOTE_VIP, vip); this->socket->push(this->socket, m); + this->cache->cache(this->cache, ike_sa, m); } } return TRUE; } -/** - * Implementation of ha_ike_t.destroy. - */ -static void destroy(private_ha_ike_t *this) +METHOD(ha_ike_t, destroy, void, + private_ha_ike_t *this) { free(this); } 
@@ -261,19 +273,26 @@ static void destroy(private_ha_ike_t *this) /** * See header */ -ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel) +ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_cache_t *cache) { - private_ha_ike_t *this = malloc_thing(private_ha_ike_t); - - memset(&this->public.listener, 0, sizeof(listener_t)); - this->public.listener.ike_keys = (bool(*)(listener_t*, ike_sa_t *ike_sa, diffie_hellman_t *dh,chunk_t nonce_i, chunk_t nonce_r, ike_sa_t *rekey))ike_keys; - this->public.listener.ike_updown = (bool(*)(listener_t*,ike_sa_t *ike_sa, bool up))ike_updown; - this->public.listener.ike_rekey = (bool(*)(listener_t*,ike_sa_t *old, ike_sa_t *new))ike_rekey; - this->public.listener.message = (bool(*)(listener_t*, ike_sa_t *, message_t *,bool))message_hook; - this->public.destroy = (void(*)(ha_ike_t*))destroy; - - this->socket = socket; - this->tunnel = tunnel; + private_ha_ike_t *this; + + INIT(this, + .public = { + .listener = { + .ike_keys = _ike_keys, + .ike_updown = _ike_updown, + .ike_rekey = _ike_rekey, + .ike_state_change = _ike_state_change, + .message = _message_hook, + }, + .destroy = _destroy, + }, + .socket = socket, + .tunnel = tunnel, + .cache = cache, + ); return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_ike.h b/src/libcharon/plugins/ha/ha_ike.h index 9de210e67..b22cd6250 100644 --- a/src/libcharon/plugins/ha/ha_ike.h +++ b/src/libcharon/plugins/ha/ha_ike.h @@ -21,14 +21,15 @@ #ifndef HA_IKE_H_ #define HA_IKE_H_ +typedef struct ha_ike_t ha_ike_t; + #include "ha_socket.h" #include "ha_tunnel.h" #include "ha_segments.h" +#include "ha_cache.h" #include -typedef struct ha_ike_t ha_ike_t; - /** * Listener to synchronize IKE_SAs. */ 
@@ -50,8 +51,10 @@ struct ha_ike_t { * * @param socket socket to use for sending synchronization messages * @param tunnel tunnel securing sync messages, if any + * @param cache message cache * @return IKE listener */ -ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel); +ha_ike_t *ha_ike_create(ha_socket_t *socket, ha_tunnel_t *tunnel, + ha_cache_t *cache); -#endif /* HA_IKE_ @}*/ +#endif /** HA_IKE_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_kernel.c b/src/libcharon/plugins/ha/ha_kernel.c index 0ad9c22c3..10a63453a 100644 --- a/src/libcharon/plugins/ha/ha_kernel.c +++ b/src/libcharon/plugins/ha/ha_kernel.c 
@@ -52,24 +52,57 @@ struct private_ha_kernel_t { }; /** - * Implementation of ha_kernel_t.in_segment + * Segmentate a calculated hash */ -static bool in_segment(private_ha_kernel_t *this, host_t *host, u_int segment) +static u_int hash2segment(private_ha_kernel_t *this, u_int64_t hash) +{ + return ((hash * this->count) >> 32) + 1; +} + +/** + * Get a host as an integer for hashing + */ +static u_int32_t host2int(host_t *host) { if (host->get_family(host) == AF_INET) { - unsigned long hash; - u_int32_t addr; + return *(u_int32_t*)host->get_address(host).ptr; + } + return 0; +} - addr = *(u_int32_t*)host->get_address(host).ptr; - hash = jhash_1word(ntohl(addr), this->initval); +METHOD(ha_kernel_t, get_segment, u_int, + private_ha_kernel_t *this, host_t *host) +{ + unsigned long hash; + u_int32_t addr; - if ((((u_int64_t)hash * this->count) >> 32) + 1 == segment) - { - return TRUE; - } - } - return FALSE; + addr = host2int(host); + hash = jhash_1word(ntohl(addr), this->initval); + + return hash2segment(this, hash); +} + +METHOD(ha_kernel_t, get_segment_spi, u_int, + private_ha_kernel_t *this, host_t *host, u_int32_t spi) +{ + unsigned long hash; + u_int32_t addr; + + addr = host2int(host); + hash = jhash_2words(ntohl(addr), ntohl(spi), this->initval); + + return hash2segment(this, hash); +} + +METHOD(ha_kernel_t, get_segment_int, u_int, + private_ha_kernel_t *this, int n) +{ + unsigned long hash; + + hash = jhash_1word(ntohl(n), this->initval); + + return hash2segment(this, hash); } /** @@ -142,10 +175,8 @@ static segment_mask_t get_active(private_ha_kernel_t *this, char *file) return mask; } -/** - * Implementation of ha_kernel_t.activate - */ -static void activate(private_ha_kernel_t *this, u_int segment) +METHOD(ha_kernel_t, activate, void, + private_ha_kernel_t *this, u_int segment) { enumerator_t *enumerator; char *file; 
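Review bot: host2int returns 0 for every non-AF_INET host, so with the new get_segment/get_segment_spi all IPv6 peers land in the single segment derived from `jhash_1word(0, initval)` (spread only by SPI for CHILD_SAs), whereas the removed in_segment never matched them at all — a behaviour change the commit does not mention, and one that concentrates every IPv6 SA on one node. Fold the full 16-byte address for AF_INET6 instead; the IPv4 path must stay byte-identical because every cluster node has to compute the same segment for the same peer, so any change here needs a coordinated upgrade. The `*(u_int32_t*)` read is pre-existing, but memcpy avoids the aliasing/alignment question if you touch the function anyway.
```c
static u_int32_t host2int(host_t *host)
{
	chunk_t addr = host->get_address(host);
	u_int32_t folded = 0, word;
	size_t i;

	if (host->get_family(host) == AF_INET)
	{
		return *(u_int32_t*)addr.ptr;
	}
	/* AF_INET6: XOR the 32-bit words so IPv6 peers spread over segments too */
	for (i = 0; i + sizeof(word) <= addr.len; i += sizeof(word))
	{
		memcpy(&word, addr.ptr + i, sizeof(word));
		folded ^= word;
	}
	return folded;
}
```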
@@ -158,10 +189,8 @@ static void activate(private_ha_kernel_t *this, u_int segment) enumerator->destroy(enumerator); } -/** - * Implementation of ha_kernel_t.deactivate - */ -static void deactivate(private_ha_kernel_t *this, u_int segment) +METHOD(ha_kernel_t, deactivate, void, + private_ha_kernel_t *this, u_int segment) { enumerator_t *enumerator; char *file; @@ -199,10 +228,8 @@ static void disable_all(private_ha_kernel_t *this) enumerator->destroy(enumerator); } -/** - * Implementation of ha_kernel_t.destroy. - */ -static void destroy(private_ha_kernel_t *this) +METHOD(ha_kernel_t, destroy, void, + private_ha_kernel_t *this) { free(this); } @@ -212,15 +239,20 @@ static void destroy(private_ha_kernel_t *this) */ ha_kernel_t *ha_kernel_create(u_int count) { - private_ha_kernel_t *this = malloc_thing(private_ha_kernel_t); - - this->public.in_segment = (bool(*)(ha_kernel_t*, host_t *host, u_int segment))in_segment; - this->public.activate = (void(*)(ha_kernel_t*, u_int segment))activate; - this->public.deactivate = (void(*)(ha_kernel_t*, u_int segment))deactivate; - this->public.destroy = (void(*)(ha_kernel_t*))destroy; + private_ha_kernel_t *this; - this->initval = 0; - this->count = count; + INIT(this, + .public = { + .get_segment = _get_segment, + .get_segment_spi = _get_segment_spi, + .get_segment_int = _get_segment_int, + .activate = _activate, + .deactivate = _deactivate, + .destroy = _destroy, + }, + .initval = 0, + .count = count, + ); disable_all(this); diff --git a/src/libcharon/plugins/ha/ha_kernel.h b/src/libcharon/plugins/ha/ha_kernel.h index b37cc7667..7b56f1e3a 100644 --- a/src/libcharon/plugins/ha/ha_kernel.h +++ b/src/libcharon/plugins/ha/ha_kernel.h 
@@ -31,13 +31,28 @@ typedef struct ha_kernel_t ha_kernel_t; struct ha_kernel_t { /** - * Check if a host is in a segment. + * Get the segment a host is in. * - * @param host host to check - * @param segment segment - * @return TRUE if host belongs to segment + * @param host host to get segment for + * @return segment number */ - bool (*in_segment)(ha_kernel_t *this, host_t *host, u_int segment); + u_int (*get_segment)(ha_kernel_t *this, host_t *host); + + /** + * Get the segment a host/SPI is in, as used for CHILD_SA segmentation. + * + * @param host host to get segment for + * @param spi SPI to include in hash + * @return segment number + */ + u_int (*get_segment_spi)(ha_kernel_t *this, host_t *host, u_int32_t spi); + + /** + * Get the segment an arbitrary integer is in. + * + * @param n integer to segmentate + */ + u_int (*get_segment_int)(ha_kernel_t *this, int n); /** * Activate a segment at kernel level for all cluster addresses. @@ -63,8 +78,7 @@ struct ha_kernel_t { * Create a ha_kernel instance. * * @param count total number of segments to use - * @param active bitmask of initially active segments */ ha_kernel_t *ha_kernel_create(u_int count); -#endif /* HA_KERNEL_ @}*/ +#endif /** HA_KERNEL_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_message.c b/src/libcharon/plugins/ha/ha_message.c index 54b10f05d..7ce9cbe09 100644 --- a/src/libcharon/plugins/ha/ha_message.c +++ b/src/libcharon/plugins/ha/ha_message.c @@ -46,6 +46,20 @@ struct private_ha_message_t { chunk_t buf; }; +ENUM(ha_message_type_names, HA_IKE_ADD, HA_RESYNC, + "IKE_ADD", + "IKE_UPDATE", + "IKE_MID_INITIATOR", + "IKE_MID_RESPONDER", + "IKE_DELETE", + "CHILD_ADD", + "CHILD_DELETE", + "SEGMENT_DROP", + "SEGMENT_TAKE", + "STATUS", + "RESYNC", +); + typedef struct ike_sa_id_encoding_t ike_sa_id_encoding_t; /** 
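Review bot: The new ha_kernel_t documentation omits the one fact every caller needs — segment numbers are 1-based, running 1..count as hash2segment's `+ 1` shows — and `get_segment_int` has no `@return` at all. Add `@return segment number, 1..count` to get_segment_int and mention on the other two that the same range applies. A sentence on the interface that the get_segment* methods must give identical results on every node (they hash with a fixed initval of 0, so this holds only as long as `count` matches cluster-wide) would document why the hash cannot be randomised.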
@@ -93,10 +107,8 @@ struct ts_encoding_t { char encoding[]; } __attribute__((packed)); -/** - * Implementation of ha_message_t.get_type - */ -static ha_message_type_t get_type(private_ha_message_t *this) +METHOD(ha_message_t, get_type, ha_message_type_t, + private_ha_message_t *this) { return this->buf.ptr[1]; } @@ -119,11 +131,8 @@ static void check_buf(private_ha_message_t *this, size_t len) } } -/** - * Implementation of ha_message_t.add_attribute - */ -static void add_attribute(private_ha_message_t *this, - ha_message_attribute_t attribute, ...) +METHOD(ha_message_t, add_attribute, void, + private_ha_message_t *this, ha_message_attribute_t attribute, ...) { size_t len; va_list args; @@ -154,6 +163,7 @@ static void add_attribute(private_ha_message_t *this, /* identification_t* */ case HA_LOCAL_ID: case HA_REMOTE_ID: + case HA_REMOTE_EAP_ID: { identification_encoding_t *enc; identification_t *id; @@ -203,6 +213,7 @@ static void add_attribute(private_ha_message_t *this, break; } /* u_int8_t */ + case HA_INITIATOR: case HA_IPSEC_MODE: case HA_IPCOMP: { @@ -237,8 +248,7 @@ static void add_attribute(private_ha_message_t *this, case HA_EXTENSIONS: case HA_INBOUND_SPI: case HA_OUTBOUND_SPI: - case HA_INITIATE_MID: - case HA_RESPOND_MID: + case HA_MID: { u_int32_t val; @@ -310,12 +320,9 @@ typedef struct { void *cleanup_data; } attribute_enumerator_t; -/** - * Implementation of create_attribute_enumerator().enumerate - */ -static bool attribute_enumerate(attribute_enumerator_t *this, - ha_message_attribute_t *attr_out, - ha_message_value_t *value) +METHOD(enumerator_t, attribute_enumerate, bool, + attribute_enumerator_t *this, ha_message_attribute_t *attr_out, + ha_message_value_t *value) { ha_message_attribute_t attr; @@ -354,6 +361,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this, /* identification_t* */ case HA_LOCAL_ID: case HA_REMOTE_ID: + case HA_REMOTE_EAP_ID: { identification_encoding_t *enc; 
@@ -417,6 +425,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this, return TRUE; } /* u_int8_t */ + case HA_INITIATOR: case HA_IPSEC_MODE: case HA_IPCOMP: { @@ -453,8 +462,7 @@ static bool attribute_enumerate(attribute_enumerator_t *this, case HA_EXTENSIONS: case HA_INBOUND_SPI: case HA_OUTBOUND_SPI: - case HA_INITIATE_MID: - case HA_RESPOND_MID: + case HA_MID: { if (this->buf.len < sizeof(u_int32_t)) { @@ -559,10 +567,8 @@ static bool attribute_enumerate(attribute_enumerator_t *this, } } -/** - * Implementation of create_attribute_enumerator().destroy - */ -static void enum_destroy(attribute_enumerator_t *this) +METHOD(enumerator_t, enum_destroy, void, + attribute_enumerator_t *this) { if (this->cleanup) { @@ -571,35 +577,30 @@ static void enum_destroy(attribute_enumerator_t *this) free(this); } -/** - * Implementation of ha_message_t.create_attribute_enumerator - */ -static enumerator_t* create_attribute_enumerator(private_ha_message_t *this) +METHOD(ha_message_t, create_attribute_enumerator, enumerator_t*, + private_ha_message_t *this) { - attribute_enumerator_t *e = malloc_thing(attribute_enumerator_t); - - e->public.enumerate = (void*)attribute_enumerate; - e->public.destroy = (void*)enum_destroy; + attribute_enumerator_t *e; - e->buf = chunk_skip(this->buf, 2); - e->cleanup = NULL; - e->cleanup_data = NULL; + INIT(e, + .public = { + .enumerate = (void*)_attribute_enumerate, + .destroy = _enum_destroy, + }, + .buf = chunk_skip(this->buf, 2), + ); return &e->public; } -/** - * Implementation of ha_message_t.get_encoding - */ -static chunk_t get_encoding(private_ha_message_t *this) +METHOD(ha_message_t, get_encoding, chunk_t, + private_ha_message_t *this) { return this->buf; } -/** - * Implementation of ha_message_t.destroy. - */ -static void destroy(private_ha_message_t *this) +METHOD(ha_message_t, destroy, void, + private_ha_message_t *this) { free(this->buf.ptr); free(this); 
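Review bot: ha_message_t's destroy (last hunk here) frees `this->buf.ptr` without wiping it, yet with this commit messages are retained in the cache for the lifetime of an SA, and HA_IKE_ADD/CHILD_ADD messages carry the DH `secret` and CHILD_SA key material (see the `secret`, `encr_*` and `integ_*` chunks in process_child_add earlier in this diff). Use `chunk_clear(&this->buf);` in place of `free(this->buf.ptr);` so the keys are scrubbed before the buffer returns to the heap. The `(void*)_attribute_enumerate` cast in create_attribute_enumerator hides the enumerator signature mismatch; a one-line comment that the cast adapts the typed enumerate() to enumerator_t would spare the next reader a detour.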
@@ -608,14 +609,17 @@ static void destroy(private_ha_message_t *this) static private_ha_message_t *ha_message_create_generic() { - private_ha_message_t *this = malloc_thing(private_ha_message_t); - - this->public.get_type = (ha_message_type_t(*)(ha_message_t*))get_type; - this->public.add_attribute = (void(*)(ha_message_t*, ha_message_attribute_t attribute, ...))add_attribute; - this->public.create_attribute_enumerator = (enumerator_t*(*)(ha_message_t*))create_attribute_enumerator; - this->public.get_encoding = (chunk_t(*)(ha_message_t*))get_encoding; - this->public.destroy = (void(*)(ha_message_t*))destroy; + private_ha_message_t *this; + INIT(this, + .public = { + .get_type = _get_type, + .add_attribute = _add_attribute, + .create_attribute_enumerator = _create_attribute_enumerator, + .get_encoding = _get_encoding, + .destroy = _destroy, + }, + ); return this; } diff --git a/src/libcharon/plugins/ha/ha_message.h b/src/libcharon/plugins/ha/ha_message.h index b2bc23724..50e11830f 100644 --- a/src/libcharon/plugins/ha/ha_message.h +++ b/src/libcharon/plugins/ha/ha_message.h @@ -30,7 +30,7 @@ /** * Protocol version of this implementation */ -#define HA_MESSAGE_VERSION 1 +#define HA_MESSAGE_VERSION 2 typedef struct ha_message_t ha_message_t; typedef enum ha_message_type_t ha_message_type_t; @@ -43,8 +43,12 @@ typedef union ha_message_value_t ha_message_value_t; enum ha_message_type_t { /** add a completely new IKE_SA */ HA_IKE_ADD = 1, - /** update an existing IKE_SA (message IDs, address update, ...) */ + /** update an existing IKE_SA (identities, address update, ...) */ HA_IKE_UPDATE, + /** update initiator message id */ + HA_IKE_MID_INITIATOR, + /** update responder message id */ + HA_IKE_MID_RESPONDER, /** delete an existing IKE_SA */ HA_IKE_DELETE, /** add a new CHILD_SA */ 
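Review bot: HA_MESSAGE_VERSION goes to 2 because HA_IKE_MID_INITIATOR/HA_IKE_MID_RESPONDER are inserted in the middle of ha_message_type_t (and HA_REMOTE_EAP_ID/HA_INITIATOR in the attribute enum in the next hunk), which renumbers every later value on the wire: a version-1 CHILD_DELETE (5) decodes as IKE_DELETE under this numbering. ha_message_parse, which presumably checks the version, is outside this diff, so confirm it rejects any version other than HA_MESSAGE_VERSION outright rather than just logging it. Add a comment on both enums so the next change does not repeat this: `/* values are sent on the wire: append new entries at the end or bump HA_MESSAGE_VERSION */`.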
@@ -61,6 +65,11 @@ enum ha_message_type_t { HA_RESYNC, }; +/** + * Enum names for message types + */ +extern enum_name_t *ha_message_type_names; + /** * Type of attributes contained in a message */ @@ -73,6 +82,8 @@ enum ha_message_attribute_t { HA_LOCAL_ID, /** identification_t*, remote identity */ HA_REMOTE_ID, + /** identification_t*, remote EAP identity */ + HA_REMOTE_EAP_ID, /** host_t*, local address */ HA_LOCAL_ADDR, /** host_t*, remote address */ @@ -89,6 +100,8 @@ enum ha_message_attribute_t { HA_REMOTE_VIP, /** host_t*, additional MOBIKE peer address */ HA_ADDITIONAL_ADDR, + /** u_int8_t, initiator of an exchange, TRUE for local */ + HA_INITIATOR, /** chunk_t, initiators nonce */ HA_NONCE_I, /** chunk_t, responders nonce */ @@ -123,10 +136,8 @@ enum ha_message_attribute_t { HA_LOCAL_TS, /** traffic_selector_t*, remote traffic selector */ HA_REMOTE_TS, - /** u_int32_t, initiating message ID */ - HA_INITIATE_MID, - /** u_int32_t, responding message ID */ - HA_RESPOND_MID, + /** u_int32_t, message ID */ + HA_MID, /** u_int16_t, HA segment */ HA_SEGMENT, }; @@ -190,7 +201,6 @@ struct ha_message_t { /** * Create a new ha_message instance, ready for adding attributes * - * @param version protocol version to create a message from * @param type type of the message */ ha_message_t *ha_message_create(ha_message_type_t type); @@ -202,4 +212,4 @@ ha_message_t *ha_message_create(ha_message_type_t type); */ ha_message_t *ha_message_parse(chunk_t data); -#endif /* HA_MESSAGE_ @}*/ +#endif /** HA_MESSAGE_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_plugin.c b/src/libcharon/plugins/ha/ha_plugin.c index ea255c8ab..e722b4f3a 100644 --- a/src/libcharon/plugins/ha/ha_plugin.c +++ b/src/libcharon/plugins/ha/ha_plugin.c @@ -21,8 +21,11 @@ #include "ha_dispatcher.h" #include "ha_segments.h" #include "ha_ctl.h" +#include "ha_cache.h" +#include "ha_attribute.h" #include +#include #include typedef struct private_ha_plugin_t private_ha_plugin_t; 
@@ -76,20 +79,31 @@ struct private_ha_plugin_t { * Segment control interface via FIFO */ ha_ctl_t *ctl; + + /** + * Message cache for resynchronization + */ + ha_cache_t *cache; + + /** + * Attribute provider + */ + ha_attribute_t *attr; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_ha_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_ha_plugin_t *this) { DESTROY_IF(this->ctl); + hydra->attributes->remove_provider(hydra->attributes, &this->attr->provider); charon->bus->remove_listener(charon->bus, &this->segments->listener); charon->bus->remove_listener(charon->bus, &this->ike->listener); charon->bus->remove_listener(charon->bus, &this->child->listener); this->ike->destroy(this->ike); this->child->destroy(this->child); this->dispatcher->destroy(this->dispatcher); + this->attr->destroy(this->attr); + this->cache->destroy(this->cache); this->segments->destroy(this->segments); this->kernel->destroy(this->kernel); this->socket->destroy(this->socket); @@ -127,11 +141,9 @@ plugin_t *ha_plugin_create() return NULL; } - this = malloc_thing(private_ha_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - this->tunnel = NULL; - this->ctl = NULL; + INIT(this, + .public.plugin.destroy = _destroy, + ); if (secret) { 
@@ -146,17 +158,22 @@ plugin_t *ha_plugin_create() } this->kernel = ha_kernel_create(count); this->segments = ha_segments_create(this->socket, this->kernel, this->tunnel, - count, strcmp(local, remote) > 0, monitor, resync); + count, strcmp(local, remote) > 0, monitor); + this->cache = ha_cache_create(this->kernel, this->socket, resync, count); if (fifo) { - this->ctl = ha_ctl_create(this->segments); + this->ctl = ha_ctl_create(this->segments, this->cache); } - this->dispatcher = ha_dispatcher_create(this->socket, this->segments); - this->ike = ha_ike_create(this->socket, this->tunnel); - this->child = ha_child_create(this->socket, this->tunnel); + this->attr = ha_attribute_create(this->kernel, this->segments); + this->dispatcher = ha_dispatcher_create(this->socket, this->segments, + this->cache, this->kernel, this->attr); + this->ike = ha_ike_create(this->socket, this->tunnel, this->cache); + this->child = ha_child_create(this->socket, this->tunnel, this->segments, + this->kernel); charon->bus->add_listener(charon->bus, &this->segments->listener); charon->bus->add_listener(charon->bus, &this->ike->listener); charon->bus->add_listener(charon->bus, &this->child->listener); + hydra->attributes->add_provider(hydra->attributes, &this->attr->provider); return &this->public.plugin; } diff --git a/src/libcharon/plugins/ha/ha_plugin.h b/src/libcharon/plugins/ha/ha_plugin.h index 1ae2fe6dd..d4d746f91 100644 --- a/src/libcharon/plugins/ha/ha_plugin.h +++ b/src/libcharon/plugins/ha/ha_plugin.h @@ -44,4 +44,4 @@ struct ha_plugin_t { plugin_t plugin; }; -#endif /* HA_PLUGIN_H_ @}*/ +#endif /** HA_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index 2199671fc..be2d7e428 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c 
@@ -22,8 +22,8 @@ #include #include -#define HEARTBEAT_DELAY 1000 -#define HEARTBEAT_TIMEOUT 2100 +#define DEFAULT_HEARTBEAT_DELAY 1000 +#define DEFAULT_HEARTBEAT_TIMEOUT 2100 typedef struct private_ha_segments_t private_ha_segments_t; @@ -81,6 +81,16 @@ struct private_ha_segments_t { * Node number */ u_int node; + + /** + * Interval we send hearbeats + */ + int heartbeat_delay; + + /** + * Timeout for heartbeats received from other node + */ + int heartbeat_timeout; }; /** @@ -168,8 +178,8 @@ static void enable_disable(private_ha_segments_t *this, u_int segment, { continue; } - if (this->kernel->in_segment(this->kernel, - ike_sa->get_other_host(ike_sa), segment)) + if (this->kernel->get_segment(this->kernel, + ike_sa->get_other_host(ike_sa)) == segment) { ike_sa->set_state(ike_sa, new); } @@ -183,6 +193,7 @@ static void enable_disable(private_ha_segments_t *this, u_int segment, message = ha_message_create(type); message->add_attribute(message, HA_SEGMENT, segment); this->socket->push(this->socket, message); + message->destroy(message); } } 
@@ -209,134 +220,36 @@ static void enable_disable_all(private_ha_segments_t *this, u_int segment, this->mutex->unlock(this->mutex); } -/** - * Implementation of ha_segments_t.activate - */ -static void activate(private_ha_segments_t *this, u_int segment, bool notify) +METHOD(ha_segments_t, activate, void, + private_ha_segments_t *this, u_int segment, bool notify) { enable_disable_all(this, segment, TRUE, notify); } -/** - * Implementation of ha_segments_t.deactivate - */ -static void deactivate(private_ha_segments_t *this, u_int segment, bool notify) +METHOD(ha_segments_t, deactivate, void, + private_ha_segments_t *this, u_int segment, bool notify) { enable_disable_all(this, segment, FALSE, notify); } -/** - * Rekey all children of an IKE_SA - */ -static status_t rekey_children(ike_sa_t *ike_sa) +METHOD(listener_t, alert_hook, bool, + private_ha_segments_t *this, ike_sa_t *ike_sa, alert_t alert, va_list args) { - iterator_t *iterator; - child_sa_t *child_sa; - status_t status = SUCCESS; - - iterator = ike_sa->create_child_sa_iterator(ike_sa); - while (iterator->iterate(iterator, (void**)&child_sa)) - { - DBG1(DBG_CFG, "resyncing CHILD_SA"); - status = ike_sa->rekey_child_sa(ike_sa, child_sa->get_protocol(child_sa), - child_sa->get_spi(child_sa, TRUE)); - if (status == DESTROY_ME) - { - break; - } - } - iterator->destroy(iterator); - return status; -} - -/** - * Implementation of ha_segments_t.resync - */ -static void resync(private_ha_segments_t *this, u_int segment) -{ - ike_sa_t *ike_sa; - enumerator_t *enumerator; - linked_list_t *list; - ike_sa_id_t *id; - - list = linked_list_create(); - this->mutex->lock(this->mutex); - - if (segment > 0 && segment <= this->count) + if (alert == ALERT_SHUTDOWN_SIGNAL) { - DBG1(DBG_CFG, "resyncing HA segment %d", segment); - - /* we do the actual rekeying in a seperate loop to avoid rekeying - * an SA twice. 
*/ - enumerator = charon->ike_sa_manager->create_enumerator( - charon->ike_sa_manager); - while (enumerator->enumerate(enumerator, &ike_sa)) + if (this->job) { - if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && - this->kernel->in_segment(this->kernel, - ike_sa->get_other_host(ike_sa), segment)) - { - id = ike_sa->get_id(ike_sa); - list->insert_last(list, id->clone(id)); - } + DBG1(DBG_CFG, "HA heartbeat active, dropping all segments"); + deactivate(this, 0, TRUE); } - enumerator->destroy(enumerator); - } - this->mutex->unlock(this->mutex); - - while (list->remove_last(list, (void**)&id) == SUCCESS) - { - ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, id); - id->destroy(id); - if (ike_sa) + else { - DBG1(DBG_CFG, "resyncing IKE_SA"); - if (ike_sa->rekey(ike_sa) != DESTROY_ME) - { - if (rekey_children(ike_sa) != DESTROY_ME) - { - charon->ike_sa_manager->checkin( - charon->ike_sa_manager, ike_sa); - continue; - } - } - charon->ike_sa_manager->checkin_and_destroy( - charon->ike_sa_manager, ike_sa); + DBG1(DBG_CFG, "no HA heartbeat active, closing IKE_SAs"); } } - list->destroy(list); -} - -/** - * Implementation of listener_t.alert - */ -static bool alert_hook(private_ha_segments_t *this, ike_sa_t *ike_sa, - alert_t alert, va_list args) -{ - if (alert == ALERT_SHUTDOWN_SIGNAL) - { - deactivate(this, 0, TRUE); - } return TRUE; } -/** - * Request a resync of all segments - */ -static job_requeue_t request_resync(private_ha_segments_t *this) -{ - ha_message_t *message; - int i; - - message = ha_message_create(HA_RESYNC); - for (i = 1; i <= this->count; i++) - { - message->add_attribute(message, HA_SEGMENT, i); - } - this->socket->push(this->socket, message); - return JOB_REQUEUE_NONE; -} - /** * Monitor heartbeat activity of remote node */ 
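Review bot: In `alert_hook`, `this->job` is read without `this->mutex`, while the same field appears to be set in `start_watchdog` and tested again in `destroy` (both in the next hunk), so an alert delivered concurrently with teardown may observe a stale pointer; if the mutex is meant to guard `this->job`, take it around the check. The else branch only logs `no HA heartbeat active, closing IKE_SAs` and performs no action, which reads as if this function does the closing — a comment such as `/* no segments to drop; IKE_SAs are closed by the regular shutdown path */` (confirm where that actually happens) would make the intent clear. `enable_disable_all` at the top of the hunk begins outside it.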
@@ -349,7 +262,7 @@ static job_requeue_t watchdog(private_ha_segments_t *this) pthread_cleanup_push((void*)this->mutex->unlock, this->mutex); pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); timeout = this->condvar->timed_wait(this->condvar, this->mutex, - HEARTBEAT_TIMEOUT); + this->heartbeat_timeout); pthread_setcancelstate(oldstate, NULL); pthread_cleanup_pop(TRUE); if (timeout) @@ -373,10 +286,8 @@ static void start_watchdog(private_ha_segments_t *this) charon->processor->queue_job(charon->processor, (job_t*)this->job); } -/** - * Implementation of ha_segments_t.handle_status - */ -static void handle_status(private_ha_segments_t *this, segment_mask_t mask) +METHOD(ha_segments_t, handle_status, void, + private_ha_segments_t *this, segment_mask_t mask) { segment_mask_t missing; int i; @@ -431,20 +342,25 @@ static job_requeue_t send_status(private_ha_segments_t *this) } this->socket->push(this->socket, message); + message->destroy(message); /* schedule next invocation */ charon->scheduler->schedule_job_ms(charon->scheduler, (job_t*) callback_job_create((callback_job_cb_t) send_status, this, NULL, NULL), - HEARTBEAT_DELAY); + this->heartbeat_delay); return JOB_REQUEUE_NONE; } -/** - * Implementation of ha_segments_t.destroy. - */ -static void destroy(private_ha_segments_t *this) +METHOD(ha_segments_t, is_active, bool, + private_ha_segments_t *this, u_int segment) +{ + return (this->active & SEGMENTS_BIT(segment)) != 0; +} + +METHOD(ha_segments_t, destroy, void, + private_ha_segments_t *this) { if (this->job) { 
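Review bot: `is_active` tests `this->active & SEGMENTS_BIT(segment)` without holding `this->mutex`, although the other paths in this file manipulate `active` under that mutex (`enable_disable_all` unlocks it at the start of the `-209` hunk), and it performs no range check on `segment`. If `SEGMENTS_BIT()` shifts by `segment - 1` (the macro is not in the hunk), passing `0` — the value `alert_hook` uses to mean "all segments" — or a value above `this->count` is undefined behaviour; consider `if (segment == 0 || segment > this->count) return FALSE;` before the bit test and a comment stating whether a racy read is acceptable for callers. The new `message->destroy(message)` after `push()` in `send_status` correctly matches the ownership change in `ha_socket.c`.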
@@ -460,44 +376,40 @@ static void destroy(private_ha_segments_t *this) */ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, ha_tunnel_t *tunnel, u_int count, u_int node, - bool monitor, bool sync) + bool monitor) { - private_ha_segments_t *this = malloc_thing(private_ha_segments_t); - - memset(&this->public.listener, 0, sizeof(listener_t)); - this->public.listener.alert = (bool(*)(listener_t*, ike_sa_t *, alert_t, va_list))alert_hook; - this->public.activate = (void(*)(ha_segments_t*, u_int segment,bool))activate; - this->public.deactivate = (void(*)(ha_segments_t*, u_int segment,bool))deactivate; - this->public.resync = (void(*)(ha_segments_t*, u_int segment))resync; - this->public.handle_status = (void(*)(ha_segments_t*, segment_mask_t mask))handle_status; - this->public.destroy = (void(*)(ha_segments_t*))destroy; - - this->socket = socket; - this->tunnel = tunnel; - this->kernel = kernel; - this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - this->condvar = condvar_create(CONDVAR_TYPE_DEFAULT); - this->count = count; - this->node = node; - this->job = NULL; - - /* initially all segments are deactivated */ - this->active = 0; + private_ha_segments_t *this; + + INIT(this, + .public = { + .listener.alert = _alert_hook, + .activate = _activate, + .deactivate = _deactivate, + .handle_status = _handle_status, + .is_active = _is_active, + .destroy = _destroy, + }, + .socket = socket, + .tunnel = tunnel, + .kernel = kernel, + .count = count, + .node = node, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), + .condvar = condvar_create(CONDVAR_TYPE_DEFAULT), + .heartbeat_delay = lib->settings->get_int(lib->settings, + "charon.plugins.ha.heartbeat_delay", DEFAULT_HEARTBEAT_DELAY), + .heartbeat_timeout = lib->settings->get_int(lib->settings, + "charon.plugins.ha.heartbeat_timeout", DEFAULT_HEARTBEAT_TIMEOUT), + ); if (monitor) { + DBG1(DBG_CFG, "starting HA heartbeat, delay %dms, timeout %dms", + this->heartbeat_delay, this->heartbeat_timeout); 
send_status(this); start_watchdog(this); } - if (sync) - { - /* request a resync as soon as we are up */ - charon->processor->queue_job(charon->processor, (job_t*) - callback_job_create((callback_job_cb_t)request_resync, - this, NULL, NULL)); - } - return &this->public; } diff --git a/src/libcharon/plugins/ha/ha_segments.h b/src/libcharon/plugins/ha/ha_segments.h index 6d1cd5441..eb9e5c1d5 100644 --- a/src/libcharon/plugins/ha/ha_segments.h +++ b/src/libcharon/plugins/ha/ha_segments.h @@ -68,23 +68,19 @@ struct ha_segments_t { void (*deactivate)(ha_segments_t *this, u_int segment, bool notify); /** - * Resync an active segment. - * - * To reintegrade a node into the cluster, resynchronization is reqired. - * IKE_SAs and CHILD_SAs are synced automatically during rekeying. A call - * to this method enforces a rekeying immediately sync all state of a - * segment. + * Handle a status message from the remote node. * - * @param segment segment to resync + * @param mask segments the remote node is serving actively */ - void (*resync)(ha_segments_t *this, u_int segment); + void (*handle_status)(ha_segments_t *this, segment_mask_t mask); /** - * Handle a status message from the remote node. + * Check if a given segment is currently active. * - * @param mask segments the remote node is serving actively + * @param segment segment to check + * @return TRUE if segment active */ - void (*handle_status)(ha_segments_t *this, segment_mask_t mask); + bool (*is_active)(ha_segments_t *this, u_int segment); /** * Destroy a ha_segments_t. 
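Review bot: `heartbeat_delay` and `heartbeat_timeout` are taken from `lib->settings` and used unvalidated: a zero or negative `charon.plugins.ha.heartbeat_delay` would re-queue `send_status` without pause via `schedule_job_ms()`, and a timeout that is not larger than the delay makes the watchdog expire on a healthy peer and drop all segments, which is an availability problem for the cluster. After `INIT`, fall back to the defaults for out-of-range values, e.g. `if (this->heartbeat_delay <= 0) this->heartbeat_delay = DEFAULT_HEARTBEAT_DELAY;` and `if (this->heartbeat_timeout <= this->heartbeat_delay) this->heartbeat_timeout = DEFAULT_HEARTBEAT_TIMEOUT;`, and log when a configured value is overridden. `mutex_create()`/`condvar_create()` results are still used without a check, as before.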
@@ -101,11 +97,10 @@ struct ha_segments_t { * @param count number of segments the cluster uses * @param node node, currently 1 or 0 * @param monitor should we use monitoring functionality - * @param resync request a complete resync on startup * @return segment object */ ha_segments_t *ha_segments_create(ha_socket_t *socket, ha_kernel_t *kernel, ha_tunnel_t *tunnel, u_int count, u_int node, - bool monitor, bool resync); + bool monitor); -#endif /* HA_SEGMENTS_ @}*/ +#endif /** HA_SEGMENTS_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index b84b02868..21e6eb6d5 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -58,8 +58,8 @@ struct private_ha_socket_t { * Data to pass to the send_message() callback job */ typedef struct { - ha_message_t *message; - private_ha_socket_t *this; + chunk_t chunk; + int fd; } job_data_t; /** @@ -67,7 +67,7 @@ typedef struct { */ static void job_data_destroy(job_data_t *this) { - this->message->destroy(this->message); + free(this->chunk.ptr); free(this); } @@ -76,22 +76,15 @@ static void job_data_destroy(job_data_t *this) */ static job_requeue_t send_message(job_data_t *data) { - private_ha_socket_t *this; - chunk_t chunk; - - this = data->this; - chunk = data->message->get_encoding(data->message); - if (send(this->fd, chunk.ptr, chunk.len, 0) < chunk.len) + if (send(data->fd, data->chunk.ptr, data->chunk.len, 0) < data->chunk.len) { DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno)); } return JOB_REQUEUE_NONE; } -/** - * Implementation of ha_socket_t.push - */ -static void push(private_ha_socket_t *this, ha_message_t *message) +METHOD(ha_socket_t, push, void, + private_ha_socket_t *this, ha_message_t *message) { chunk_t chunk; 
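Review bot: In the rewritten `send_message`, `send(...) < data->chunk.len` compares the `ssize_t` result with an unsigned length (`chunk_t.len` is `size_t`, as far as I know), so a `-1` from `send()` is promoted to a huge unsigned value and the failure branch is never taken — a lost synchronisation message is silently dropped instead of logged. Use `ssize_t sent = send(data->fd, data->chunk.ptr, data->chunk.len, 0);` followed by `if (sent < 0 || (size_t)sent < data->chunk.len)`. The same pattern existed before the change, but the line is rewritten here, so it is the place to fix it; `push` at the end of the hunk continues outside it.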
@@ -107,9 +100,10 @@ static void push(private_ha_socket_t *this, ha_message_t *message) /* Fallback to asynchronous transmission. This is required, as sendto() * is a blocking call if it acquires a policy. We could end up in a * deadlock, as we own an IKE_SA. */ - data = malloc_thing(job_data_t); - data->message = message; - data->this = this; + INIT(data, + .chunk = chunk_clone(chunk), + .fd = this->fd, + ); job = callback_job_create((callback_job_cb_t)send_message, data, (void*)job_data_destroy, NULL); @@ -118,13 +112,10 @@ static void push(private_ha_socket_t *this, ha_message_t *message) } DBG1(DBG_CFG, "pushing HA message failed: %s", strerror(errno)); } - message->destroy(message); } -/** - * Implementation of ha_socket_t.pull - */ -static ha_message_t *pull(private_ha_socket_t *this) +METHOD(ha_socket_t, pull, ha_message_t*, + private_ha_socket_t *this) { while (TRUE) { @@ -189,10 +180,8 @@ static bool open_socket(private_ha_socket_t *this) return TRUE; } -/** - * Implementation of ha_socket_t.destroy. - */ -static void destroy(private_ha_socket_t *this) +METHOD(ha_socket_t, destroy, void, + private_ha_socket_t *this) { if (this->fd != -1) { @@ -208,15 +197,18 @@ static void destroy(private_ha_socket_t *this) */ ha_socket_t *ha_socket_create(char *local, char *remote) { - private_ha_socket_t *this = malloc_thing(private_ha_socket_t); - - this->public.push = (void(*)(ha_socket_t*, ha_message_t*))push; - this->public.pull = (ha_message_t*(*)(ha_socket_t*))pull; - this->public.destroy = (void(*)(ha_socket_t*))destroy; + private_ha_socket_t *this; - this->local = host_create_from_dns(local, 0, HA_PORT); - this->remote = host_create_from_dns(remote, 0, HA_PORT); - this->fd = -1; + INIT(this, + .public = { + .push = _push, + .pull = _pull, + .destroy = _destroy, + }, + .local = host_create_from_dns(local, 0, HA_PORT), + .remote = host_create_from_dns(remote, 0, HA_PORT), + .fd = -1, + ); if (!this->local || !this->remote) { 
diff --git a/src/libcharon/plugins/ha/ha_socket.h b/src/libcharon/plugins/ha/ha_socket.h index 8d398e22b..a4789a51d 100644 --- a/src/libcharon/plugins/ha/ha_socket.h +++ b/src/libcharon/plugins/ha/ha_socket.h @@ -35,7 +35,7 @@ struct ha_socket_t { /** * Push synchronization information to the responsible node. * - * @param message message to send, gets destroyed by push() + * @param message message to send */ void (*push)(ha_socket_t *this, ha_message_t *message); @@ -57,4 +57,4 @@ struct ha_socket_t { */ ha_socket_t *ha_socket_create(char *local, char *remote); -#endif /* HA_SOCKET_ @}*/ +#endif /** HA_SOCKET_ @}*/ diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index b3511e5f0..fef84a430 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c @@ -92,10 +92,8 @@ struct private_ha_tunnel_t { ha_creds_t creds; }; -/** - * Implementation of ha_tunnel_t.is_sa - */ -static bool is_sa(private_ha_tunnel_t *this, ike_sa_t *ike_sa) +METHOD(ha_tunnel_t, is_sa, bool, + private_ha_tunnel_t *this, ike_sa_t *ike_sa) { peer_cfg_t *cfg = this->backend.cfg; @@ -112,11 +110,8 @@ typedef struct { shared_key_t *key; } shared_enum_t; -/** - * Implementation of shared_enum_t.enumerate - */ -static bool shared_enumerate(shared_enum_t *this, shared_key_t **key, - id_match_t *me, id_match_t *other) +METHOD(enumerator_t, shared_enumerate, bool, + shared_enum_t *this, shared_key_t **key, id_match_t *me, id_match_t *other) { if (this->key) { 
@@ -135,12 +130,9 @@ static bool shared_enumerate(shared_enum_t *this, shared_key_t **key, return FALSE; } -/** - * Implements ha_creds_t.create_shared_enumerator - */ -static enumerator_t* create_shared_enumerator(ha_creds_t *this, - shared_key_type_t type, identification_t *me, - identification_t *other) +METHOD(ha_creds_t, create_shared_enumerator, enumerator_t*, + ha_creds_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) { shared_enum_t *enumerator; @@ -157,28 +149,25 @@ static enumerator_t* create_shared_enumerator(ha_creds_t *this, return NULL; } - enumerator = malloc_thing(shared_enum_t); - enumerator->public.enumerate = (void*)shared_enumerate; - enumerator->public.destroy = (void*)free; - enumerator->key = this->key; + INIT(enumerator, + .public = { + .enumerate = (void*)_shared_enumerate, + .destroy = (void*)free, + }, + .key = this->key, + ); return &enumerator->public; } -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(ha_backend_t *this, - identification_t *me, identification_t *other) +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + ha_backend_t *this, identification_t *me, identification_t *other) { return enumerator_create_single(this->cfg, NULL); } -/** - * Implementation of backend_t.create_ike_cfg_enumerator. - */ -static enumerator_t* create_ike_cfg_enumerator(ha_backend_t *this, - host_t *me, host_t *other) +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + ha_backend_t *this, host_t *me, host_t *other) { return enumerator_create_single(this->cfg->get_ike_cfg(this->cfg), NULL); } 
@@ -207,11 +196,11 @@ static void setup_tunnel(private_ha_tunnel_t *this, chunk_clone(chunk_create(secret, strlen(secret)))); this->creds.public.create_private_enumerator = (void*)return_null; this->creds.public.create_cert_enumerator = (void*)return_null; - this->creds.public.create_shared_enumerator = (void*)create_shared_enumerator; + this->creds.public.create_shared_enumerator = (void*)_create_shared_enumerator; this->creds.public.create_cdp_enumerator = (void*)return_null; this->creds.public.cache_cert = (void*)nop; - charon->credentials->add_set(charon->credentials, &this->creds.public); + lib->credmgr->add_set(lib->credmgr, &this->creds.public); /* create config and backend */ ike_cfg = ike_cfg_create(FALSE, FALSE, local, IKEV2_UDP_PORT, @@ -233,8 +222,9 @@ static void setup_tunnel(private_ha_tunnel_t *this, identification_create_from_string(remote)); peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); - child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, - MODE_TRANSPORT, ACTION_NONE, ACTION_NONE, FALSE, 0); + child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT, + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535); @@ -247,8 +237,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, peer_cfg->add_child_cfg(peer_cfg, child_cfg); this->backend.cfg = peer_cfg; - this->backend.public.create_peer_cfg_enumerator = (void*)create_peer_cfg_enumerator; - this->backend.public.create_ike_cfg_enumerator = (void*)create_ike_cfg_enumerator; + this->backend.public.create_peer_cfg_enumerator = (void*)_create_peer_cfg_enumerator; + this->backend.public.create_ike_cfg_enumerator = (void*)_create_ike_cfg_enumerator; this->backend.public.get_peer_cfg_by_name = (void*)return_null; charon->backends->add_backend(charon->backends, &this->backend.public); 
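Review bot: The extended `child_cfg_create()` call in `setup_tunnel` now ends in four bare positional literals, `0, 0, NULL, NULL`, with nothing indicating what each one configures for the HA tunnel's CHILD_SA; presumably they are the parameters added to `child_cfg_create` in this release, but a reader cannot verify that from the call. Add a trailing comment naming the parameter each literal sets (or introduce named locals) so the tunnel's traffic configuration stays reviewable. `setup_tunnel` starts and ends outside the hunk.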
@@ -257,10 +247,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, this->trap = charon->traps->install(charon->traps, peer_cfg, child_cfg); } -/** - * Implementation of ha_tunnel_t.destroy. - */ -static void destroy(private_ha_tunnel_t *this) +METHOD(ha_tunnel_t, destroy, void, + private_ha_tunnel_t *this) { if (this->backend.cfg) { @@ -269,7 +257,7 @@ static void destroy(private_ha_tunnel_t *this) } if (this->creds.key) { - charon->credentials->remove_set(charon->credentials, &this->creds.public); + lib->credmgr->remove_set(lib->credmgr, &this->creds.public); this->creds.key->destroy(this->creds.key); } this->creds.local->destroy(this->creds.local); @@ -286,10 +274,14 @@ static void destroy(private_ha_tunnel_t *this) */ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret) { - private_ha_tunnel_t *this = malloc_thing(private_ha_tunnel_t); + private_ha_tunnel_t *this; - this->public.is_sa = (bool(*)(ha_tunnel_t*, ike_sa_t *ike_sa))is_sa; - this->public.destroy = (void(*)(ha_tunnel_t*))destroy; + INIT(this, + .public = { + .is_sa = _is_sa, + .destroy = _destroy, + }, + ); setup_tunnel(this, local, remote, secret); diff --git a/src/libcharon/plugins/ha/ha_tunnel.h b/src/libcharon/plugins/ha/ha_tunnel.h index 085fb6122..549e33055 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.h +++ b/src/libcharon/plugins/ha/ha_tunnel.h @@ -54,4 +54,4 @@ struct ha_tunnel_t { */ ha_tunnel_t *ha_tunnel_create(char *local, char *remote, char *secret); -#endif /* HA_TUNNEL_H_ @}*/ +#endif /** HA_TUNNEL_H_ @}*/ diff --git a/src/libcharon/plugins/kernel_klips/Makefile.in b/src/libcharon/plugins/kernel_klips/Makefile.in index f0d112a0f..9cac89ec3 100644 --- a/src/libcharon/plugins/kernel_klips/Makefile.in +++ b/src/libcharon/plugins/kernel_klips/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c index 01df4f71a..6b5aeb342 100644 --- a/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libcharon/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1690,10 +1690,11 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime, - u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, - ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, - bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) + protocol_id_t protocol, u_int32_t reqid, mark_t mark, + lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, + u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, + traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1849,7 +1850,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, METHOD(kernel_ipsec_t, update_sa, status_t, private_kernel_klips_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool encap, bool new_encap) + bool encap, bool new_encap, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; 
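Review bot: In the KLIPS `add_sa`, the new `mark_t mark` parameter is accepted but nothing in this hunk uses it, and the same holds for the other KLIPS signature hunks (`update_sa` here; `query_sa`, `del_sa`, `add_policy`, `query_policy` in the following hunks; `del_policy` after them), so a configuration that relies on marks to separate overlapping traffic may be installed without them and match the wrong SA or policy. If KLIPS cannot express marks, the entry points that install state should refuse a non-zero mark explicitly rather than dropping it, e.g. `if (mark.value) { DBG1(DBG_KNL, "marks are not supported by KLIPS"); return NOT_SUPPORTED; }` at the top of `add_sa` and `add_policy`. The bodies of these functions continue outside the hunks.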
@@ -1920,14 +1921,14 @@ METHOD(kernel_ipsec_t, update_sa, status_t, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { return NOT_SUPPORTED; /* TODO */ } METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -1992,8 +1993,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, traffic_selector_t *src_ts, traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t spi, protocol_id_t protocol, - u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, - bool routed) + u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool routed) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg, *out; @@ -2210,7 +2211,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t, METHOD(kernel_ipsec_t, query_policy, status_t, private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + u_int32_t *use_time) { #define IDLE_PREFIX "idle=" static const char *path_eroute = "/proc/net/ipsec_eroute"; 
@@ -2365,7 +2367,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t, METHOD(kernel_ipsec_t, del_policy, status_t, private_kernel_klips_ipsec_t *this, traffic_selector_t *src_ts, - traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted) + traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark, + bool unrouted) { unsigned char request[PFKEY_BUFFER_SIZE]; struct sadb_msg *msg = (struct sadb_msg*)request, *out; @@ -2574,7 +2577,7 @@ METHOD(kernel_ipsec_t, destroy, void, { close(this->socket); } - if (this->socket_evnets > 0) + if (this->socket_events > 0) { close(this->socket_events); } diff --git a/src/libcharon/plugins/kernel_netlink/Makefile.in b/src/libcharon/plugins/kernel_netlink/Makefile.in index 8c9965467..49cc895bc 100644 --- a/src/libcharon/plugins/kernel_netlink/Makefile.in +++ b/src/libcharon/plugins/kernel_netlink/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c index 1b8c1b879..019ec93f8 100644 --- a/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c +++ b/src/libcharon/plugins/kernel_netlink/kernel_netlink_ipsec.c @@ -280,6 +280,9 @@ struct policy_entry_t { /** parameters of installed policy */ struct xfrm_selector sel; + /** optional mark */ + u_int32_t mark; + /** associated route installed for this policy */ route_entry_t *route; @@ -292,7 +295,8 @@ struct policy_entry_t { */ static u_int policy_hash(policy_entry_t *key) { - chunk_t chunk = chunk_create((void*)&key->sel, sizeof(struct xfrm_selector)); + chunk_t chunk = chunk_create((void*)&key->sel, + sizeof(struct xfrm_selector) + sizeof(u_int32_t)); return chunk_hash(chunk); } 
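Review bot: `policy_hash` now hashes `sizeof(struct xfrm_selector) + sizeof(u_int32_t)` bytes starting at `&key->sel`, which only covers the new `mark` field if the compiler lays it out immediately after `sel` with no padding; `policy_equals` in the next hunk makes the same assumption. That probably holds today (both end on 4-byte alignment), but inserting a field between them or changing the type of `mark` would silently corrupt hashing and equality without any compile error. Either hash/compare the two fields separately, or derive the span as `offsetof(policy_entry_t, mark) + sizeof(key->mark) - offsetof(policy_entry_t, sel)` and add a comment on the struct that `sel` and `mark` must stay adjacent.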
@@ -301,7 +305,8 @@ static u_int policy_hash(policy_entry_t *key) */ static bool policy_equals(policy_entry_t *key, policy_entry_t *other_key) { - return memeq(&key->sel, &other_key->sel, sizeof(struct xfrm_selector)) && + return memeq(&key->sel, &other_key->sel, + sizeof(struct xfrm_selector) + sizeof(u_int32_t)) && key->direction == other_key->direction; } @@ -917,11 +922,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, + u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, - u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, - u_int16_t cpi, bool encap, bool inbound, traffic_selector_t* src_ts, - traffic_selector_t* dst_ts) + u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, + u_int16_t cpi, bool encap, bool inbound, + traffic_selector_t* src_ts, traffic_selector_t* dst_ts) { netlink_buf_t request; char *alg_name; @@ -934,8 +939,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (ipcomp != IPCOMP_NONE && cpi != 0) { lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}}; - add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, &lft, - ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, + add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, + &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, ipcomp, 0, FALSE, inbound, NULL, NULL); ipcomp = IPCOMP_NONE; /* use transport mode ESP SA, IPComp uses tunnel mode */ 
@@ -944,9 +949,16 @@ METHOD(kernel_ipsec_t, add_sa, status_t, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", - ntohl(spi), reqid); - + if (mark.value) + { + DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u} " + "(mark %u/0x%8x)", ntohl(spi), reqid, mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "adding SAD entry with SPI %.8x and reqid {%u}", + ntohl(spi), reqid); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = inbound ? XFRM_MSG_UPDSA : XFRM_MSG_NEWSA; @@ -1151,6 +1163,8 @@ METHOD(kernel_ipsec_t, add_sa, status_t, if (encap) { + struct xfrm_encap_tmpl *tmpl; + rthdr->rta_type = XFRMA_ENCAP; rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_encap_tmpl)); @@ -1160,7 +1174,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t, return FAILED; } - struct xfrm_encap_tmpl* tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); + tmpl = (struct xfrm_encap_tmpl*)RTA_DATA(rthdr); tmpl->encap_type = UDP_ENCAP_ESPINUDP; tmpl->encap_sport = htons(src->get_port(src)); tmpl->encap_dport = htons(dst->get_port(dst)); @@ -1177,9 +1191,36 @@ METHOD(kernel_ipsec_t, add_sa, status_t, rthdr = XFRM_RTA_NEXT(rthdr); } + if (mark.value) + { + struct xfrm_mark *mrk; + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + rthdr = XFRM_RTA_NEXT(rthdr); + } + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); + if (mark.value) + { + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x " + "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask); + } + else + { + DBG1(DBG_KNL, "unable to add SAD entry with SPI %.8x", ntohl(spi)); + } return FAILED; } return SUCCESS; 
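Review bot: The new debug output prints the mark mask with `0x%8x`, which pads with spaces instead of zeros (`0x      ff`), whereas the `0x` prefix suggests `0x%08x` was intended. The same specifier recurs in the `query_sa`, `del_sa` and `add_policy` hunks that follow, and at every site the whole DBG call is duplicated in an if/else for the mark/no-mark case; a small static helper that formats the optional `" (mark %u/0x%08x)"` suffix into a caller-supplied buffer would remove the repetition and keep the format in one place. The new `XFRMA_MARK` attribute is correctly guarded by the `hdr->nlmsg_len > sizeof(request)` check before the write.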
@@ -1275,7 +1316,7 @@ static status_t get_replay_state(private_kernel_netlink_ipsec_t *this, METHOD(kernel_ipsec_t, query_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes) + u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes) { netlink_buf_t request; struct nlmsghdr *out = NULL, *hdr; @@ -1285,8 +1326,15 @@ METHOD(kernel_ipsec_t, query_sa, status_t, memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); - + if (mark.value) + { + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x (mark %u/0x%8x)", + ntohl(spi), mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "querying SAD entry with SPI %.8x", ntohl(spi)); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST; hdr->nlmsg_type = XFRM_MSG_GETSA; @@ -1298,6 +1346,24 @@ METHOD(kernel_ipsec_t, query_sa, status_t, sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); + if (mark.value) + { + struct xfrm_mark *mrk; + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id); + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } + if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS) { hdr = out; 
@@ -1313,8 +1379,20 @@ METHOD(kernel_ipsec_t, query_sa, status_t, case NLMSG_ERROR: { struct nlmsgerr *err = NLMSG_DATA(hdr); - DBG1(DBG_KNL, "querying SAD entry with SPI %.8x failed: %s (%d)", - ntohl(spi), strerror(-err->error), -err->error); + + if (mark.value) + { + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " + "(mark %u/0x%8x) failed: %s (%d)", + ntohl(spi), mark.value, mark.mask, + strerror(-err->error), -err->error); + } + else + { + DBG1(DBG_KNL, "querying SAD entry with SPI %.8x " + "failed: %s (%d)", ntohl(spi), + strerror(-err->error), -err->error); + } break; } default: @@ -1341,7 +1419,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t, METHOD(kernel_ipsec_t, del_sa, status_t, private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, - u_int32_t spi, protocol_id_t protocol, u_int16_t cpi) + u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark) { netlink_buf_t request; struct nlmsghdr *hdr; @@ -1350,13 +1428,20 @@ METHOD(kernel_ipsec_t, del_sa, status_t, /* if IPComp was used, we first delete the additional IPComp SA */ if (cpi) { - del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0); + del_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, 0, mark); } memset(&request, 0, sizeof(request)); - DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); - + if (mark.value) + { + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x (mark %u/0x%8x)", + ntohl(spi), mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "deleting SAD entry with SPI %.8x", ntohl(spi)); + } hdr = (struct nlmsghdr*)request; hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; hdr->nlmsg_type = XFRM_MSG_DELSA; 
@@ -1368,19 +1453,53 @@ METHOD(kernel_ipsec_t, del_sa, status_t, sa_id->proto = proto_ike2kernel(protocol); sa_id->family = dst->get_family(dst); + if (mark.value) + { + struct xfrm_mark *mrk; + struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_usersa_id); + + rthdr->rta_type = XFRMA_MARK; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark)); + hdr->nlmsg_len += rthdr->rta_len; + if (hdr->nlmsg_len > sizeof(request)) + { + return FAILED; + } + + mrk = (struct xfrm_mark*)RTA_DATA(rthdr); + mrk->v = mark.value; + mrk->m = mark.mask; + } + if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS) { - DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); + if (mark.value) + { + DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x " + "(mark %u/0x%8x)", ntohl(spi), mark.value, mark.mask); + } + else + { + DBG1(DBG_KNL, "unable to delete SAD entry with SPI %.8x", ntohl(spi)); + } return FAILED; } - DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); + if (mark.value) + { + DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x (mark %u/0x%8x)", + ntohl(spi), mark.value, mark.mask); + } + else + { + DBG2(DBG_KNL, "deleted SAD entry with SPI %.8x", ntohl(spi)); + } return SUCCESS; } METHOD(kernel_ipsec_t, update_sa, status_t, private_kernel_netlink_ipsec_t *this, u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst, - bool old_encap, bool new_encap) + bool old_encap, bool new_encap, mark_t mark) { netlink_buf_t request; u_char *pos; @@ -1398,7 +1517,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t, if (cpi) { update_sa(this, htonl(ntohs(cpi)), IPPROTO_COMP, 0, - src, dst, new_src, new_dst, FALSE, FALSE); + src, dst, new_src, new_dst, FALSE, FALSE, mark); } memset(&request, 0, sizeof(request)); 
@@ -1459,7 +1578,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 }
 /* delete the old SA (without affecting the IPComp SA) */
- if (del_sa(this, src, dst, spi, protocol, 0) != SUCCESS)
+ if (del_sa(this, src, dst, spi, protocol, 0, mark) != SUCCESS)
 {
 DBG1(DBG_KNL, "unable to delete old SAD entry with SPI %.8x", ntohl(spi));
 free(out);
@@ -1558,8 +1677,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
- u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool routed)
+ u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+ u_int16_t cpi, bool routed)
 {
 policy_entry_t *current, *policy;
 bool found = FALSE;
@@ -1571,6 +1690,7 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 policy = malloc_thing(policy_entry_t);
 memset(policy, 0, sizeof(policy_entry_t));
 policy->sel = ts2selector(src_ts, dst_ts);
+ policy->mark = mark.value & mark.mask;
 policy->direction = direction;
 /* find the policy, which matches EXACTLY */
@@ -1580,9 +1700,19 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 {
 /* use existing policy */
 current->refcount++;
- DBG2(DBG_KNL, "policy %R === %R %N already exists, increasing "
- "refcount", src_ts, dst_ts,
- policy_dir_names, direction);
+ if (mark.value)
+ {
+ DBG2(DBG_KNL, "policy %R === %R %N (mark %u/0x%8x) "
+ "already exists, increasing refcount",
+ src_ts, dst_ts, policy_dir_names, direction,
+ mark.value, mark.mask);
+ }
+ else
+ {
+ DBG2(DBG_KNL, "policy %R === %R %N "
+ "already exists, increasing refcount",
+ src_ts, dst_ts, policy_dir_names, direction);
+ }
 free(policy);
 policy = current;
 found = TRUE;
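Review bot: update_sa now forwards `mark` to del_sa and to the IPComp recursion, but the XFRM_MSG_GETSA lookup that precedes this hunk (outside the visible lines) is not touched by the commit; if that request does not carry XFRMA_MARK as well, a marked SA would not be found and the update would fail before the deletion is reached, so that path is worth checking. The failure message `unable to delete old SAD entry with SPI %.8x` also omits the mark that every other message in this commit now includes. update_sa's body starts and ends outside this hunk.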
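Review bot: The policy table key stores the masked value, `policy->mark = mark.value & mark.mask;`, while the XFRMA_MARK attribute later in add_policy is built from the unmasked `mark.value` and `mark.mask`; two callers whose marks agree after masking but differ in raw value or mask would therefore share one refcounted entry here while the kernel treats their policies as distinct, and del_policy (which uses the same masked key) could then leave kernel state out of step. Storing both `mark.value` and `mark.mask` in policy_entry_t and comparing both in the lookup avoids that ambiguity; whether the existing comparison already includes the mark cannot be seen from this hunk. The same masked key is written in del_policy later in this commit.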
@@ -1593,8 +1723,17 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 policy->refcount = 1;
 }
- DBG2(DBG_KNL, "adding policy %R === %R %N", src_ts, dst_ts,
- policy_dir_names, direction);
+ if (mark.value)
+ {
+ DBG2(DBG_KNL, "adding policy %R === %R %N (mark %u/0x%8x)",
+ src_ts, dst_ts, policy_dir_names, direction,
+ mark.value, mark.mask);
+ }
+ else
+ {
+ DBG2(DBG_KNL, "adding policy %R === %R %N",
+ src_ts, dst_ts, policy_dir_names, direction);
+ }
 memset(&request, 0, sizeof(request));
 hdr = (struct nlmsghdr*)request;
@@ -1673,6 +1812,25 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 tmpl->aalgos = tmpl->ealgos = tmpl->calgos = ~0;
 tmpl->mode = mode2kernel(mode);
 tmpl->family = src->get_family(src);
+ rthdr = XFRM_RTA_NEXT(rthdr);
+
+ if (mark.value)
+ {
+ struct xfrm_mark *mrk;
+
+ rthdr->rta_type = XFRMA_MARK;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+ mrk->v = mark.value;
+ mrk->m = mark.mask;
+ }
 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 {
@@ -1741,7 +1899,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 METHOD(kernel_ipsec_t, query_policy, status_t,
 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ u_int32_t *use_time)
 {
 netlink_buf_t request;
 struct nlmsghdr *out = NULL, *hdr;
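Review bot: The new `return FAILED;` in the overflow check of the XFRMA_MARK block runs after the policy_entry_t has been created and (presumably, in the lookup section above this hunk) inserted into `this->policies` with refcount 1, so a failure here leaves a table entry the kernel never received. If the existing send_ack failure path directly below behaves the same way this is at least consistent, but then both paths would benefit from removing the entry, or from a comment stating that the stale entry is intentionally kept. With netlink_buf_t being a fixed-size buffer the check is presumably defensive and never hit in practice. add_policy's body starts before and ends after this hunk.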
@@ -1751,9 +1910,17 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 memset(&request, 0, sizeof(request));
- DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
- policy_dir_names, direction);
-
+ if (mark.value)
+ {
+ DBG2(DBG_KNL, "querying policy %R === %R %N (mark %u/0x%8x)",
+ src_ts, dst_ts, policy_dir_names, direction,
+ mark.value, mark.mask);
+ }
+ else
+ {
+ DBG2(DBG_KNL, "querying policy %R === %R %N", src_ts, dst_ts,
+ policy_dir_names, direction);
+ }
 hdr = (struct nlmsghdr*)request;
 hdr->nlmsg_flags = NLM_F_REQUEST;
 hdr->nlmsg_type = XFRM_MSG_GETPOLICY;
@@ -1763,6 +1930,25 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 policy_id->sel = ts2selector(src_ts, dst_ts);
 policy_id->dir = direction;
+ if (mark.value)
+ {
+ struct xfrm_mark *mrk;
+ struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+
+ rthdr->rta_type = XFRMA_MARK;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+ mrk->v = mark.value;
+ mrk->m = mark.mask;
+ }
+
 if (this->socket_xfrm->send(this->socket_xfrm, hdr, &out, &len) == SUCCESS)
 {
 hdr = out;
@@ -1816,7 +2002,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 METHOD(kernel_ipsec_t, del_policy, status_t,
 private_kernel_netlink_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ bool unrouted)
 {
 policy_entry_t *current, policy, *to_delete = NULL;
 route_entry_t *route;
@@ -1824,12 +2011,22 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 struct nlmsghdr *hdr;
 struct xfrm_userpolicy_id *policy_id;
- DBG2(DBG_KNL, "deleting policy %R === %R %N", src_ts, dst_ts,
- policy_dir_names, direction);
+ if (mark.value)
+ {
+ DBG2(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x)",
+ src_ts, dst_ts, policy_dir_names, direction,
+ mark.value, mark.mask);
+ }
+ else
+ {
+ DBG2(DBG_KNL, "deleting policy %R === %R %N",
+ src_ts, dst_ts, policy_dir_names, direction);
+ }
 /* create a policy */
 memset(&policy, 0, sizeof(policy_entry_t));
 policy.sel = ts2selector(src_ts, dst_ts);
+ policy.mark = mark.value & mark.mask;
 policy.direction = direction;
 /* find the policy */
@@ -1851,8 +2048,17 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 this->mutex->unlock(this->mutex);
 if (!to_delete)
 {
- DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found", src_ts,
- dst_ts, policy_dir_names, direction);
+ if (mark.value)
+ {
+ DBG1(DBG_KNL, "deleting policy %R === %R %N (mark %u/0x%8x) "
+ "failed, not found", src_ts, dst_ts, policy_dir_names,
+ direction, mark.value, mark.mask);
+ }
+ else
+ {
+ DBG1(DBG_KNL, "deleting policy %R === %R %N failed, not found",
+ src_ts, dst_ts, policy_dir_names, direction);
+ }
 return NOT_FOUND;
 }
@@ -1867,13 +2073,40 @@ METHOD(kernel_ipsec_t, del_policy, status_t,
 policy_id->sel = to_delete->sel;
 policy_id->dir = direction;
+ if (mark.value)
+ {
+ struct xfrm_mark *mrk;
+ struct rtattr *rthdr = XFRM_RTA(hdr, struct xfrm_userpolicy_id);
+
+ rthdr->rta_type = XFRMA_MARK;
+ rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_mark));
+ hdr->nlmsg_len += rthdr->rta_len;
+ if (hdr->nlmsg_len > sizeof(request))
+ {
+ return FAILED;
+ }
+
+ mrk = (struct xfrm_mark*)RTA_DATA(rthdr);
+ mrk->v = mark.value;
+ mrk->m = mark.mask;
+ }
+
 route = to_delete->route;
 free(to_delete);
 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 {
- DBG1(DBG_KNL, "unable to delete policy %R === %R %N", src_ts, dst_ts,
- policy_dir_names, direction);
+ if (mark.value)
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N "
+ "(mark %u/0x%8x)", src_ts, dst_ts, policy_dir_names,
+ direction, mark.value, mark.mask);
+ }
+ else
+ {
+ DBG1(DBG_KNL, "unable to delete policy %R === %R %N",
+ src_ts, dst_ts, policy_dir_names, direction);
+ }
 return FAILED;
 }
diff --git a/src/libcharon/plugins/kernel_pfkey/Makefile.in b/src/libcharon/plugins/kernel_pfkey/Makefile.in
index 2b028ba71..1dda6827b 100644
--- a/src/libcharon/plugins/kernel_pfkey/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfkey/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
index 8a7883c8a..a64c27f6f 100644
--- a/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libcharon/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
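Review bot: The new `return FAILED;` in the overflow check runs before `free(to_delete);`, and `to_delete` has by then presumably been unlinked from `this->policies` in the lookup above, so that path leaks the entry and its cached route. Moving the two lines `route = to_delete->route;` and `free(to_delete);` above the `if (mark.value)` block, where nothing in the block depends on them, keeps the new early return leak-free and matches the ordering of the existing send_ack failure path. That the route is not released when send_ack fails is pre-existing and visible in the same hunk. del_policy's body starts before this hunk.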
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2008-2009 Tobias Brunner
+ * Copyright (C) 2008-2010 Tobias Brunner
 * Copyright (C) 2008 Andreas Steffen
 * Hochschule fuer Technik Rapperswil
 *
@@ -67,8 +67,10 @@
 /** non linux specific */
 #ifndef IPPROTO_COMP
+#ifdef IPPROTO_IPCOMP
 #define IPPROTO_COMP IPPROTO_IPCOMP
 #endif
+#endif
 #ifndef SADB_X_AALG_SHA2_256HMAC
 #define SADB_X_AALG_SHA2_256HMAC SADB_X_AALG_SHA2_256
@@ -600,17 +602,43 @@ static int lookup_algorithm(kernel_algorithm_t *list, int ikev2)
 }
 /**
- * add a host behind a sadb_address extension
+ * Copy a host_t as sockaddr_t to the given memory location. Ports are
+ * reset to zero as per RFC 2367.
+ * @return the number of bytes copied
 */
-static void host2ext(host_t *host, struct sadb_address *ext)
+static size_t hostcpy(void *dest, host_t *host)
 {
- sockaddr_t *host_addr = host->get_sockaddr(host);
+ sockaddr_t *addr = host->get_sockaddr(host), *dest_addr = dest;
 socklen_t *len = host->get_sockaddr_len(host);
+ memcpy(dest, addr, *len);
 #ifdef HAVE_STRUCT_SOCKADDR_SA_LEN
- host_addr->sa_len = *len;
+ dest_addr->sa_len = *len;
 #endif
- memcpy((char*)(ext + 1), host_addr, *len);
- ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + *len);
+ switch (dest_addr->sa_family)
+ {
+ case AF_INET:
+ {
+ struct sockaddr_in *sin = dest;
+ sin->sin_port = 0;
+ break;
+ }
+ case AF_INET6:
+ {
+ struct sockaddr_in6 *sin6 = dest;
+ sin6->sin6_port = 0;
+ break;
+ }
+ }
+ return *len;
+}
+
+/**
+ * add a host behind an sadb_address extension
+ */
+static void host2ext(host_t *host, struct sadb_address *ext)
+{
+ size_t len = hostcpy(ext + 1, host);
+ ext->sadb_address_len = PFKEY_LEN(sizeof(*ext) + len);
 }
 /**
@@ -1019,7 +1047,7 @@ static void process_migrate(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 }
 #endif /*SADB_X_MIGRATE*/
-#ifdef HAVE_NATT
+#ifdef SADB_X_NAT_T_NEW_MAPPING
 /**
 * Process a SADB_X_NAT_T_NEW_MAPPING message from the kernel
 */
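Review bot: hostcpy writes `*len` bytes through `dest` without any bound, so the caller's obligation belongs in the new doc comment, e.g. `@param dest destination buffer, must hold at least *host->get_sockaddr_len(host) bytes`; both callers in this commit write into a fixed PFKEY_BUFFER_SIZE request without checking the remaining space, which is pre-existing for host2ext. The `switch` on `sa_family` has no `default:` case, so for any other family the copied bytes are returned untouched; a `default: break;` with a one-line comment saying so would make the "ports are reset to zero" claim in the header precise. Keeping the port reset on the copy rather than on the host's own sockaddr (as the old sa_len assignment did) is a good change and worth a sentence in the comment.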
@@ -1075,7 +1103,7 @@ static void process_mapping(private_kernel_pfkey_ipsec_t *this, struct sadb_msg*
 }
 }
 }
-#endif /*HAVE_NATT*/
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
 /**
 * Receives events from kernel
@@ -1137,11 +1165,11 @@ static job_requeue_t receive_events(private_kernel_pfkey_ipsec_t *this)
 process_migrate(this, msg);
 break;
 #endif /*SADB_X_MIGRATE*/
-#ifdef HAVE_NATT
+#ifdef SADB_X_NAT_T_NEW_MAPPING
 case SADB_X_NAT_T_NEW_MAPPING:
 process_mapping(this, msg);
 break;
-#endif /*HAVE_NATT*/
+#endif /*SADB_X_NAT_T_NEW_MAPPING*/
 default:
 break;
 }
@@ -1217,10 +1245,11 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 METHOD(kernel_ipsec_t, add_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid, lifetime_cfg_t *lifetime,
- u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key,
- ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap,
- bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
+ protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+ u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1364,7 +1393,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 METHOD(kernel_ipsec_t, update_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
 u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src, host_t *new_dst,
- bool encap, bool new_encap)
+ bool encap, bool new_encap, mark_t mark)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
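Review bot: add_sa, update_sa, query_sa, del_sa, add_policy, query_policy and del_policy in this file now accept `mark_t mark`, but in the visible hunks the parameter is never read, and PF_KEY has no counterpart to the netlink XFRMA_MARK attribute. If the backend indeed cannot honour marks, a single `if (mark.value) { DBG1(DBG_KNL, "PF_KEY backend ignores mark %u/0x%08x", mark.value, mark.mask); }` in add_sa and add_policy would make a mark-based configuration fail visibly instead of silently installing unmarked SAs and policies. The function bodies lie outside these hunks, so this may already be handled where the parameter is consumed.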
@@ -1497,7 +1526,7 @@ METHOD(kernel_ipsec_t, update_sa, status_t,
 METHOD(kernel_ipsec_t, query_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int64_t *bytes)
+ u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1553,7 +1582,7 @@ METHOD(kernel_ipsec_t, query_sa, status_t,
 METHOD(kernel_ipsec_t, del_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi)
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1604,8 +1633,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst,
 traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
 policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
- u_int32_t reqid, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool routed)
+ u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+ u_int16_t cpi, bool routed)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1679,14 +1708,10 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 req->sadb_x_ipsecrequest_level = IPSEC_LEVEL_UNIQUE;
 if (mode == MODE_TUNNEL)
 {
- sockaddr_t *sa;
- socklen_t sl;
- sa = src->get_sockaddr(src);
- sl = *src->get_sockaddr_len(src);
- memcpy(req + 1, sa, sl);
- sa = dst->get_sockaddr(dst);
- memcpy((u_int8_t*)(req + 1) + sl, sa, sl);
- req->sadb_x_ipsecrequest_len += sl * 2;
+ len = hostcpy(req + 1, src);
+ req->sadb_x_ipsecrequest_len += len;
+ len = hostcpy((char*)(req + 1) + len, dst);
+ req->sadb_x_ipsecrequest_len += len;
 }
 pol->sadb_x_policy_len += PFKEY_LEN(req->sadb_x_ipsecrequest_len);
@@ -1771,22 +1796,30 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 route->dst_net = chunk_clone(policy->src.net->get_address(policy->src.net));
 route->prefixlen = policy->src.mask;
- switch (charon->kernel_interface->add_route(charon->kernel_interface,
- route->dst_net, route->prefixlen, route->gateway,
- route->src_ip, route->if_name))
+ if (route->if_name)
+ {
+ switch (charon->kernel_interface->add_route(
+ charon->kernel_interface, route->dst_net,
+ route->prefixlen, route->gateway,
+ route->src_ip, route->if_name))
+ {
+ default:
+ DBG1(DBG_KNL, "unable to install source route for %H",
+ route->src_ip);
+ /* FALL */
+ case ALREADY_DONE:
+ /* route exists, do not uninstall */
+ route_entry_destroy(route);
+ break;
+ case SUCCESS:
+ /* cache the installed route */
+ policy->route = route;
+ break;
+ }
+ }
+ else
 {
- default:
- DBG1(DBG_KNL, "unable to install source route for %H",
- route->src_ip);
- /* FALL */
- case ALREADY_DONE:
- /* route exists, do not uninstall */
- route_entry_destroy(route);
- break;
- case SUCCESS:
- /* cache the installed route */
- policy->route = route;
- break;
+ route_entry_destroy(route);
 }
 }
 else
@@ -1802,7 +1835,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 METHOD(kernel_ipsec_t, query_policy, status_t,
 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, u_int32_t *use_time)
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ u_int32_t *use_time)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
@@ -1905,7 +1939,8 @@ METHOD(kernel_ipsec_t, query_policy, status_t,
 METHOD(kernel_ipsec_t, del_policy, status_t,
 private_kernel_pfkey_ipsec_t *this, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts, policy_dir_t direction, bool unrouted)
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ bool unrouted)
 {
 unsigned char request[PFKEY_BUFFER_SIZE];
 struct sadb_msg *msg, *out;
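Review bot: The new `else` branch destroys the route without any log line, so when no interface name was resolved the policy is installed but its source route is silently skipped, which is hard to diagnose from the log afterwards. A `DBG2(DBG_KNL, "no interface found for %H, not installing source route", route->src_ip);` before `route_entry_destroy(route);` would make the outcome visible; `%H` with `route->src_ip` is already used by the DBG1 in this hunk. add_policy's body starts before and ends after this hunk.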
diff --git a/src/libcharon/plugins/kernel_pfroute/Makefile.in b/src/libcharon/plugins/kernel_pfroute/Makefile.in
index 3a4d2c3b5..f78a97013 100644
--- a/src/libcharon/plugins/kernel_pfroute/Makefile.in
+++ b/src/libcharon/plugins/kernel_pfroute/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in
index 8965aff78..d049bb41b 100644
--- a/src/libcharon/plugins/load_tester/Makefile.in
+++ b/src/libcharon/plugins/load_tester/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c
index c1f98f2fe..a230aa3f5 100644
--- a/src/libcharon/plugins/load_tester/load_tester_config.c
+++ b/src/libcharon/plugins/load_tester/load_tester_config.c
@@ -223,8 +223,9 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num)
 generate_auth_cfg(this, this->initiator_auth, peer_cfg, FALSE, num);
 }
- child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE,
- MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
+ child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL,
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1");
 child_cfg->add_proposal(child_cfg, proposal);
 ts = traffic_selector_create_dynamic(0, 0, 65535);
diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
index 1218443cc..43c0ef009 100644
--- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c
+++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c
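Review bot: The appended `0, 0, NULL, NULL` in the new child_cfg_create call are bare positional values whose meaning cannot be recovered at the call site, and the two zeros next to each other make it easy to transpose them. A trailing comment naming each new argument, in the style of the existing `/* updown, hostaccess */` comment in nm_service.c, would make the call readable without opening child_cfg.h. The same pattern is repeated in both medcli_config.c calls and in nm_service.c later in this commit.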
@@ -34,118 +34,89 @@ struct private_load_tester_ipsec_t {
 u_int32_t spi;
 };
-/**
- * Implementation of kernel_interface_t.get_spi.
- */
-static status_t get_spi(private_load_tester_ipsec_t *this,
- host_t *src, host_t *dst,
- protocol_id_t protocol, u_int32_t reqid,
- u_int32_t *spi)
+METHOD(kernel_ipsec_t, get_spi, status_t,
+ private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi)
 {
 *spi = ++this->spi;
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.get_cpi.
- */
-static status_t get_cpi(private_load_tester_ipsec_t *this,
- host_t *src, host_t *dst,
- u_int32_t reqid, u_int16_t *cpi)
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+ private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t reqid, u_int16_t *cpi)
 {
 return FAILED;
 }
-/**
- * Implementation of kernel_interface_t.add_sa.
- */
-static status_t add_sa(private_load_tester_ipsec_t *this,
- host_t *src, host_t *dst, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid,
- lifetime_cfg_t *lifetime,
- u_int16_t enc_alg, chunk_t enc_key,
- u_int16_t int_alg, chunk_t int_key,
- ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool encap, bool inbound, traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts)
+METHOD(kernel_ipsec_t, add_sa, status_t,
+ private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int32_t reqid, mark_t mark,
+ lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+ u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
+ u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts)
 {
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.update_sa.
- */
-static status_t update_sa(private_load_tester_ipsec_t *this,
- u_int32_t spi, protocol_id_t protocol, u_int16_t cpi,
- host_t *src, host_t *dst,
- host_t *new_src, host_t *new_dst,
- bool encap, bool new_encap)
+METHOD(kernel_ipsec_t, update_sa, status_t,
+ private_load_tester_ipsec_t *this, u_int32_t spi, protocol_id_t protocol,
+ u_int16_t cpi, host_t *src, host_t *dst, host_t *new_src,
+ host_t *new_dst, bool encap, bool new_encap, mark_t mark)
 {
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.query_sa.
- */
-static status_t query_sa(private_load_tester_ipsec_t *this, host_t *src,
- host_t *dst, u_int32_t spi, protocol_id_t protocol,
- u_int64_t *bytes)
+METHOD(kernel_ipsec_t, query_sa, status_t,
+ private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, mark_t mark, u_int64_t *bytes)
 {
 return NOT_SUPPORTED;
 }
-/**
- * Implementation of kernel_interface_t.del_sa.
- */
-static status_t del_sa(private_load_tester_ipsec_t *this, host_t *src,
- host_t *dst, u_int32_t spi, protocol_id_t protocol,
- u_int16_t cpi)
+METHOD(kernel_ipsec_t, del_sa, status_t,
+ private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t spi, protocol_id_t protocol, u_int16_t cpi, mark_t mark)
 {
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.add_policy.
- */
-static status_t add_policy(private_load_tester_ipsec_t *this,
- host_t *src, host_t *dst,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t spi,
- protocol_id_t protocol, u_int32_t reqid,
- ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
- bool routed)
+METHOD(kernel_ipsec_t, add_policy, status_t,
+ private_load_tester_ipsec_t *this, host_t *src, host_t *dst,
+ traffic_selector_t *src_ts, traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t spi, protocol_id_t protocol,
+ u_int32_t reqid, mark_t mark, ipsec_mode_t mode, u_int16_t ipcomp,
+ u_int16_t cpi, bool routed)
 {
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.query_policy.
- */
-static status_t query_policy(private_load_tester_ipsec_t *this,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts,
- policy_dir_t direction, u_int32_t *use_time)
+METHOD(kernel_ipsec_t, query_policy, status_t,
+ private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ u_int32_t *use_time)
 {
 *use_time = time_monotonic(NULL);
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.del_policy.
- */
-static status_t del_policy(private_load_tester_ipsec_t *this,
- traffic_selector_t *src_ts,
- traffic_selector_t *dst_ts,
- policy_dir_t direction, bool unrouted)
+METHOD(kernel_ipsec_t, del_policy, status_t,
+ private_load_tester_ipsec_t *this, traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts, policy_dir_t direction, mark_t mark,
+ bool unrouted)
 {
 return SUCCESS;
 }
-/**
- * Implementation of kernel_interface_t.destroy.
- */
-static void destroy(private_load_tester_ipsec_t *this)
+METHOD(kernel_ipsec_t, bypass_socket, bool,
+ private_load_tester_ipsec_t *this, int fd, int family)
+{
+ return TRUE;
+}
+
+METHOD(kernel_ipsec_t, destroy, void,
+ private_load_tester_ipsec_t *this)
 {
 free(this);
 }
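Review bot: `*spi = ++this->spi;` in get_spi is an unsynchronized read-modify-write on shared state; the load tester presumably drives many IKE_SAs from several worker threads, and if so two threads can be handed the same SPI. Since no SA is ever installed by this backend the collision may be harmless, but that should then be stated in a comment on get_spi rather than left to the reader, otherwise an atomic increment is the fix. The new bypass_socket stub returns TRUE unconditionally, which claims success for an operation that is not performed; a one-line comment such as `/* no real SAs are installed, nothing to bypass */` would document that this is deliberate.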
@@ -155,21 +126,26 @@ static void destroy(private_load_tester_ipsec_t *this)
 */
 load_tester_ipsec_t *load_tester_ipsec_create()
 {
- private_load_tester_ipsec_t *this = malloc_thing(private_load_tester_ipsec_t);
-
- /* public functions */
- this->public.interface.get_spi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,protocol_id_t,u_int32_t,u_int32_t*))get_spi;
- this->public.interface.get_cpi = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,u_int16_t*))get_cpi;
- this->public.interface.add_sa = (status_t(*)(kernel_ipsec_t *,host_t*,host_t*,u_int32_t,protocol_id_t,u_int32_t,lifetime_cfg_t*,u_int16_t,chunk_t,u_int16_t,chunk_t,ipsec_mode_t,u_int16_t,u_int16_t,bool,bool,traffic_selector_t*,traffic_selector_t*))add_sa;
- this->public.interface.update_sa = (status_t(*)(kernel_ipsec_t*,u_int32_t,protocol_id_t,u_int16_t,host_t*,host_t*,host_t*,host_t*,bool,bool))update_sa;
- this->public.interface.query_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int64_t*))query_sa;
- this->public.interface.del_sa = (status_t(*)(kernel_ipsec_t*,host_t*,host_t*,u_int32_t,protocol_id_t,u_int16_t))del_sa;
- this->public.interface.add_policy = (status_t(*)(kernel_ipsec_t *this,host_t *, host_t *,traffic_selector_t *,traffic_selector_t *,policy_dir_t, u_int32_t,protocol_id_t, u_int32_t,ipsec_mode_t, u_int16_t, u_int16_t,bool))add_policy;
- this->public.interface.query_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,u_int32_t*))query_policy;
- this->public.interface.del_policy = (status_t(*)(kernel_ipsec_t*,traffic_selector_t*,traffic_selector_t*,policy_dir_t,bool))del_policy;
- this->public.interface.destroy = (void(*)(kernel_ipsec_t*)) destroy;
-
- this->spi = 0;
+ private_load_tester_ipsec_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .get_spi = _get_spi,
+ .get_cpi = _get_cpi,
+ .add_sa = _add_sa,
+ .update_sa = _update_sa,
+ .query_sa = _query_sa,
+ .del_sa = _del_sa,
+ .add_policy = _add_policy,
+ .query_policy = _query_policy,
+ .del_policy = _del_policy,
+ .bypass_socket = _bypass_socket,
+ .destroy = _destroy,
+ },
+ },
+ .spi = 0,
+ );
 return &this->public;
 }
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c
index 46145b803..15dbccb00 100644
--- a/src/libcharon/plugins/load_tester/load_tester_plugin.c
+++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c
@@ -158,7 +158,7 @@ static void destroy(private_load_tester_plugin_t *this)
 charon->kernel_interface->remove_ipsec_interface(charon->kernel_interface, (kernel_ipsec_constructor_t)load_tester_ipsec_create);
 charon->backends->remove_backend(charon->backends, &this->config->backend);
- charon->credentials->remove_set(charon->credentials, &this->creds->credential_set);
+ lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set);
 charon->bus->remove_listener(charon->bus, &this->listener->listener);
 this->config->destroy(this->config);
 this->creds->destroy(this->creds);
@@ -209,7 +209,7 @@ plugin_t *load_tester_plugin_create()
 this->creds = load_tester_creds_create();
 this->listener = load_tester_listener_create(shutdown_on);
 charon->backends->add_backend(charon->backends, &this->config->backend);
- charon->credentials->add_set(charon->credentials, &this->creds->credential_set);
+ lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set);
 charon->bus->add_listener(charon->bus, &this->listener->listener);
 if (lib->settings->get_bool(lib->settings,
diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in
index 539890ec3..c26d325a9 100644
--- a/src/libcharon/plugins/medcli/Makefile.in
+++ b/src/libcharon/plugins/medcli/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c
index e355d55f7..6cbaf36f2 100644
--- a/src/libcharon/plugins/medcli/medcli_config.c
+++ b/src/libcharon/plugins/medcli/medcli_config.c
@@ -181,8 +181,9 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam
 identification_create_from_encoding(ID_KEY_ID, other));
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
- child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE,
- MODE_TUNNEL, ACTION_NONE, ACTION_NONE, FALSE, 0);
+ child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
@@ -260,7 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg)
 this->current->add_auth_cfg(this->current, auth, FALSE);
 child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL,
- ACTION_NONE, ACTION_NONE, FALSE, 0);
+ ACTION_NONE, ACTION_NONE, FALSE, 0, 0,
+ NULL, NULL);
 child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
 child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net));
 child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net));
diff --git a/src/libcharon/plugins/medcli/medcli_plugin.c b/src/libcharon/plugins/medcli/medcli_plugin.c
index 397168d46..6befbf440 100644
--- a/src/libcharon/plugins/medcli/medcli_plugin.c
+++ b/src/libcharon/plugins/medcli/medcli_plugin.c
@@ -61,7 +61,7 @@ static void destroy(private_medcli_plugin_t *this)
 {
 charon->bus->remove_listener(charon->bus, &this->listener->listener);
 charon->backends->remove_backend(charon->backends, &this->config->backend);
- charon->credentials->remove_set(charon->credentials, &this->creds->set);
+ lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 this->listener->destroy(this->listener);
 this->config->destroy(this->config);
 this->creds->destroy(this->creds);
@@ -100,7 +100,7 @@ plugin_t *medcli_plugin_create()
 this->config = medcli_config_create(this->db);
 this->listener = medcli_listener_create(this->db);
- charon->credentials->add_set(charon->credentials, &this->creds->set);
+ lib->credmgr->add_set(lib->credmgr, &this->creds->set);
 charon->backends->add_backend(charon->backends, &this->config->backend);
 charon->bus->add_listener(charon->bus, &this->listener->listener);
diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in
index a103a1340..4dc9c00d0 100644
--- a/src/libcharon/plugins/medsrv/Makefile.in
+++ b/src/libcharon/plugins/medsrv/Makefile.in
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libcharon/plugins/medsrv/medsrv_plugin.c b/src/libcharon/plugins/medsrv/medsrv_plugin.c
index 262d26d6b..c150346cb 100644
--- a/src/libcharon/plugins/medsrv/medsrv_plugin.c
+++ b/src/libcharon/plugins/medsrv/medsrv_plugin.c
@@ -54,7 +54,7 @@ struct private_medsrv_plugin_t {
 static void destroy(private_medsrv_plugin_t *this)
 {
 charon->backends->remove_backend(charon->backends, &this->config->backend);
- charon->credentials->remove_set(charon->credentials, &this->creds->set);
+ lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
 this->config->destroy(this->config);
 this->creds->destroy(this->creds);
 this->db->destroy(this->db);
@@ -91,7 +91,7 @@ plugin_t *medsrv_plugin_create() this->creds = medsrv_creds_create(this->db); this->config = medsrv_config_create(this->db); - charon->credentials->add_set(charon->credentials, &this->creds->set); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); charon->backends->add_backend(charon->backends, &this->config->backend); return &this->public.plugin; diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in index c7f288f54..1b3e4c5a6 100644 --- a/src/libcharon/plugins/nm/Makefile.in +++ b/src/libcharon/plugins/nm/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/nm/nm_plugin.c b/src/libcharon/plugins/nm/nm_plugin.c index 6087f6589..250e6f7f9 100644 --- a/src/libcharon/plugins/nm/nm_plugin.c +++ b/src/libcharon/plugins/nm/nm_plugin.c @@ -84,7 +84,7 @@ static void destroy(private_nm_plugin_t *this) { g_object_unref(this->plugin); } - charon->credentials->remove_set(charon->credentials, &this->creds->set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); this->creds->destroy(this->creds); this->handler->destroy(this->handler); @@ -110,7 +110,7 @@ plugin_t *nm_plugin_create() this->creds = nm_creds_create(); this->handler = nm_handler_create(); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); - charon->credentials->add_set(charon->credentials, &this->creds->set); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); this->plugin = nm_strongswan_plugin_new(this->creds, this->handler); if (!this->plugin) { diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index cdf7dc962..07318bbbf 100644 --- a/src/libcharon/plugins/nm/nm_service.c 
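Review bot: In nm_plugin_create the set is registered with lib->credmgr before `nm_strongswan_plugin_new(this->creds, this->handler)` is called, and the `if (!this->plugin)` failure branch continues outside the hunk; if that branch releases `this->creds` without first calling `lib->credmgr->remove_set` (directly or via destroy(this), which does), the library-wide manager would be left holding a pointer into freed memory. Worth confirming the branch unregisters the set, or, if the constructor does not need the set registered yet, moving the `lib->credmgr->add_set(...)` line below the `if (!this->plugin)` check so the failure path has nothing to unwind. The enclosing function ends outside the hunk.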
+++ b/src/libcharon/plugins/nm/nm_service.c @@ -444,7 +444,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, child_cfg = child_cfg_create(priv->name, &lifetime, NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_NONE, ipcomp, 0); + ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, + NULL, NULL); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/resolve/Makefile.am b/src/libcharon/plugins/resolve/Makefile.am deleted file mode 100644 index f8830d42e..000000000 --- a/src/libcharon/plugins/resolve/Makefile.am +++ /dev/null @@ -1,18 +0,0 @@ - -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic \ - -DRESOLV_CONF=\"${resolv_conf}\" - -if MONOLITHIC -noinst_LTLIBRARIES = libstrongswan-resolve.la -else -plugin_LTLIBRARIES = libstrongswan-resolve.la -endif - -libstrongswan_resolve_la_SOURCES = \ - resolve_plugin.h resolve_plugin.c \ - resolve_handler.h resolve_handler.c - -libstrongswan_resolve_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/resolve/Makefile.in b/src/libcharon/plugins/resolve/Makefile.in deleted file mode 100644 index 92ee85539..000000000 --- a/src/libcharon/plugins/resolve/Makefile.in +++ /dev/null 
@@ -1,591 +0,0 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, -# Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -subdir = src/libcharon/plugins/resolve -DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ - $(top_srcdir)/m4/config/ltoptions.m4 \ - $(top_srcdir)/m4/config/ltsugar.m4 \ - $(top_srcdir)/m4/config/ltversion.m4 \ - $(top_srcdir)/m4/config/lt~obsolete.m4 \ - $(top_srcdir)/m4/macros/with.m4 \ - $(top_srcdir)/m4/macros/enable-disable.m4 \ - $(top_srcdir)/configure.in -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ - $(ACLOCAL_M4) -mkinstalldirs = $(install_sh) -d -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; 
-am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -am__installdirs = "$(DESTDIR)$(plugindir)" -LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_resolve_la_LIBADD = -am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \ - resolve_handler.lo -libstrongswan_resolve_la_OBJECTS = \ - $(am_libstrongswan_resolve_la_OBJECTS) -libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@ -@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \ -@MONOLITHIC_FALSE@ $(plugindir) -@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath = -DEFAULT_INCLUDES = -I.@am__isrc@ -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ - $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ - $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = $(LIBTOOL) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ - --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ - $(LDFLAGS) -o $@ -SOURCES = $(libstrongswan_resolve_la_SOURCES) -DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -ACLOCAL = @ACLOCAL@ -ALLOCA = @ALLOCA@ -AMTAR = @AMTAR@ -AR = @AR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -BTLIB = @BTLIB@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPP = @CPP@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DLLIB = @DLLIB@ -DSYMUTIL = @DSYMUTIL@ -DUMPBIN = @DUMPBIN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EGREP = @EGREP@ -EXEEXT = @EXEEXT@ -FGREP = @FGREP@ -GPERF = @GPERF@ -GREP = @GREP@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LD = @LD@ -LDFLAGS = @LDFLAGS@ -LEX = @LEX@ -LEXLIB = @LEXLIB@ -LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LIBTOOL = @LIBTOOL@ -LIPO = @LIPO@ -LN_S = @LN_S@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MKDIR_P = @MKDIR_P@ -MYSQLCFLAG = @MYSQLCFLAG@ -MYSQLCONFIG = @MYSQLCONFIG@ -MYSQLLIB = @MYSQLLIB@ -NM = @NM@ -NMEDIT = @NMEDIT@ -OBJDUMP = @OBJDUMP@ -OBJEXT = @OBJEXT@ -OTOOL = @OTOOL@ -OTOOL64 = @OTOOL64@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -PERL = @PERL@ -PKG_CONFIG = @PKG_CONFIG@ -PTHREADLIB = @PTHREADLIB@ -RANLIB = @RANLIB@ -RTLIB = @RTLIB@ -RUBY = @RUBY@ -RUBYINCLUDE = @RUBYINCLUDE@ -SED = @SED@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SOCKLIB = @SOCKLIB@ -STRIP = @STRIP@ -VERSION = @VERSION@ -YACC = @YACC@ 
-YFLAGS = @YFLAGS@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_CC = @ac_ct_CC@ -ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -default_pkcs11 = @default_pkcs11@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -gtk_CFLAGS = @gtk_CFLAGS@ -gtk_LIBS = @gtk_LIBS@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ -ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ -ipsecuser = @ipsecuser@ -libdir = @libdir@ -libexecdir = @libexecdir@ -libhydra_plugins = @libhydra_plugins@ -libstrongswan_plugins = @libstrongswan_plugins@ -linux_headers = @linux_headers@ -localedir = @localedir@ -localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -nm_CFLAGS = @nm_CFLAGS@ -nm_LIBS = @nm_LIBS@ -nm_ca_dir = @nm_ca_dir@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -piddir = @piddir@ -plugindir = @plugindir@ -pluto_plugins = @pluto_plugins@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -random_device = @random_device@ -resolv_conf = @resolv_conf@ -routing_table = @routing_table@ -routing_table_prio = @routing_table_prio@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -strongswan_conf = @strongswan_conf@ -sysconfdir = @sysconfdir@ -target_alias = @target_alias@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ 
-top_srcdir = @top_srcdir@ -urandom_device = @urandom_device@ -xml_CFLAGS = @xml_CFLAGS@ -xml_LIBS = @xml_LIBS@ -INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon - -AM_CFLAGS = -rdynamic \ - -DRESOLV_CONF=\"${resolv_conf}\" - -@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la -@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la -libstrongswan_resolve_la_SOURCES = \ - resolve_plugin.h resolve_plugin.c \ - resolve_handler.h resolve_handler.c - -libstrongswan_resolve_la_LDFLAGS = -module -avoid-version -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .lo .o .obj -$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) - @for dep in $?; do \ - case '$(am__configure_deps)' in \ - *$$dep*) \ - ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ - && { if test -f $@; then exit 0; else break; fi; }; \ - exit 1;; \ - esac; \ - done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile'; \ - $(am__cd) $(top_srcdir) && \ - $(AUTOMAKE) --gnu src/libcharon/plugins/resolve/Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status - @case '$?' 
in \ - *config.status*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ - *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ - esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh - -$(top_srcdir)/configure: $(am__configure_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(ACLOCAL_M4): $(am__aclocal_m4_deps) - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh -$(am__aclocal_m4_deps): - -clean-noinstLTLIBRARIES: - -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) - @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) - @$(NORMAL_INSTALL) - test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - list2=; for p in $$list; do \ - if test -f $$p; then \ - list2="$$list2 $$p"; \ - else :; fi; \ - done; \ - test -z "$$list2" || { \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ - } - -uninstall-pluginLTLIBRARIES: - @$(NORMAL_UNINSTALL) - @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ - for p in $$list; do \ - $(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ - done - 
-clean-pluginLTLIBRARIES: - -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) - @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ - dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ - test "$$dir" != "$$p" || dir=.; \ - echo "rm -f \"$${dir}/so_locations\""; \ - rm -f "$${dir}/so_locations"; \ - done -libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) - $(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS) - -mostlyclean-compile: - -rm -f *.$(OBJEXT) - -distclean-compile: - -rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c $< - -.c.obj: -@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` - -.c.lo: -@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< - 
-mostlyclean-libtool: - -rm -f *.lo - -clean-libtool: - -rm -rf .libs _libs - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - mkid -fID $$unique -tags: TAGS - -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - set x; \ - here=`pwd`; \ - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - shift; \ - if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ - test -n "$$unique" || unique=$$empty_fix; \ - if test $$# -gt 0; then \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - "$$@" $$unique; \ - else \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$unique; \ - fi; \ - fi -ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ - $(TAGS_FILES) $(LISP) - list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ - unique=`for i in $$list; do \ - if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ - done | \ - $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ - END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$unique" \ - || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$unique - -GTAGS: - here=`$(am__cd) $(top_builddir) && pwd` \ - && $(am__cd) $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) "$$here" - -distclean-tags: - -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) - @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ - list='$(DISTFILES)'; \ - dist_files=`for file in 
$$list; do echo $$file; done | \ - sed -e "s|^$$srcdirstrip/||;t" \ - -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ - case $$dist_files in \ - */*) $(MKDIR_P) `echo "$$dist_files" | \ - sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ - sort -u` ;; \ - esac; \ - for file in $$dist_files; do \ - if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ - if test -d $$d/$$file; then \ - dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ - if test -d "$(distdir)/$$file"; then \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ - find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ - fi; \ - cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ - else \ - test -f "$(distdir)/$$file" \ - || cp -p $$d/$$file "$(distdir)/$$file" \ - || exit 1; \ - fi; \ - done -check-am: all-am -check: check-am -all-am: Makefile $(LTLIBRARIES) -installdirs: - for dir in "$(DESTDIR)$(plugindir)"; do \ - test -z "$$dir" || $(MKDIR_P) "$$dir"; \ - done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am - @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: - $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ - install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ - `test -z '$(STRIP)' || \ - echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: - -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) - -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: - @echo "This command is intended for maintainers to use" - @echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ - clean-pluginLTLIBRARIES mostlyclean-am - -distclean: distclean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ - distclean-tags - -dvi: dvi-am - -dvi-am: - -html: html-am - -html-am: - -info: info-am - -info-am: - -install-data-am: install-pluginLTLIBRARIES - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) - -rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic \ - mostlyclean-libtool - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-pluginLTLIBRARIES - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ - ctags distclean distclean-compile distclean-generic \ - distclean-libtool distclean-tags distdir dvi dvi-am html \ - html-am info info-am install install-am install-data \ - install-data-am install-dvi install-dvi-am install-exec \ - install-exec-am install-html install-html-am install-info \ - install-info-am install-man install-pdf install-pdf-am \ - install-pluginLTLIBRARIES install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ - uninstall-pluginLTLIBRARIES - - -# Tell versions [3.59,3.63) of GNU make to not export all variables. 
-# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: diff --git a/src/libcharon/plugins/resolve/resolve_handler.c b/src/libcharon/plugins/resolve/resolve_handler.c deleted file mode 100644 index 714c751a6..000000000 --- a/src/libcharon/plugins/resolve/resolve_handler.c +++ /dev/null 
@@ -1,251 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "resolve_handler.h" - -#include - -#include -#include - -typedef struct private_resolve_handler_t private_resolve_handler_t; - -/** - * Private data of an resolve_handler_t object. - */ -struct private_resolve_handler_t { - - /** - * Public resolve_handler_t interface. - */ - resolve_handler_t public; - - /** - * resolv.conf file to use - */ - char *file; - - /** - * Mutex to access file exclusively - */ - mutex_t *mutex; -}; - -/** - * Implementation of attribute_handler_t.handle - */ -static bool handle(private_resolve_handler_t *this, identification_t *server, - configuration_attribute_type_t type, chunk_t data) -{ - FILE *in, *out; - char buf[1024]; - host_t *addr; - size_t len; - bool handled = FALSE; - - switch (type) - { - case INTERNAL_IP4_DNS: - addr = host_create_from_chunk(AF_INET, data, 0); - break; - case INTERNAL_IP6_DNS: - addr = host_create_from_chunk(AF_INET6, data, 0); - break; - default: - return FALSE; - } - - if (!addr || addr->is_anyaddr(addr)) - { - DESTROY_IF(addr); - return FALSE; - } - this->mutex->lock(this->mutex); - - in = fopen(this->file, "r"); - /* allows us to stream from in to out */ - unlink(this->file); - out = fopen(this->file, "w"); - if (out) - { - fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, server); - DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file); - handled = TRUE; - 
- /* copy rest of the file */ - if (in) - { - while ((len = fread(buf, 1, sizeof(buf), in))) - { - ignore_result(fwrite(buf, 1, len, out)); - } - } - fclose(out); - } - if (in) - { - fclose(in); - } - this->mutex->unlock(this->mutex); - addr->destroy(addr); - - if (!handled) - { - DBG1(DBG_IKE, "adding DNS server failed", this->file); - } - return handled; -} - -/** - * Implementation of attribute_handler_t.release - */ -static void release(private_resolve_handler_t *this, identification_t *server, - configuration_attribute_type_t type, chunk_t data) -{ - FILE *in, *out; - char line[1024], matcher[512], *pos; - host_t *addr; - int family; - - switch (type) - { - case INTERNAL_IP4_DNS: - family = AF_INET; - break; - case INTERNAL_IP6_DNS: - family = AF_INET6; - break; - default: - return; - } - - this->mutex->lock(this->mutex); - - in = fopen(this->file, "r"); - if (in) - { - /* allows us to stream from in to out */ - unlink(this->file); - out = fopen(this->file, "w"); - if (out) - { - addr = host_create_from_chunk(family, data, 0); - snprintf(matcher, sizeof(matcher), - "nameserver %H # by strongSwan, from %Y\n", - addr, server); - - /* copy all, but matching line */ - while ((pos = fgets(line, sizeof(line), in))) - { - if (strneq(line, matcher, strlen(matcher))) - { - DBG1(DBG_IKE, "removing DNS server %H from %s", - addr, this->file); - } - else - { - fputs(line, out); - } - } - addr->destroy(addr); - fclose(out); - } - fclose(in); - } - - this->mutex->unlock(this->mutex); -} - -/** - * Attribute enumerator implementation - */ -typedef struct { - /** implements enumerator_t interface */ - enumerator_t public; - /** virtual IP we are requesting */ - host_t *vip; -} attribute_enumerator_t; - -/** - * Implementation of create_attribute_enumerator().enumerate() - */ -static bool attribute_enumerate(attribute_enumerator_t *this, - configuration_attribute_type_t *type, chunk_t *data) -{ - switch (this->vip->get_family(this->vip)) - { - case AF_INET: - *type = 
INTERNAL_IP4_DNS; - break; - case AF_INET6: - *type = INTERNAL_IP6_DNS; - break; - default: - return FALSE; - } - *data = chunk_empty; - /* enumerate only once */ - this->public.enumerate = (void*)return_false; - return TRUE; -} - -/** - * Implementation of attribute_handler_t.create_attribute_enumerator - */ -static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this, - identification_t *server, host_t *vip) -{ - if (vip) - { - attribute_enumerator_t *enumerator; - - enumerator = malloc_thing(attribute_enumerator_t); - enumerator->public.enumerate = (void*)attribute_enumerate; - enumerator->public.destroy = (void*)free; - enumerator->vip = vip; - - return &enumerator->public; - } - return enumerator_create_empty(); -} - -/** - * Implementation of resolve_handler_t.destroy. - */ -static void destroy(private_resolve_handler_t *this) -{ - this->mutex->destroy(this->mutex); - free(this); -} - -/** - * See header - */ -resolve_handler_t *resolve_handler_create() -{ - private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t); - - this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle; - this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release; - this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator; - this->public.destroy = (void(*)(resolve_handler_t*))destroy; - - this->mutex = mutex_create(MUTEX_TYPE_DEFAULT); - this->file = lib->settings->get_str(lib->settings, - "charon.plugins.resolve.file", RESOLV_CONF); - - return &this->public; -} - diff --git a/src/libcharon/plugins/resolve/resolve_handler.h b/src/libcharon/plugins/resolve/resolve_handler.h deleted file mode 100644 index 77bf9781c..000000000 --- a/src/libcharon/plugins/resolve/resolve_handler.h +++ /dev/null 
@@ -1,49 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup resolve_handler resolve_handler - * @{ @ingroup resolve - */ - -#ifndef RESOLVE_HANDLER_H_ -#define RESOLVE_HANDLER_H_ - -#include - -typedef struct resolve_handler_t resolve_handler_t; - -/** - * Handle DNS configuration attributes by mangling a resolv.conf file. - */ -struct resolve_handler_t { - - /** - * Implements the attribute_handler_t interface - */ - attribute_handler_t handler; - - /** - * Destroy a resolve_handler_t. - */ - void (*destroy)(resolve_handler_t *this); -}; - -/** - * Create a resolve_handler instance. - */ -resolve_handler_t *resolve_handler_create(); - -#endif /** RESOLVE_HANDLER_H_ @}*/ diff --git a/src/libcharon/plugins/resolve/resolve_plugin.c b/src/libcharon/plugins/resolve/resolve_plugin.c deleted file mode 100644 index 502129593..000000000 --- a/src/libcharon/plugins/resolve/resolve_plugin.c +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "resolve_plugin.h" -#include "resolve_handler.h" - -#include - -typedef struct private_resolve_plugin_t private_resolve_plugin_t; - -/** - * private data of resolve plugin - */ -struct private_resolve_plugin_t { - - /** - * implements plugin interface - */ - resolve_plugin_t public; - - /** - * The registerd DNS attribute handler - */ - resolve_handler_t *handler; -}; - -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_resolve_plugin_t *this) -{ - hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); - this->handler->destroy(this->handler); - free(this); -} - -/* - * see header file - */ -plugin_t *resolve_plugin_create() -{ - private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - this->handler = resolve_handler_create(); - hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); - - return &this->public.plugin; -} - diff --git a/src/libcharon/plugins/resolve/resolve_plugin.h b/src/libcharon/plugins/resolve/resolve_plugin.h deleted file mode 100644 index 0148b10d7..000000000 --- a/src/libcharon/plugins/resolve/resolve_plugin.h +++ /dev/null 
@@ -1,42 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup resolve resolve - * @ingroup cplugins - * - * @defgroup resolve_plugin resolve_plugin - * @{ @ingroup resolve - */ - -#ifndef RESOLVE_PLUGIN_H_ -#define RESOLVE_PLUGIN_H_ - -#include - -typedef struct resolve_plugin_t resolve_plugin_t; - -/** - * Plugin that writes received DNS servers in a resolv.conf file. - */ -struct resolve_plugin_t { - - /** - * implements plugin interface - */ - plugin_t plugin; -}; - -#endif /** RESOLVE_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index b88283f38..35fb8367f 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index 03c438acd..df63d862e 100644 --- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 3a5fb3778..8a3a15188 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 65ad6a7a9..32bd9e0a1 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/socket_raw/socket_raw_socket.c b/src/libcharon/plugins/socket_raw/socket_raw_socket.c index e0155fa87..166870421 100644 --- a/src/libcharon/plugins/socket_raw/socket_raw_socket.c +++ b/src/libcharon/plugins/socket_raw/socket_raw_socket.c 
@@ -538,11 +538,12 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) /* Destination Port must be either port or natt_port */ BPF_STMT(BPF_LD+BPF_H+BPF_ABS, udp_header + 2), BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_UDP_PORT, 1, 0), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 5, 12), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, IKEV2_NATT_PORT, 6, 14), /* port */ - /* IKE version must be 2.0 */ + /* IKE version must be 2.x */ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + IKE_VERSION_OFFSET), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 10), + BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 11), /* packet length is length in IKEv2 header + ip header + udp header */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + IKE_LENGTH_OFFSET), BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN), @@ -550,10 +551,11 @@ static int open_recv_socket(private_socket_raw_socket_t *this, int family) /* natt_port */ /* nat-t: check for marker */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 5), - /* nat-t: IKE version must be 2.0 */ + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0, 0, 6), + /* nat-t: IKE version must be 2.x */ BPF_STMT(BPF_LD+BPF_B+BPF_ABS, ike_header + MARKER_LEN + IKE_VERSION_OFFSET), - BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 0x20, 0, 3), + BPF_STMT(BPF_ALU+BPF_RSH+BPF_K, 4), + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, 2, 0, 3), /* nat-t: packet length is length in IKEv2 header + ip header + udp header + non esp marker */ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, ike_header + MARKER_LEN + IKE_LENGTH_OFFSET), BPF_STMT(BPF_ALU+BPF_ADD+BPF_K, ip_len + UDP_LEN + MARKER_LEN), diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 5803dc898..e32dc7b57 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in 
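Review bot: The relocated jump targets on the `IKEV2_NATT_PORT` and version `BPF_JUMP` lines (6/14, 0/11, 0/6) are hand-counted instruction offsets that stay valid only while nobody inserts or removes a statement between them and their targets, and a miscount fails silently: either IKE packets are dropped by the filter or non-IKE data reaches the parser. They look consistent with the single `BPF_ALU+BPF_RSH+BPF_K` instruction added in each branch, but nothing in the code states what each offset points at; a comment beside the first one such as `/* jt -> version check, jf -> natt_port block; recount both when changing the filter */` would make the next edit safer. Because the filter now admits any 2.x minor version, the IKE header parser behind this socket is the component that must decide how to treat an unexpected minor version. The enclosing open_recv_socket() starts and ends outside these two hunks.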
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index 23366898a..a47d93f7b 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -134,7 +134,7 @@ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter } }; child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode, - dpd, close, ipcomp, 0); + dpd, close, ipcomp, 0, 0, NULL, NULL); /* TODO: read proposal from db */ child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); add_traffic_selectors(this, child_cfg, id); diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c index e2d2d63b3..7b0a198d1 100644 --- a/src/libcharon/plugins/sql/sql_plugin.c +++ b/src/libcharon/plugins/sql/sql_plugin.c @@ -59,7 +59,7 @@ struct private_sql_plugin_t { static void destroy(private_sql_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->cred->set); + lib->credmgr->remove_set(lib->credmgr, &this->cred->set); charon->bus->remove_listener(charon->bus, &this->logger->listener); this->config->destroy(this->config); this->cred->destroy(this->cred); @@ -99,7 +99,7 @@ plugin_t *sql_plugin_create() this->logger = sql_logger_create(this->db); charon->backends->add_backend(charon->backends, &this->config->backend); - charon->credentials->add_set(charon->credentials, &this->cred->set); + lib->credmgr->add_set(lib->credmgr, &this->cred->set); charon->bus->add_listener(charon->bus, &this->logger->listener); return &this->public.plugin; 
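Review bot: The new trailing `0, 0, NULL, NULL` arguments in the `child_cfg_create` call of build_child_cfg pass null pointers for the two mark parameters, while the stroke backend in this same commit (stroke_config.c) passes the addresses of real `mark_t` values. If child_cfg_create copies `*mark_in` and `*mark_out` unconditionally, every SQL-backed child config dereferences NULL at load time; confirm that the constructor treats NULL as "no mark", or pass `&(mark_t){ .value = 0, .mask = 0 }` for both, matching what stroke_config.c does. The uci_config.c hunk (peer_enumerator_enumerate) in this commit makes the same call with `NULL, NULL` and needs the same confirmation. build_child_cfg() starts and ends outside this hunk.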
diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index 8815ba741..e094200ca 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index 49146f18b..9a3ae0ab9 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c +++ b/src/libcharon/plugins/stroke/stroke_ca.c @@ -306,7 +306,8 @@ static void del(private_stroke_ca_t *this, stroke_msg_t *msg) return; } ca_section_destroy(ca); - /* TODO: flush cached certs */ + + lib->credmgr->flush_cache(lib->credmgr, CERT_ANY); } /** @@ -356,12 +357,16 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer { if (section->certuribase && cert->issued_by(cert, section->cert)) { - chunk_t hash, encoded = cert->get_encoding(cert); - hasher->allocate_hash(hasher, encoded, &hash); - section->hashes->insert_last(section->hashes, - identification_create_from_encoding(ID_KEY_ID, hash)); - chunk_free(&hash); - chunk_free(&encoded); + chunk_t hash, encoded; + + if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded)) + { + hasher->allocate_hash(hasher, encoded, &hash); + section->hashes->insert_last(section->hashes, + identification_create_from_encoding(ID_KEY_ID, hash)); + chunk_free(&hash); + chunk_free(&encoded); + } break; } } 
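Review bot: When `cert->get_encoding(cert, CERT_ASN1_DER, &encoded)` fails in check_for_hash_and_url, the new code skips the hash-and-URL entry for that certificate and still executes `break`, with no diagnostic, so a peer will later be unable to resolve a hash for a certificate the operator believes is being served. An `else` branch with `DBG1(DBG_CFG, "encoding certificate for hash-and-url failed");` would make the gap visible in the log. The cache_cert hunk in stroke_cred.c in this commit has the same silent skip when a CRL cannot be encoded and could log likewise. check_for_hash_and_url() starts and ends outside this hunk.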
@@ -400,11 +405,11 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) /* list authkey and keyid */ if (public) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) { fprintf(out, " authkey: %#B\n", &chunk); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &chunk)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &chunk)) { fprintf(out, " keyid: %#B\n", &chunk); } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index bbc1e7a31..617069432 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c @@ -399,8 +399,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, if (ca) { identity = identification_create_from_string(ca); - certificate = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, identity, TRUE); + certificate = lib->credmgr->get_cert(lib->credmgr, CERT_X509, + KEY_ANY, identity, TRUE); identity->destroy(identity); if (certificate) { @@ -413,7 +413,7 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, } } - /* AC groups */ + /* groups */ if (end->groups) { enumerator_t *enumerator; @@ -422,9 +422,8 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator = enumerator_create_token(end->groups, ",", " "); while (enumerator->enumerate(enumerator, &group)) { - identity = identification_create_from_encoding(ID_IETF_ATTR_STRING, - chunk_create(group, strlen(group))); - cfg->add(cfg, AUTH_RULE_AC_GROUP, identity); + cfg->add(cfg, AUTH_RULE_GROUP, + identification_create_from_string(group)); } enumerator->destroy(enumerator); } 
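Review bot: Replacing `identification_create_from_encoding(ID_IETF_ATTR_STRING, ...)` with `identification_create_from_string(group)` changes the identity type attached to `AUTH_RULE_GROUP` from an explicit attribute string to whatever the string parser infers. If that parser applies its usual heuristics, a group name containing `=` or `@` would become a DN or RFC822 identity and a dotted name an FQDN, so a match against the group identities supplied by the attribute or EAP side depends on both ends inferring the same type. A short comment on the `cfg->add` line stating which identity type the matching code expects, or a test with a group name containing such characters, would pin this down. build_auth_cfg() starts and ends outside this hunk.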
@@ -769,6 +768,14 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, .jitter = msg->add_conn.rekey.margin_packets * msg->add_conn.rekey.fuzz / 100 } }; + mark_t mark_in = { + .value = msg->add_conn.mark_in.value, + .mask = msg->add_conn.mark_in.mask + }; + mark_t mark_out = { + .value = msg->add_conn.mark_out.value, + .mask = msg->add_conn.mark_out.mask + }; switch (msg->add_conn.dpd.action) { /* map startes magic values to our action type */ @@ -787,7 +794,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, msg->add_conn.name, &lifetime, msg->add_conn.me.updown, msg->add_conn.me.hostaccess, msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, - msg->add_conn.inactivity); + msg->add_conn.inactivity, msg->add_conn.reqid, + &mark_in, &mark_out); child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index a03aef697..f64421551 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -186,6 +186,11 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o } else { + if (!pos) + { + DBG1(DBG_CFG, "error parsing string"); + return; + } if (*(pos + 1) == '*') { /* is name[*] */ all = TRUE; diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index e0a5210a9..2816b9bb2 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c @@ -378,7 +378,7 @@ static bool add_crl(private_stroke_cred_t *this, crl_t* crl) } if (found) { - new = cert->is_newer(cert, current); + new = crl_is_newer(crl, crl_c); if (new) { this->certs->remove_at(this->certs, enumerator); 
@@ -587,9 +587,11 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_DIR, hex); free(hex.ptr); - chunk = cert->get_encoding(cert); - chunk_write(chunk, buf, "crl", 022, TRUE); - free(chunk.ptr); + if (cert->get_encoding(cert, CERT_ASN1_DER, &chunk)) + { + chunk_write(chunk, buf, "crl", 022, TRUE); + free(chunk.ptr); + } } } } diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index c2a98da33..a6de35466 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -17,6 +17,10 @@ #include +#ifdef HAVE_MALLINFO +#include +#endif /* HAVE_MALLINFO */ + #include #include #include @@ -54,6 +58,33 @@ struct private_stroke_list_t { stroke_attribute_t *attribute; }; +/** + * Log tasks of a specific queue to out + */ +static void log_task_q(FILE *out, ike_sa_t *ike_sa, task_queue_t q, char *name) +{ + enumerator_t *enumerator; + bool has = FALSE; + task_t *task; + + enumerator = ike_sa->create_task_enumerator(ike_sa, q); + while (enumerator->enumerate(enumerator, &task)) + { + if (!has) + { + fprintf(out, "%12s[%d]: Tasks %s: ", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa), name); + has = TRUE; + } + fprintf(out, "%N ", task_type_names, task->get_type(task)); + } + enumerator->destroy(enumerator); + if (has) + { + fprintf(out, "\n"); + } +} + /** * log an IKE_SA to out */ @@ -140,6 +171,10 @@ static void log_ike_sa(FILE *out, ike_sa_t *ike_sa, bool all) ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), buf+4); } + + log_task_q(out, ike_sa, TASK_QUEUE_QUEUED, "queued"); + log_task_q(out, ike_sa, TASK_QUEUE_ACTIVE, "active"); + log_task_q(out, ike_sa, TASK_QUEUE_PASSIVE, "passive"); } } 
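Review bot: `log_task_q` declares `char *name` although both call sites in log_ike_sa pass string literals; `const char *name` documents that the helper does not modify it and avoids a discarded-qualifier warning if a caller later passes a `const` string. The `%d` conversion for `ike_sa->get_unique_id(ike_sa)` mirrors the existing format in log_ike_sa, but if get_unique_id returns `u_int32_t` the matching specifier is `%u`; confirm against ike_sa.h. The doc comment could also say what the caller sees on an empty queue, e.g. `/* Log the tasks of queue q for ike_sa on one line prefixed with name; prints nothing if the queue is empty */`.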
@@ -342,7 +377,7 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) rules = auth->create_enumerator(auth); while (rules->enumerate(rules, &rule, &id)) { - if (rule == AUTH_RULE_AC_GROUP) + if (rule == AUTH_RULE_GROUP) { fprintf(out, "%12s: group: %Y\n", name, id); } @@ -373,12 +408,19 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo u_int32_t dpd; time_t since, now; u_int size, online, offline; - now = time_monotonic(NULL); since = time(NULL) - (now - this->uptime); fprintf(out, "Status of IKEv2 charon daemon (strongSwan "VERSION"):\n"); fprintf(out, " uptime: %V, since %T\n", &now, &this->uptime, &since, FALSE); +#ifdef HAVE_MALLINFO + { + struct mallinfo mi = mallinfo(); + + fprintf(out, " malloc: sbrk %d, mmap %d, used %d, free %d\n", + mi.arena, mi.hblkhd, mi.uordblks, mi.fordblks); + } +#endif /* HAVE_MALLINFO */ fprintf(out, " worker threads: %d idle of %d,", charon->processor->get_idle_threads(charon->processor), charon->processor->get_total_threads(charon->processor)); @@ -534,9 +576,8 @@ static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bo static linked_list_t* create_unique_cert_list(certificate_type_t type) { linked_list_t *list = linked_list_create(); - enumerator_t *enumerator = charon->credentials->create_cert_enumerator( - charon->credentials, type, KEY_ANY, - NULL, FALSE); + enumerator_t *enumerator = lib->credmgr->create_cert_enumerator( + lib->credmgr, type, KEY_ANY, NULL, FALSE); certificate_t *cert; while (enumerator->enumerate(enumerator, (void**)&cert)) 
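Review bot: The `struct mallinfo` fields printed in the new `HAVE_MALLINFO` block of status() (`arena`, `hblkhd`, `uordblks`, `fordblks`) are `int` in glibc, so on a daemon whose heap grows past 2 GiB the values wrap and the `malloc:` line silently reports nonsense; the `%d` specifiers are correct for the type, the limitation is in the API. A comment such as `/* mallinfo() reports int fields and wraps above 2 GiB; diagnostic only */` would stop a reader from treating the numbers as authoritative. status() starts and ends outside this hunk.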
@@ -585,11 +626,11 @@ static void list_public_key(public_key_t *public, FILE *out) identification_t *id; auth_cfg_t *auth; - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) { id = identification_create_from_encoding(ID_KEY_ID, keyid); auth = auth_cfg_create(); - private = charon->credentials->get_private(charon->credentials, + private = lib->credmgr->get_private(lib->credmgr, public->get_type(public), id, auth); auth->destroy(auth); id->destroy(id); @@ -599,11 +640,11 @@ static void list_public_key(public_key_t *public, FILE *out) key_type_names, public->get_type(public), public->get_keysize(public) * 8, private ? ", has private key" : ""); - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { fprintf(out, " keyid: %#B\n", &keyid); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyid)) { fprintf(out, " subjkey: %#B\n", &keyid); } diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 56c18da38..18afa5af4 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c @@ -344,8 +344,7 @@ static void stroke_purge(private_stroke_socket_t *this, { if (msg->purge.flags & PURGE_OCSP) { - charon->credentials->flush_cache(charon->credentials, - CERT_X509_OCSP_RESPONSE); + lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE); } if (msg->purge.flags & PURGE_IKE) { 
@@ -622,8 +621,8 @@ static bool open_socket(private_stroke_socket_t *this) static void destroy(private_stroke_socket_t *this) { this->job->cancel(this->job); - charon->credentials->remove_set(charon->credentials, &this->ca->set); - charon->credentials->remove_set(charon->credentials, &this->cred->set); + lib->credmgr->remove_set(lib->credmgr, &this->ca->set); + lib->credmgr->remove_set(lib->credmgr, &this->cred->set); charon->backends->remove_backend(charon->backends, &this->config->backend); hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); this->cred->destroy(this->cred); @@ -657,8 +656,8 @@ stroke_socket_t *stroke_socket_create() this->control = stroke_control_create(); this->list = stroke_list_create(this->attribute); - charon->credentials->add_set(charon->credentials, &this->ca->set); - charon->credentials->add_set(charon->credentials, &this->cred->set); + lib->credmgr->add_set(lib->credmgr, &this->ca->set); + lib->credmgr->add_set(lib->credmgr, &this->cred->set); charon->backends->add_backend(charon->backends, &this->config->backend); hydra->attributes->add_provider(hydra->attributes, &this->attribute->provider); diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index c10829bb3..934ab6080 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index bd58afbf0..ddddae782 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c 
@@ -196,7 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0); + ACTION_NONE, ACTION_NONE, FALSE, 0, 0, + NULL, NULL); child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net)); diff --git a/src/libcharon/plugins/uci/uci_plugin.c b/src/libcharon/plugins/uci/uci_plugin.c index 742fcf4d0..4790ef4e7 100644 --- a/src/libcharon/plugins/uci/uci_plugin.c +++ b/src/libcharon/plugins/uci/uci_plugin.c @@ -64,7 +64,7 @@ struct private_uci_plugin_t { static void destroy(private_uci_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); - charon->credentials->remove_set(charon->credentials, &this->creds->credential_set); + lib->credmgr->remove_set(lib->credmgr, &this->creds->credential_set); this->config->destroy(this->config); this->creds->destroy(this->creds); this->parser->destroy(this->parser); @@ -86,7 +86,7 @@ plugin_t *uci_plugin_create() this->creds = uci_creds_create(this->parser); this->control = uci_control_create(); charon->backends->add_backend(charon->backends, &this->config->backend); - charon->credentials->add_set(charon->credentials, &this->creds->credential_set); + lib->credmgr->add_set(lib->credmgr, &this->creds->credential_set); return &this->public.plugin; } diff --git a/src/libcharon/plugins/unit_tester/Makefile.am b/src/libcharon/plugins/unit_tester/Makefile.am index e27d1f859..c46d2b85d 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.am +++ b/src/libcharon/plugins/unit_tester/Makefile.am 
@@ -24,6 +24,7 @@ libstrongswan_unit_tester_la_SOURCES = \ tests/test_chunk.c \ tests/test_pool.c \ tests/test_agent.c \ - tests/test_id.c + tests/test_id.c \ + tests/test_hashtable.c libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 6ca43a38f..47850c1c5 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -78,7 +78,7 @@ am_libstrongswan_unit_tester_la_OBJECTS = unit_tester.lo \ test_enumerator.lo test_auth_info.lo test_curl.lo \ test_mysql.lo test_sqlite.lo test_mutex.lo test_rsa_gen.lo \ test_cert.lo test_med_db.lo test_chunk.lo test_pool.lo \ - test_agent.lo test_id.lo + test_agent.lo test_id.lo test_hashtable.lo libstrongswan_unit_tester_la_OBJECTS = \ $(am_libstrongswan_unit_tester_la_OBJECTS) libstrongswan_unit_tester_la_LINK = $(LIBTOOL) --tag=CC \ @@ -281,7 +281,8 @@ libstrongswan_unit_tester_la_SOURCES = \ tests/test_chunk.c \ tests/test_pool.c \ tests/test_agent.c \ - tests/test_id.c + tests/test_id.c \ + tests/test_hashtable.c libstrongswan_unit_tester_la_LDFLAGS = -module -avoid-version all: all-am 
@@ -373,6 +374,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_chunk.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_curl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_enumerator.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_hashtable.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_med_db.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/test_mutex.Plo@am__quote@ 
@@ -494,6 +496,13 @@ test_id.lo: tests/test_id.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_id.lo `test -f 'tests/test_id.c' || echo '$(srcdir)/'`tests/test_id.c +test_hashtable.lo: tests/test_hashtable.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT test_hashtable.lo -MD -MP -MF $(DEPDIR)/test_hashtable.Tpo -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/test_hashtable.Tpo $(DEPDIR)/test_hashtable.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tests/test_hashtable.c' object='test_hashtable.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o test_hashtable.lo `test -f 'tests/test_hashtable.c' || echo '$(srcdir)/'`tests/test_hashtable.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/unit_tester/tests.h b/src/libcharon/plugins/unit_tester/tests.h index 96313d390..cd38c8a99 100644 --- a/src/libcharon/plugins/unit_tester/tests.h +++ b/src/libcharon/plugins/unit_tester/tests.h 
@@ -19,6 +19,7 @@ */ DEFINE_TEST("linked_list_t->remove()", test_list_remove, FALSE) +DEFINE_TEST("hashtable_t->remove_at()", test_hashtable_remove_at, FALSE) DEFINE_TEST("simple enumerator", test_enumerate, FALSE) DEFINE_TEST("nested enumerator", test_enumerate_nested, FALSE) DEFINE_TEST("filtered enumerator", test_enumerate_filtered, FALSE) diff --git a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c index d6abe7a05..c250c356f 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_auth_info.c +++ b/src/libcharon/plugins/unit_tester/tests/test_auth_info.c @@ -15,7 +15,7 @@ #include #include -#include +#include static chunk_t certchunk = chunk_from_chars( diff --git a/src/libcharon/plugins/unit_tester/tests/test_hashtable.c b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c new file mode 100644 index 000000000..bd79e12f7 --- /dev/null +++ b/src/libcharon/plugins/unit_tester/tests/test_hashtable.c 
@@ -0,0 +1,111 @@ +/* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +static u_int hash(char *key) +{ + return chunk_hash(chunk_create(key, strlen(key))); +} + +static u_int equals(char *key1, char *key2) +{ + return streq(key1, key2); +} + +/** + * Test the remove_at method + */ +bool test_hashtable_remove_at() +{ + char *k1 = "key1", *k2 = "key2", *k3 = "key3", *key; + char *v1 = "val1", *v2 = "val2", *v3 = "val3", *value; + enumerator_t *enumerator; + hashtable_t *ht = hashtable_create((hashtable_hash_t)hash, + (hashtable_equals_t)equals, 0); + + ht->put(ht, k1, v1); + ht->put(ht, k2, v2); + ht->put(ht, k3, v3); + + if (ht->get_count(ht) != 3) + { + return FALSE; + } + + enumerator = ht->create_enumerator(ht); + while (enumerator->enumerate(enumerator, &key, &value)) + { + if (streq(key, k2)) + { + ht->remove_at(ht, enumerator); + } + } + enumerator->destroy(enumerator); + + if (ht->get_count(ht) != 2) + { + return FALSE; + } + + if (ht->get(ht, k1) == NULL || + ht->get(ht, k3) == NULL) + { + return FALSE; + } + + if (ht->get(ht, k2) != NULL) + { + return FALSE; + } + + ht->put(ht, k2, v2); + + if (ht->get_count(ht) != 3) + { + return FALSE; + } + + if (ht->get(ht, k1) == NULL || + ht->get(ht, k2) == NULL || + ht->get(ht, k3) == NULL) + { + return FALSE; + } + + enumerator = ht->create_enumerator(ht); + while (enumerator->enumerate(enumerator, &key, &value)) + { + ht->remove_at(ht, enumerator); 
+ } + enumerator->destroy(enumerator); + + if (ht->get_count(ht) != 0) + { + return FALSE; + } + + if (ht->get(ht, k1) != NULL || + ht->get(ht, k2) != NULL || + ht->get(ht, k3) != NULL) + { + return FALSE; + } + + ht->destroy(ht); + + return TRUE; +} diff --git a/src/libcharon/plugins/unit_tester/tests/test_med_db.c b/src/libcharon/plugins/unit_tester/tests/test_med_db.c index 7fd78b0bc..ae1d08e15 100644 --- a/src/libcharon/plugins/unit_tester/tests/test_med_db.c +++ b/src/libcharon/plugins/unit_tester/tests/test_med_db.c @@ -37,11 +37,11 @@ bool test_med_db() bool good = FALSE; id = identification_create_from_encoding(ID_KEY_ID, keyid); - enumerator = charon->credentials->create_public_enumerator( - charon->credentials, KEY_ANY, id, NULL); + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + KEY_ANY, id, NULL); while (enumerator->enumerate(enumerator, &public, &auth)) { - good = public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &found); + good = public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &found); if (good) { good = chunk_equals(id->get_encoding(id), found); diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index d3c509a32..ce233ad04 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libcharon/plugins/updown/updown_listener.c b/src/libcharon/plugins/updown/updown_listener.c index 5a6746f92..ea4a792c2 100644 --- a/src/libcharon/plugins/updown/updown_listener.c +++ b/src/libcharon/plugins/updown/updown_listener.c 
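Review bot: Each early `return FALSE;` in `test_hashtable_remove_at` leaves the hashtable created at the top allocated, so a failing run leaks `ht` and its remaining entries, which under a leak detector shows up as a second, unrelated failure. Replacing every `return FALSE;` with `goto failed;` and appending `failed: ht->destroy(ht); return FALSE;` before the closing brace keeps a single exit path. `equals` returns `u_int` from `streq` and is cast to `hashtable_equals_t`; if that typedef returns `bool`, declaring the helper with a `bool` return would make the cast unnecessary.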
@@ -115,7 +115,8 @@ METHOD(listener_t, child_updown, bool, { char command[1024]; char *my_client, *other_client, *my_client_mask, *other_client_mask; - char *pos, *virtual_ip, *iface; + char *pos, *virtual_ip, *iface, *mark_in, *mark_out, *udp_enc; + mark_t mark; bool is_host, is_ipv6; FILE *shell; @@ -160,6 +161,61 @@ METHOD(listener_t, child_updown, bool, } } + /* check for the presence of an inbound mark */ + mark = config->get_mark(config, TRUE); + if (mark.value) + { + if (asprintf(&mark_in, "PLUTO_MARK_IN='%u/0x%08x' ", + mark.value, mark.mask ) < 0) + { + mark_in = NULL; + } + } + else + { + if (asprintf(&mark_in, "") < 0) + { + mark_in = NULL; + } + } + + /* check for the presence of an outbound mark */ + mark = config->get_mark(config, FALSE); + if (mark.value) + { + if (asprintf(&mark_out, "PLUTO_MARK_OUT='%u/0x%08x' ", + mark.value, mark.mask ) < 0) + { + mark_out = NULL; + } + } + else + { + if (asprintf(&mark_out, "") < 0) + { + mark_out = NULL; + } + } + + /* check for a NAT condition causing ESP_IN_UDP encapsulation */ + if (ike_sa->has_condition(ike_sa, COND_NAT_ANY)) + { + if (asprintf(&udp_enc, "PLUTO_UDP_ENC='%u' ", + other->get_port(other)) < 0) + { + udp_enc = NULL; + } + + } + else + { + if (asprintf(&udp_enc, "") < 0) + { + udp_enc = NULL; + } + + } + if (up) { iface = charon->kernel_interface->get_interface( @@ -205,6 +261,9 @@ METHOD(listener_t, child_updown, bool, "PLUTO_PEER_PROTOCOL='%u' " "%s" "%s" + "%s" + "%s" + "%s" "%s", up ? "up" : "down", is_host ? "-host" : "-client", @@ -223,11 +282,17 @@ METHOD(listener_t, child_updown, bool, other_ts->get_from_port(other_ts), other_ts->get_protocol(other_ts), virtual_ip, + mark_in, + mark_out, + udp_enc, config->get_hostaccess(config) ? "PLUTO_HOST_ACCESS='1' " : "", script); free(my_client); free(other_client); free(virtual_ip); + free(mark_in); + free(mark_out); + free(udp_enc); free(iface); DBG3(DBG_CHD, "running updown script: %s", command); 
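Review bot: When any of the three new `asprintf` calls fails, the code stores NULL in `mark_in`, `mark_out` or `udp_enc` and then feeds that pointer to a `%s` conversion in the `snprintf` that builds `command`, which is undefined behavior (glibc happens to emit `(null)`, which would then reach the shell as a stray word). Guarding the three arguments, `mark_in ? mark_in : "",` `mark_out ? mark_out : "",` `udp_enc ? udp_enc : "",` removes the UB, and once those guards exist the `asprintf(&x, "")` calls in the `else` branches (a zero-length format string allocating an empty string) can become plain `x = NULL;`. The inserted values themselves are numeric (`%u`, `0x%08x`) inside single quotes, so they cannot break out of the generated assignments. child_updown() starts and ends outside these hunks; the point applies to all three hunks of this file together.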
@@ -283,7 +348,9 @@ updown_listener_t *updown_listener_create() INIT(this, .public = { - .listener.child_updown = _child_updown, + .listener = { + .child_updown = _child_updown, + }, .destroy = _destroy, }, .iface_cache = linked_list_create(), diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c index 13586a23e..cd340e53e 100644 --- a/src/libcharon/sa/authenticators/authenticator.c +++ b/src/libcharon/sa/authenticators/authenticator.c @@ -34,13 +34,6 @@ ENUM_NEXT(auth_method_names, AUTH_ECDSA_256, AUTH_ECDSA_521, AUTH_DSS, "ECDSA-521 signature"); ENUM_END(auth_method_names, AUTH_ECDSA_521); -ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, - "any", - "public key", - "pre-shared key", - "EAP", -); - /** * Described in header. */ diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h index fff91ed34..89178b5cf 100644 --- a/src/libcharon/sa/authenticators/authenticator.h +++ b/src/libcharon/sa/authenticators/authenticator.h @@ -24,11 +24,10 @@ #define AUTHENTICATOR_H_ typedef enum auth_method_t auth_method_t; -typedef enum auth_class_t auth_class_t; typedef struct authenticator_t authenticator_t; #include -#include +#include #include /** 
@@ -75,27 +74,6 @@ enum auth_method_t { */ extern enum_name_t *auth_method_names; -/** - * Class of authentication to use. This is different to auth_method_t in that - * it does not specify a method, but a class of acceptable methods. The found - * certificate finally dictates wich method is used. - */ -enum auth_class_t { - /** any class acceptable */ - AUTH_CLASS_ANY = 0, - /** authentication using public keys (RSA, ECDSA) */ - AUTH_CLASS_PUBKEY = 1, - /** authentication using a pre-shared secrets */ - AUTH_CLASS_PSK = 2, - /** authentication using EAP */ - AUTH_CLASS_EAP = 3, -}; - -/** - * enum strings for auth_class_t - */ -extern enum_name_t *auth_class_names; - /** * Authenticator interface implemented by the various authenticators. * diff --git a/src/libcharon/sa/authenticators/eap/eap_method.c b/src/libcharon/sa/authenticators/eap/eap_method.c index 91fa5305f..ad7b92cfa 100644 --- a/src/libcharon/sa/authenticators/eap/eap_method.c +++ b/src/libcharon/sa/authenticators/eap/eap_method.c 
@@ -15,44 +15,6 @@ #include "eap_method.h" -ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, - "EAP_IDENTITY", - "EAP_NOTIFICATION", - "EAP_NAK", - "EAP_MD5", - "EAP_OTP", - "EAP_GTC"); -ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, - "EAP_SIM"); -ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, - "EAP_AKA"); -ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, - "EAP_MSCHAPV2"); -ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, - "EAP_RADIUS", - "EAP_EXPANDED", - "EAP_EXPERIMENTAL"); -ENUM_END(eap_type_names, EAP_EXPERIMENTAL); - -ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, - "ID", - "NTF", - "NAK", - "MD5", - "OTP", - "GTC"); -ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC, - "SIM"); -ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM, - "AKA"); -ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, - "MSCHAPV2"); -ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, - "RAD", - "EXP", - "XP"); -ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); - /* * See header */ diff --git a/src/libcharon/sa/authenticators/eap/eap_method.h b/src/libcharon/sa/authenticators/eap/eap_method.h index 4cab84535..df354edb4 100644 --- a/src/libcharon/sa/authenticators/eap/eap_method.h +++ b/src/libcharon/sa/authenticators/eap/eap_method.h @@ -23,7 +23,6 @@ typedef struct eap_method_t eap_method_t; typedef enum eap_role_t eap_role_t; -typedef enum eap_type_t eap_type_t; typedef enum eap_code_t eap_code_t; #include 
@@ -42,35 +41,6 @@ enum eap_role_t { */ extern enum_name_t *eap_role_names; -/** - * EAP types, defines the EAP method implementation - */ -enum eap_type_t { - EAP_IDENTITY = 1, - EAP_NOTIFICATION = 2, - EAP_NAK = 3, - EAP_MD5 = 4, - EAP_OTP = 5, - EAP_GTC = 6, - EAP_SIM = 18, - EAP_AKA = 23, - EAP_MSCHAPV2 = 26, - /** not a method, but an implementation providing different methods */ - EAP_RADIUS = 253, - EAP_EXPANDED = 254, - EAP_EXPERIMENTAL = 255, -}; - -/** - * enum names for eap_type_t. - */ -extern enum_name_t *eap_type_names; - -/** - * short string enum names for eap_type_t. - */ -extern enum_name_t *eap_type_short_names; - /** * Lookup the EAP method type from a string. * diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index 4617c4d8d..3c0f3c358 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -140,17 +140,26 @@ static eap_payload_t* server_initiate_eap(private_eap_authenticator_t *this, id = auth->get(auth, AUTH_RULE_EAP_IDENTITY); if (id) { - this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER); - if (this->method) + if (id->get_type(id) == ID_ANY) { - if (this->method->initiate(this->method, &out) == NEED_MORE) + this->method = load_method(this, EAP_IDENTITY, 0, EAP_SERVER); + if (this->method) { - DBG1(DBG_IKE, "initiating EAP-Identity request"); - return out; + if (this->method->initiate(this->method, &out) == NEED_MORE) + { + DBG1(DBG_IKE, "initiating EAP-Identity request"); + return out; + } + this->method->destroy(this->method); } - this->method->destroy(this->method); + DBG1(DBG_IKE, "EAP-Identity request configured, " + "but not supported"); + } + else + { + DBG1(DBG_IKE, "using configured EAP-Identity %Y", id); + this->eap_identity = id->clone(id); } - DBG1(DBG_IKE, "EAP-Identity request configured, but not supported"); } } /* invoke real EAP method */ 
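Review bot: In the eap_authenticator.c hunk `this->eap_identity = id->clone(id);` stores a new object without releasing whatever `eap_identity` already holds; if server_initiate_eap can run while the field is set (not visible here), the previous identification leaks. ike_sa.c in this same series uses `DESTROY_IF` for exactly this pattern, so `DESTROY_IF(this->eap_identity); this->eap_identity = id->clone(id);` is the conventional form. The three-level nesting under `if (id->get_type(id) == ID_ANY)` could also be flattened by handling the configured-identity case first and returning early. server_initiate_eap starts before this hunk.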
@@ -220,7 +229,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, eap_type_t type, received_type; u_int32_t vendor, received_vendor; eap_payload_t *out; - auth_cfg_t *cfg; if (in->get_code(in) != EAP_RESPONSE) { @@ -283,12 +291,6 @@ static eap_payload_t* server_process_eap(private_eap_authenticator_t *this, } this->ike_sa->set_condition(this->ike_sa, COND_EAP_AUTHENTICATED, TRUE); - cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); - cfg->add(cfg, AUTH_RULE_EAP_TYPE, type); - if (vendor) - { - cfg->add(cfg, AUTH_RULE_EAP_VENDOR, vendor); - } this->eap_complete = TRUE; return eap_payload_create_code(EAP_SUCCESS, in->get_identifier(in)); case FAILED: diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c index 67197d690..e69f30dcf 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/authenticators/psk_authenticator.c @@ -63,8 +63,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) other_id = this->ike_sa->get_other_id(this->ike_sa); DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_method_names, AUTH_PSK); - key = charon->credentials->get_shared(charon->credentials, SHARED_IKE, - my_id, other_id); + key = lib->credmgr->get_shared(lib->credmgr, SHARED_IKE, my_id, other_id); if (key == NULL) { DBG1(DBG_IKE, "no shared key found for '%Y' - '%Y'", my_id, other_id); 
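Review bot: The `@@ -283` hunk stops recording the negotiated EAP type and vendor in the remote auth config (`AUTH_RULE_EAP_TYPE`/`AUTH_RULE_EAP_VENDOR`) while still setting `COND_EAP_AUTHENTICATED`. Any later check that matches the peer's auth config against a configured EAP method depends on those rules; if they are now added elsewhere (the replacement site is not in this diff) a one-line comment at the removal point, e.g. `/* EAP type/vendor rules are now recorded in [replacement site] */`, would save the next reader the search. server_process_eap starts before and ends after the hunk.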
@@ -107,8 +106,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) recv_auth_data = auth_payload->get_data(auth_payload); my_id = this->ike_sa->get_my_id(this->ike_sa); other_id = this->ike_sa->get_other_id(this->ike_sa); - enumerator = charon->credentials->create_shared_enumerator( - charon->credentials, SHARED_IKE, my_id, other_id); + enumerator = lib->credmgr->create_shared_enumerator(lib->credmgr, + SHARED_IKE, my_id, other_id); while (!authenticated && enumerator->enumerate(enumerator, &key, NULL, NULL)) { keys_found++; diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index f1dca2702..3c67f6db6 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -65,8 +65,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) id = this->ike_sa->get_my_id(this->ike_sa); auth = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); - private = charon->credentials->get_private(charon->credentials, KEY_ANY, - id, auth); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, id, auth); if (private == NULL) { DBG1(DBG_IKE, "no private key found for '%Y'", id); @@ -178,8 +177,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, this->nonce, id); auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); - enumerator = charon->credentials->create_public_enumerator( - charon->credentials, key_type, id, auth); + enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, + key_type, id, auth); while (enumerator->enumerate(enumerator, &public, ¤t_auth)) { if (public->verify(public, scheme, octets, auth_data)) diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index 3fdfb51ad..bd41cba56 100644 --- a/src/libcharon/sa/child_sa.c 
+++ b/src/libcharon/sa/child_sa.c @@ -97,6 +97,16 @@ struct private_child_sa_t { */ u_int32_t reqid; + /** + * inbound mark used for this child_sa + */ + mark_t mark_in; + + /** + * outbound mark used for this child_sa + */ + mark_t mark_out; + /** * absolute time when rekeying is scheduled */ @@ -127,6 +137,16 @@ struct private_child_sa_t { */ ipsec_mode_t mode; + /** + * Action to enforce if peer closes the CHILD_SA + */ + action_t close_action; + + /** + * Action to enforce if peer is considered dead + */ + action_t dpd_action; + /** * selected proposal */ @@ -271,6 +291,38 @@ static void set_ipcomp(private_child_sa_t *this, ipcomp_transform_t ipcomp) this->ipcomp = ipcomp; } +/** + * Implementation of child_sa_t.set_close_action. + */ +static void set_close_action(private_child_sa_t *this, action_t action) +{ + this->close_action = action; +} + +/** + * Implementation of child_sa_t.get_close_action. + */ +static action_t get_close_action(private_child_sa_t *this) +{ + return this->close_action; +} + +/** + * Implementation of child_sa_t.set_dpd_action. + */ +static void set_dpd_action(private_child_sa_t *this, action_t action) +{ + this->dpd_action = action; +} + +/** + * Implementation of child_sa_t.get_dpd_action. + */ +static action_t get_dpd_action(private_child_sa_t *this) +{ + return this->dpd_action; +} + /** * Implementation of child_sa_t.get_proposal */ @@ -389,10 +441,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->my_spi) { - status = charon->kernel_interface->query_sa( - charon->kernel_interface, + status = charon->kernel_interface->query_sa(charon->kernel_interface, this->other_addr, this->my_addr, - this->my_spi, this->protocol, &bytes); + this->my_spi, this->protocol, + this->mark_in, &bytes); if (status == SUCCESS) { if (bytes > this->my_usebytes) 
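Review bot: The four accessors added in the `@@ -271` hunk (`set_close_action`, `get_close_action`, `set_dpd_action`, `get_dpd_action`) use the legacy `static` plus `/** Implementation of child_sa_t.x */` form, while ike_sa.c in this same series converts its methods to `METHOD(ike_sa_t, name, ret, ...)`; new code in child_sa.c would read more consistently written as `METHOD(child_sa_t, set_close_action, void, private_child_sa_t *this, action_t action)`. The new struct fields and the `mark_in`/`mark_out` plumbing into `query_sa` are otherwise consistent with the later hunks.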
@@ -408,10 +460,10 @@ static status_t update_usebytes(private_child_sa_t *this, bool inbound) { if (this->other_spi) { - status = charon->kernel_interface->query_sa( - charon->kernel_interface, + status = charon->kernel_interface->query_sa(charon->kernel_interface, this->my_addr, this->other_addr, - this->other_spi, this->protocol, &bytes); + this->other_spi, this->protocol, + this->mark_out, &bytes); if (status == SUCCESS) { if (bytes > this->other_usebytes) @@ -443,14 +495,14 @@ static void update_usetime(private_child_sa_t *this, bool inbound) if (inbound) { if (charon->kernel_interface->query_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, &in) == SUCCESS) + other_ts, my_ts, POLICY_IN, this->mark_in, &in) == SUCCESS) { last_use = max(last_use, in); } if (this->mode != MODE_TRANSPORT) { if (charon->kernel_interface->query_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, &fwd) == SUCCESS) + other_ts, my_ts, POLICY_FWD, this->mark_in, &fwd) == SUCCESS) { last_use = max(last_use, fwd); } @@ -459,7 +511,7 @@ static void update_usetime(private_child_sa_t *this, bool inbound) else { if (charon->kernel_interface->query_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, &out) == SUCCESS) + my_ts, other_ts, POLICY_OUT, this->mark_out, &out) == SUCCESS) { last_use = max(last_use, out); } @@ -623,9 +675,10 @@ static status_t install(private_child_sa_t *this, chunk_t encr, chunk_t integ, } status = charon->kernel_interface->add_sa(charon->kernel_interface, - src, dst, spi, this->protocol, this->reqid, lifetime, - enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, - this->encap, update, src_ts, dst_ts); + src, dst, spi, this->protocol, this->reqid, + inbound ? this->mark_in : this->mark_out, + lifetime, enc_alg, encr, int_alg, integ, this->mode, + this->ipcomp, cpi, this->encap, update, src_ts, dst_ts); free(lifetime); 
@@ -666,19 +719,19 @@ static status_t add_policies(private_child_sa_t *this, /* install 3 policies: out, in and forward */ status |= charon->kernel_interface->add_policy(charon->kernel_interface, this->my_addr, this->other_addr, my_ts, other_ts, POLICY_OUT, - this->other_spi, this->protocol, this->reqid, this->mode, - this->ipcomp, this->other_cpi, routed); + this->other_spi, this->protocol, this->reqid, this->mark_out, + this->mode, this->ipcomp, this->other_cpi, routed); status |= charon->kernel_interface->add_policy(charon->kernel_interface, this->other_addr, this->my_addr, other_ts, my_ts, POLICY_IN, - this->my_spi, this->protocol, this->reqid, this->mode, - this->ipcomp, this->my_cpi, routed); + this->my_spi, this->protocol, this->reqid, this->mark_in, + this->mode, this->ipcomp, this->my_cpi, routed); if (this->mode != MODE_TRANSPORT) { status |= charon->kernel_interface->add_policy(charon->kernel_interface, this->other_addr, this->my_addr, other_ts, my_ts, POLICY_FWD, - this->my_spi, this->protocol, this->reqid, this->mode, - this->ipcomp, this->my_cpi, routed); + this->my_spi, this->protocol, this->reqid, this->mark_in, + this->mode, this->ipcomp, this->my_cpi, routed); } if (status != SUCCESS) @@ -726,7 +779,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, this->my_spi, this->protocol, this->ipcomp != IPCOMP_NONE ? this->my_cpi : 0, this->other_addr, this->my_addr, other, me, - this->encap, encap) == NOT_SUPPORTED) + this->encap, encap, this->mark_in) == NOT_SUPPORTED) { return NOT_SUPPORTED; } @@ -739,7 +792,7 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, this->other_spi, this->protocol, this->ipcomp != IPCOMP_NONE ? this->other_cpi : 0, this->my_addr, this->other_addr, me, other, - this->encap, encap) == NOT_SUPPORTED) + this->encap, encap, this->mark_out) == NOT_SUPPORTED) { return NOT_SUPPORTED; } 
@@ -761,13 +814,13 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, { /* remove old policies first */ charon->kernel_interface->del_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, FALSE); + my_ts, other_ts, POLICY_OUT, this->mark_out, FALSE); charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, FALSE); + other_ts, my_ts, POLICY_IN, this->mark_in, FALSE); if (this->mode != MODE_TRANSPORT) { charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, FALSE); + other_ts, my_ts, POLICY_FWD, this->mark_in, FALSE); } /* check whether we have to update a "dynamic" traffic selector */ @@ -793,18 +846,18 @@ static status_t update(private_child_sa_t *this, host_t *me, host_t *other, /* reinstall updated policies */ charon->kernel_interface->add_policy(charon->kernel_interface, me, other, my_ts, other_ts, POLICY_OUT, this->other_spi, - this->protocol, this->reqid, this->mode, this->ipcomp, - this->other_cpi, FALSE); + this->protocol, this->reqid, this->mark_out, this->mode, + this->ipcomp, this->other_cpi, FALSE); charon->kernel_interface->add_policy(charon->kernel_interface, other, me, other_ts, my_ts, POLICY_IN, this->my_spi, - this->protocol, this->reqid, this->mode, this->ipcomp, - this->my_cpi, FALSE); + this->protocol, this->reqid, this->mark_in, this->mode, + this->ipcomp, this->my_cpi, FALSE); if (this->mode != MODE_TRANSPORT) { charon->kernel_interface->add_policy(charon->kernel_interface, other, me, other_ts, my_ts, POLICY_FWD, this->my_spi, - this->protocol, this->reqid, this->mode, this->ipcomp, - this->my_cpi, FALSE); + this->protocol, this->reqid, this->mark_in, this->mode, + this->ipcomp, this->my_cpi, FALSE); } } enumerator->destroy(enumerator); 
@@ -854,13 +907,13 @@ static void destroy(private_child_sa_t *this) } charon->kernel_interface->del_sa(charon->kernel_interface, this->other_addr, this->my_addr, this->my_spi, - this->protocol, this->my_cpi); + this->protocol, this->my_cpi, this->mark_in); } if (this->other_spi) { charon->kernel_interface->del_sa(charon->kernel_interface, this->my_addr, this->other_addr, this->other_spi, - this->protocol, this->other_cpi); + this->protocol, this->other_cpi, this->mark_out); } if (this->config->install_policy(this->config)) @@ -870,13 +923,13 @@ static void destroy(private_child_sa_t *this) while (enumerator->enumerate(enumerator, &my_ts, &other_ts)) { charon->kernel_interface->del_policy(charon->kernel_interface, - my_ts, other_ts, POLICY_OUT, unrouted); + my_ts, other_ts, POLICY_OUT, this->mark_out, unrouted); charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_IN, unrouted); + other_ts, my_ts, POLICY_IN, this->mark_in, unrouted); if (this->mode != MODE_TRANSPORT) { charon->kernel_interface->del_policy(charon->kernel_interface, - other_ts, my_ts, POLICY_FWD, unrouted); + other_ts, my_ts, POLICY_FWD, this->mark_in, unrouted); } } enumerator->destroy(enumerator); 
@@ -919,6 +972,10 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->public.has_encap = (bool(*)(child_sa_t*))has_encap; this->public.get_ipcomp = (ipcomp_transform_t(*)(child_sa_t*))get_ipcomp; this->public.set_ipcomp = (void(*)(child_sa_t*,ipcomp_transform_t))set_ipcomp; + this->public.get_close_action = (action_t(*)(child_sa_t*))get_close_action; + this->public.set_close_action = (void(*)(child_sa_t*,action_t))set_close_action; + this->public.get_dpd_action = (action_t(*)(child_sa_t*))get_dpd_action; + this->public.set_dpd_action = (void(*)(child_sa_t*,action_t))set_dpd_action; this->public.alloc_spi = (u_int32_t(*)(child_sa_t*, protocol_id_t protocol))alloc_spi; this->public.alloc_cpi = (u_int16_t(*)(child_sa_t*))alloc_cpi; this->public.install = (status_t(*)(child_sa_t*, chunk_t encr, chunk_t integ, u_int32_t spi, u_int16_t cpi, bool inbound, linked_list_t *my_ts_list, linked_list_t *other_ts_list))install; @@ -942,17 +999,26 @@ child_sa_t * child_sa_create(host_t *me, host_t* other, this->other_usetime = 0; this->my_usebytes = 0; this->other_usebytes = 0; - /* reuse old reqid if we are rekeying an existing CHILD_SA */ - this->reqid = rekey ? rekey : ++reqid; this->my_ts = linked_list_create(); this->other_ts = linked_list_create(); this->protocol = PROTO_NONE; this->mode = MODE_TUNNEL; + this->close_action = config->get_close_action(config); + this->dpd_action = config->get_dpd_action(config); this->proposal = NULL; this->rekey_time = 0; this->expire_time = 0; this->config = config; config->get_ref(config); + this->reqid = config->get_reqid(config); + this->mark_in = config->get_mark(config, TRUE); + this->mark_out = config->get_mark(config, FALSE); + + if (!this->reqid) + { + /* reuse old reqid if we are rekeying an existing CHILD_SA */ + this->reqid = rekey ? rekey : ++reqid; + } /* MIPv6 proxy transport mode sets SA endpoints to TS hosts */ if (config->get_mode(config) == MODE_TRANSPORT && 
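Review bot: In the `@@ -942` hunk a non-zero `config->get_reqid(config)` is used as-is, but the automatic allocator `++reqid` still hands out values from the same number space, so a configured reqid can later collide with an auto-assigned one and two unrelated CHILD_SAs would then share kernel policies and SA lookups. Unless the allocator skips configured values somewhere not in this diff, the counter should start above the largest configured reqid or the configured value should be validated against it, and that invariant belongs in a comment next to `this->reqid = config->get_reqid(config);`. When a reqid is configured the `rekey` argument is also silently ignored, which is only correct if the rekeyed SA came from the same config; a short comment stating that assumption would help. child_sa_create starts before and ends after the hunk.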
diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index e6c603504..95bc297b0 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -207,6 +207,34 @@ struct child_sa_t { */ void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp); + /** + * Get the action to enforce if the remote peer closes the CHILD_SA. + * + * @return close action + */ + action_t (*get_close_action)(child_sa_t *this); + + /** + * Override the close action specified by the CHILD_SA config. + * + * @param close action to enforce + */ + void (*set_close_action)(child_sa_t *this, action_t action); + + /** + * Get the action to enforce if the peer is considered dead. + * + * @return dpd action + */ + action_t (*get_dpd_action)(child_sa_t *this); + + /** + * Override the DPD action specified by the CHILD_SA config. + * + * @param close action to enforce + */ + void (*set_dpd_action)(child_sa_t *this, action_t action); + /** * Get the selected proposal. * diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index 023f0749f..7536662ca 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -287,18 +287,14 @@ static time_t get_use_time(private_ike_sa_t* this, bool inbound) return use_time; } -/** - * Implementation of ike_sa_t.get_unique_id - */ -static u_int32_t get_unique_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_unique_id, u_int32_t, + private_ike_sa_t *this) { return this->unique_id; } -/** - * Implementation of ike_sa_t.get_name. - */ -static char *get_name(private_ike_sa_t *this) +METHOD(ike_sa_t, get_name, char*, + private_ike_sa_t *this) { if (this->peer_cfg) { @@ -307,10 +303,8 @@ static char *get_name(private_ike_sa_t *this) return "(unnamed)"; } -/** - * Implementation of ike_sa_t.get_statistic. - */ -static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind) +METHOD(ike_sa_t, get_statistic, u_int32_t, + private_ike_sa_t *this, statistic_t kind) { if (kind < STAT_MAX) { 
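Review bot: In the child_sa.h hunk the Doxygen for `set_dpd_action` is a copy of the `set_close_action` block: `@param close action to enforce` names neither the parameter nor the right action. Suggest `@param action dpd action to enforce` there and `@param action close action to enforce` on `set_close_action`, so the parameter name matches the prototype. The rest of the hunk is documented consistently with the surrounding declarations.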
@@ -319,52 +313,40 @@ static u_int32_t get_statistic(private_ike_sa_t *this, statistic_t kind) return 0; } -/** - * Implementation of ike_sa_t.get_my_host. - */ -static host_t *get_my_host(private_ike_sa_t *this) +METHOD(ike_sa_t, get_my_host, host_t*, + private_ike_sa_t *this) { return this->my_host; } -/** - * Implementation of ike_sa_t.set_my_host. - */ -static void set_my_host(private_ike_sa_t *this, host_t *me) +METHOD(ike_sa_t, set_my_host, void, + private_ike_sa_t *this, host_t *me) { DESTROY_IF(this->my_host); this->my_host = me; } -/** - * Implementation of ike_sa_t.get_other_host. - */ -static host_t *get_other_host(private_ike_sa_t *this) +METHOD(ike_sa_t, get_other_host, host_t*, + private_ike_sa_t *this) { return this->other_host; } -/** - * Implementation of ike_sa_t.set_other_host. - */ -static void set_other_host(private_ike_sa_t *this, host_t *other) +METHOD(ike_sa_t, set_other_host, void, + private_ike_sa_t *this, host_t *other) { DESTROY_IF(this->other_host); this->other_host = other; } -/** - * Implementation of ike_sa_t.get_peer_cfg - */ -static peer_cfg_t* get_peer_cfg(private_ike_sa_t *this) +METHOD(ike_sa_t, get_peer_cfg, peer_cfg_t*, + private_ike_sa_t *this) { return this->peer_cfg; } -/** - * Implementation of ike_sa_t.set_peer_cfg - */ -static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg) +METHOD(ike_sa_t, set_peer_cfg, void, + private_ike_sa_t *this, peer_cfg_t *peer_cfg) { DESTROY_IF(this->peer_cfg); peer_cfg->get_ref(peer_cfg); @@ -377,10 +359,8 @@ static void set_peer_cfg(private_ike_sa_t *this, peer_cfg_t *peer_cfg) } } -/** - * Implementation of ike_sa_t.get_auth_cfg - */ -static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local) +METHOD(ike_sa_t, get_auth_cfg, auth_cfg_t*, + private_ike_sa_t *this, bool local) { if (local) { 
@@ -389,10 +369,8 @@ static auth_cfg_t* get_auth_cfg(private_ike_sa_t *this, bool local) return this->other_auth; } -/** - * Implementation of ike_sa_t.add_auth_cfg - */ -static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg) +METHOD(ike_sa_t, add_auth_cfg, void, + private_ike_sa_t *this, bool local, auth_cfg_t *cfg) { if (local) { @@ -404,11 +382,8 @@ static void add_auth_cfg(private_ike_sa_t *this, bool local, auth_cfg_t *cfg) } } -/** - * Implementation of ike_sa_t.create_auth_cfg_enumerator - */ -static enumerator_t* create_auth_cfg_enumerator(private_ike_sa_t *this, - bool local) +METHOD(ike_sa_t, create_auth_cfg_enumerator, enumerator_t*, + private_ike_sa_t *this, bool local) { if (local) { 
@@ -424,42 +399,33 @@ static void flush_auth_cfgs(private_ike_sa_t *this) { auth_cfg_t *cfg; - if (lib->settings->get_bool(lib->settings, "charon.flush_auth_cfg", FALSE)) + while (this->my_auths->remove_last(this->my_auths, + (void**)&cfg) == SUCCESS) { - while (this->my_auths->remove_last(this->my_auths, - (void**)&cfg) == SUCCESS) - { - cfg->destroy(cfg); - } - while (this->other_auths->remove_last(this->other_auths, - (void**)&cfg) == SUCCESS) - { - cfg->destroy(cfg); - } + cfg->destroy(cfg); + } + while (this->other_auths->remove_last(this->other_auths, + (void**)&cfg) == SUCCESS) + { + cfg->destroy(cfg); } } -/** - * Implementation of ike_sa_t.get_proposal - */ -static proposal_t* get_proposal(private_ike_sa_t *this) +METHOD(ike_sa_t, get_proposal, proposal_t*, + private_ike_sa_t *this) { return this->proposal; } -/** - * Implementation of ike_sa_t.set_proposal - */ -static void set_proposal(private_ike_sa_t *this, proposal_t *proposal) +METHOD(ike_sa_t, set_proposal, void, + private_ike_sa_t *this, proposal_t *proposal) { DESTROY_IF(this->proposal); this->proposal = proposal->clone(proposal); } -/** - * Implementation of ike_sa_t.set_message_id - */ -static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid) +METHOD(ike_sa_t, set_message_id, void, + private_ike_sa_t *this, bool initiate, u_int32_t mid) { if (initiate) { @@ -471,10 +437,8 @@ static void set_message_id(private_ike_sa_t *this, bool initiate, u_int32_t mid) } } -/** - * Implementation of ike_sa_t.send_keepalive - */ -static void send_keepalive(private_ike_sa_t *this) +METHOD(ike_sa_t, send_keepalive, void, + private_ike_sa_t *this) { send_keepalive_job_t *job; time_t last_out, now, diff; 
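Review bot: `flush_auth_cfgs` no longer consults `charon.flush_auth_cfg` itself; the check moved to the IKE_AUTH path in process_message (last hunk of this file), while the new call from `reset` (the `@@ -767` hunk) flushes unconditionally. That split is reasonable since a reset discards the exchange anyway, but the function's header comment, which starts above this hunk, should now say that callers decide whether flushing is wanted, e.g. `/* Drops all local and remote auth configs; callers apply the charon.flush_auth_cfg policy. */`. The remaining lines of the hunk are a mechanical METHOD() conversion.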
@@ -510,52 +474,39 @@ static void send_keepalive(private_ike_sa_t *this) this->keepalive_interval - diff); } -/** - * Implementation of ike_sa_t.get_ike_cfg - */ -static ike_cfg_t *get_ike_cfg(private_ike_sa_t *this) +METHOD(ike_sa_t, get_ike_cfg, ike_cfg_t*, + private_ike_sa_t *this) { return this->ike_cfg; } -/** - * Implementation of ike_sa_t.set_ike_cfg - */ -static void set_ike_cfg(private_ike_sa_t *this, ike_cfg_t *ike_cfg) +METHOD(ike_sa_t, set_ike_cfg, void, + private_ike_sa_t *this, ike_cfg_t *ike_cfg) { ike_cfg->get_ref(ike_cfg); this->ike_cfg = ike_cfg; } -/** - * Implementation of ike_sa_t.enable_extension. - */ -static void enable_extension(private_ike_sa_t *this, ike_extension_t extension) +METHOD(ike_sa_t, enable_extension, void, + private_ike_sa_t *this, ike_extension_t extension) { this->extensions |= extension; } -/** - * Implementation of ike_sa_t.has_extension. - */ -static bool supports_extension(private_ike_sa_t *this, ike_extension_t extension) +METHOD(ike_sa_t, supports_extension, bool, + private_ike_sa_t *this, ike_extension_t extension) { return (this->extensions & extension) != FALSE; } -/** - * Implementation of ike_sa_t.has_condition. - */ -static bool has_condition(private_ike_sa_t *this, ike_condition_t condition) +METHOD(ike_sa_t, has_condition, bool, + private_ike_sa_t *this, ike_condition_t condition) { return (this->conditions & condition) != FALSE; } -/** - * Implementation of ike_sa_t.enable_condition. - */ -static void set_condition(private_ike_sa_t *this, ike_condition_t condition, - bool enable) +METHOD(ike_sa_t, set_condition, void, + private_ike_sa_t *this, ike_condition_t condition, bool enable) { if (has_condition(this, condition) != enable) { 
@@ -601,10 +552,8 @@ static void set_condition(private_ike_sa_t *this, ike_condition_t condition, } } -/** - * Implementation of ike_sa_t.send_dpd - */ -static status_t send_dpd(private_ike_sa_t *this) +METHOD(ike_sa_t, send_dpd, status_t, + private_ike_sa_t *this) { job_t *job; time_t diff, delay; @@ -660,18 +609,14 @@ static status_t send_dpd(private_ike_sa_t *this) return SUCCESS; } -/** - * Implementation of ike_sa_t.get_state. - */ -static ike_sa_state_t get_state(private_ike_sa_t *this) +METHOD(ike_sa_t, get_state, ike_sa_state_t, + private_ike_sa_t *this) { return this->state; } -/** - * Implementation of ike_sa_t.set_state. - */ -static void set_state(private_ike_sa_t *this, ike_sa_state_t state) +METHOD(ike_sa_t, set_state, void, + private_ike_sa_t *this, ike_sa_state_t state) { DBG2(DBG_IKE, "IKE_SA %s[%d] state change: %N => %N", get_name(this), this->unique_id, @@ -754,10 +699,8 @@ static void set_state(private_ike_sa_t *this, ike_sa_state_t state) this->state = state; } -/** - * Implementation of ike_sa_t.reset - */ -static void reset(private_ike_sa_t *this) +METHOD(ike_sa_t, reset, void, + private_ike_sa_t *this) { /* the responder ID is reset, as peer may choose another one */ if (this->ike_sa_id->is_initiator(this->ike_sa_id)) @@ -767,21 +710,22 @@ static void reset(private_ike_sa_t *this) set_state(this, IKE_CREATED); + flush_auth_cfgs(this); + + this->keymat->destroy(this->keymat); + this->keymat = keymat_create(this->ike_sa_id->is_initiator(this->ike_sa_id)); + this->task_manager->reset(this->task_manager, 0, 0); } -/** - * Implementation of ike_sa_t.get_keymat - */ -static keymat_t* get_keymat(private_ike_sa_t *this) +METHOD(ike_sa_t, get_keymat, keymat_t*, + private_ike_sa_t *this) { return this->keymat; } -/** - * Implementation of ike_sa_t.set_virtual_ip - */ -static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip) +METHOD(ike_sa_t, set_virtual_ip, void, + private_ike_sa_t *this, bool local, host_t *ip) { if (local) { 
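Review bot: In the `@@ -767` hunk `reset` now destroys the keymat and replaces it with `keymat_create(...)`, but the new pointer is stored without a check and the reason for the swap is not stated. If keymat_create can fail (not visible here) a NULL keymat would be dereferenced on the next exchange; if it cannot, a short comment such as `/* discard keys of the aborted exchange, a retry derives fresh material */` documents the intent. reset starts before this hunk.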
@@ -811,10 +755,8 @@ static void set_virtual_ip(private_ike_sa_t *this, bool local, host_t *ip) } } -/** - * Implementation of ike_sa_t.get_virtual_ip - */ -static host_t* get_virtual_ip(private_ike_sa_t *this, bool local) +METHOD(ike_sa_t, get_virtual_ip, host_t*, + private_ike_sa_t *this, bool local) { if (local) { @@ -826,27 +768,21 @@ static host_t* get_virtual_ip(private_ike_sa_t *this, bool local) } } -/** - * Implementation of ike_sa_t.add_additional_address. - */ -static void add_additional_address(private_ike_sa_t *this, host_t *host) +METHOD(ike_sa_t, add_additional_address, void, + private_ike_sa_t *this, host_t *host) { this->additional_addresses->insert_last(this->additional_addresses, host); } -/** - * Implementation of ike_sa_t.create_additional_address_iterator. - */ -static iterator_t* create_additional_address_iterator(private_ike_sa_t *this) +METHOD(ike_sa_t, create_additional_address_iterator, iterator_t*, + private_ike_sa_t *this) { return this->additional_addresses->create_iterator( this->additional_addresses, TRUE); } -/** - * Implementation of ike_sa_t.has_mapping_changed - */ -static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash) +METHOD(ike_sa_t, has_mapping_changed, bool, + private_ike_sa_t *this, chunk_t hash) { if (this->nat_detection_dest.ptr == NULL) { 
@@ -862,26 +798,20 @@ static bool has_mapping_changed(private_ike_sa_t *this, chunk_t hash) return TRUE; } -/** - * Implementation of ike_sa_t.set_pending_updates. - */ -static void set_pending_updates(private_ike_sa_t *this, u_int32_t updates) +METHOD(ike_sa_t, set_pending_updates, void, + private_ike_sa_t *this, u_int32_t updates) { this->pending_updates = updates; } -/** - * Implementation of ike_sa_t.get_pending_updates. - */ -static u_int32_t get_pending_updates(private_ike_sa_t *this) +METHOD(ike_sa_t, get_pending_updates, u_int32_t, + private_ike_sa_t *this) { return this->pending_updates; } -/** - * Update hosts, as addresses may change (NAT) - */ -static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other) +METHOD(ike_sa_t, update_hosts, void, + private_ike_sa_t *this, host_t *me, host_t *other) { bool update = FALSE; @@ -946,11 +876,8 @@ static void update_hosts(private_ike_sa_t *this, host_t *me, host_t *other) } } -/** - * Implementation of ike_sa_t.generate - */ -static status_t generate_message(private_ike_sa_t *this, message_t *message, - packet_t **packet) +METHOD(ike_sa_t, generate_message, status_t, + private_ike_sa_t *this, message_t *message, packet_t **packet) { this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); @@ -994,10 +921,8 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request, response->destroy(response); } -/** - * Implementation of ike_sa_t.set_kmaddress. - */ -static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote) +METHOD(ike_sa_t, set_kmaddress, void, + private_ike_sa_t *this, host_t *local, host_t *remote) { DESTROY_IF(this->local_host); DESTROY_IF(this->remote_host); 
@@ -1006,46 +931,35 @@ static void set_kmaddress(private_ike_sa_t *this, host_t *local, host_t *remote) } #ifdef ME -/** - * Implementation of ike_sa_t.act_as_mediation_server. - */ -static void act_as_mediation_server(private_ike_sa_t *this) +METHOD(ike_sa_t, act_as_mediation_server, void, + private_ike_sa_t *this) { charon->mediation_manager->update_sa_id(charon->mediation_manager, this->other_id, this->ike_sa_id); this->is_mediation_server = TRUE; } -/** - * Implementation of ike_sa_t.get_server_reflexive_host. - */ -static host_t *get_server_reflexive_host(private_ike_sa_t *this) +METHOD(ike_sa_t, get_server_reflexive_host, host_t*, + private_ike_sa_t *this) { return this->server_reflexive_host; } -/** - * Implementation of ike_sa_t.set_server_reflexive_host. - */ -static void set_server_reflexive_host(private_ike_sa_t *this, host_t *host) +METHOD(ike_sa_t, set_server_reflexive_host, void, + private_ike_sa_t *this, host_t *host) { DESTROY_IF(this->server_reflexive_host); this->server_reflexive_host = host; } -/** - * Implementation of ike_sa_t.get_connect_id. - */ -static chunk_t get_connect_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_connect_id, chunk_t, + private_ike_sa_t *this) { return this->connect_id; } -/** - * Implementation of ike_sa_t.respond - */ -static status_t respond(private_ike_sa_t *this, identification_t *peer_id, - chunk_t connect_id) +METHOD(ike_sa_t, respond, status_t, + private_ike_sa_t *this, identification_t *peer_id, chunk_t connect_id) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->respond(task, peer_id, connect_id); 
@@ -1053,10 +967,8 @@ static status_t respond(private_ike_sa_t *this, identification_t *peer_id, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.callback - */ -static status_t callback(private_ike_sa_t *this, identification_t *peer_id) +METHOD(ike_sa_t, callback, status_t, + private_ike_sa_t *this, identification_t *peer_id) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->callback(task, peer_id); @@ -1064,12 +976,9 @@ static status_t callback(private_ike_sa_t *this, identification_t *peer_id) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.relay - */ -static status_t relay(private_ike_sa_t *this, identification_t *requester, - chunk_t connect_id, chunk_t connect_key, - linked_list_t *endpoints, bool response) +METHOD(ike_sa_t, relay, status_t, + private_ike_sa_t *this, identification_t *requester, chunk_t connect_id, + chunk_t connect_key, linked_list_t *endpoints, bool response) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->relay(task, requester, connect_id, connect_key, endpoints, response); @@ -1077,11 +986,8 @@ static status_t relay(private_ike_sa_t *this, identification_t *requester, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.initiate_mediation - */ -static status_t initiate_mediation(private_ike_sa_t *this, - peer_cfg_t *mediated_cfg) +METHOD(ike_sa_t, initiate_mediation, status_t, + private_ike_sa_t *this, peer_cfg_t *mediated_cfg) { ike_me_t *task = ike_me_create(&this->public, TRUE); task->connect(task, mediated_cfg->get_peer_id(mediated_cfg)); 
@@ -1089,11 +995,8 @@ static status_t initiate_mediation(private_ike_sa_t *this, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.initiate_mediated - */ -static status_t initiate_mediated(private_ike_sa_t *this, host_t *me, - host_t *other, chunk_t connect_id) +METHOD(ike_sa_t, initiate_mediated, status_t, + private_ike_sa_t *this, host_t *me, host_t *other, chunk_t connect_id) { set_my_host(this, me->clone(me)); set_other_host(this, other->clone(other)); @@ -1166,12 +1069,9 @@ static void resolve_hosts(private_ike_sa_t *this) } } -/** - * Implementation of ike_sa_t.initiate - */ -static status_t initiate(private_ike_sa_t *this, - child_cfg_t *child_cfg, u_int32_t reqid, - traffic_selector_t *tsi, traffic_selector_t *tsr) +METHOD(ike_sa_t, initiate, status_t, + private_ike_sa_t *this, child_cfg_t *child_cfg, u_int32_t reqid, + traffic_selector_t *tsi, traffic_selector_t *tsr) { task_t *task; @@ -1259,10 +1159,8 @@ static status_t initiate(private_ike_sa_t *this, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.process_message. - */ -static status_t process_message(private_ike_sa_t *this, message_t *message) +METHOD(ike_sa_t, process_message, status_t, + private_ike_sa_t *this, message_t *message) { status_t status; bool is_request; @@ -1367,7 +1265,9 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) } status = this->task_manager->process_message(this->task_manager, message); if (message->get_exchange_type(message) == IKE_AUTH && - this->state == IKE_ESTABLISHED) + this->state == IKE_ESTABLISHED && + lib->settings->get_bool(lib->settings, + "charon.flush_auth_cfg", FALSE)) { /* authentication completed */ flush_auth_cfgs(this); } 
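Review bot: The added `charon.flush_auth_cfg` condition defaults to FALSE, so the `flush_auth_cfgs(this)` call that previously ran unconditionally once an IKE_AUTH exchange reached IKE_ESTABLISHED is now skipped by default, and the auth configs stay resident for the lifetime of the IKE_SA. That is a behaviour change, not just a new knob, and nothing in the hunk says why the default was flipped or what still needs the retained auth configs. A short comment at the condition would record that, e.g. `/* auth cfgs are kept by default; charon.flush_auth_cfg releases them once IKE_AUTH completes */`. The settings lookup also runs on every IKE_AUTH message, which is harmless but could be hoisted if the path ever matters. process_message begins and ends outside this hunk.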
@@ -1375,43 +1275,33 @@ static status_t process_message(private_ike_sa_t *this, message_t *message) return status; } -/** - * Implementation of ike_sa_t.get_id. - */ -static ike_sa_id_t* get_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_id, ike_sa_id_t*, + private_ike_sa_t *this) { return this->ike_sa_id; } -/** - * Implementation of ike_sa_t.get_my_id. - */ -static identification_t* get_my_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_my_id, identification_t*, + private_ike_sa_t *this) { return this->my_id; } -/** - * Implementation of ike_sa_t.set_my_id. - */ -static void set_my_id(private_ike_sa_t *this, identification_t *me) +METHOD(ike_sa_t, set_my_id, void, + private_ike_sa_t *this, identification_t *me) { DESTROY_IF(this->my_id); this->my_id = me; } -/** - * Implementation of ike_sa_t.get_other_id. - */ -static identification_t* get_other_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_other_id, identification_t*, + private_ike_sa_t *this) { return this->other_id; } -/** - * Implementation of ike_sa_t.get_other_eap_id. - */ -static identification_t* get_other_eap_id(private_ike_sa_t *this) +METHOD(ike_sa_t, get_other_eap_id, identification_t*, + private_ike_sa_t *this) { identification_t *id = NULL, *current; enumerator_t *enumerator; 
@@ -1440,28 +1330,21 @@ static identification_t* get_other_eap_id(private_ike_sa_t *this) return this->other_id; } -/** - * Implementation of ike_sa_t.set_other_id. - */ -static void set_other_id(private_ike_sa_t *this, identification_t *other) +METHOD(ike_sa_t, set_other_id, void, + private_ike_sa_t *this, identification_t *other) { DESTROY_IF(this->other_id); this->other_id = other; } -/** - * Implementation of ike_sa_t.add_child_sa. - */ -static void add_child_sa(private_ike_sa_t *this, child_sa_t *child_sa) +METHOD(ike_sa_t, add_child_sa, void, + private_ike_sa_t *this, child_sa_t *child_sa) { this->child_sas->insert_last(this->child_sas, child_sa); } -/** - * Implementation of ike_sa_t.get_child_sa. - */ -static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi, bool inbound) +METHOD(ike_sa_t, get_child_sa, child_sa_t*, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi, bool inbound) { iterator_t *iterator; child_sa_t *current, *found = NULL; @@ -1479,19 +1362,14 @@ static child_sa_t* get_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return found; } -/** - * Implementation of ike_sa_t.create_child_sa_iterator. - */ -static iterator_t* create_child_sa_iterator(private_ike_sa_t *this) +METHOD(ike_sa_t, create_child_sa_iterator, iterator_t*, + private_ike_sa_t *this) { return this->child_sas->create_iterator(this->child_sas, TRUE); } -/** - * Implementation of ike_sa_t.rekey_child_sa. - */ -static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi) +METHOD(ike_sa_t, rekey_child_sa, status_t, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { child_rekey_t *child_rekey; 
@@ -1500,11 +1378,8 @@ static status_t rekey_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.delete_child_sa. - */ -static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi) +METHOD(ike_sa_t, delete_child_sa, status_t, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { child_delete_t *child_delete; @@ -1513,11 +1388,8 @@ static status_t delete_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.destroy_child_sa. - */ -static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, - u_int32_t spi) +METHOD(ike_sa_t, destroy_child_sa, status_t, + private_ike_sa_t *this, protocol_id_t protocol, u_int32_t spi) { iterator_t *iterator; child_sa_t *child_sa; @@ -1539,10 +1411,8 @@ static status_t destroy_child_sa(private_ike_sa_t *this, protocol_id_t protocol, return status; } -/** - * Implementation of public_ike_sa_t.delete. - */ -static status_t delete_(private_ike_sa_t *this) +METHOD(ike_sa_t, delete_, status_t, + private_ike_sa_t *this) { ike_delete_t *ike_delete; @@ -1567,10 +1437,8 @@ static status_t delete_(private_ike_sa_t *this) return DESTROY_ME; } -/** - * Implementation of ike_sa_t.rekey. - */ -static status_t rekey(private_ike_sa_t *this) +METHOD(ike_sa_t, rekey, status_t, + private_ike_sa_t *this) { ike_rekey_t *ike_rekey; @@ -1580,10 +1448,8 @@ static status_t rekey(private_ike_sa_t *this) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.reauth - */ -static status_t reauth(private_ike_sa_t *this) +METHOD(ike_sa_t, reauth, status_t, + private_ike_sa_t *this) { task_t *task; 
@@ -1618,10 +1484,8 @@ static status_t reauth(private_ike_sa_t *this) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.reestablish - */ -static status_t reestablish(private_ike_sa_t *this) +METHOD(ike_sa_t, reestablish, status_t, + private_ike_sa_t *this) { ike_sa_t *new; host_t *host; @@ -1636,14 +1500,13 @@ static status_t reestablish(private_ike_sa_t *this) iterator = create_child_sa_iterator(this); while (iterator->iterate(iterator, (void**)&child_sa)) { - child_cfg = child_sa->get_config(child_sa); if (this->state == IKE_DELETING) { - action = child_cfg->get_close_action(child_cfg); + action = child_sa->get_close_action(child_sa); } else { - action = child_cfg->get_dpd_action(child_cfg); + action = child_sa->get_dpd_action(child_sa); } switch (action) { @@ -1651,7 +1514,8 @@ static status_t reestablish(private_ike_sa_t *this) restart = TRUE; break; case ACTION_ROUTE: - charon->traps->install(charon->traps, this->peer_cfg, child_cfg); + charon->traps->install(charon->traps, this->peer_cfg, + child_sa->get_config(child_sa)); break; default: break; @@ -1707,18 +1571,18 @@ static status_t reestablish(private_ike_sa_t *this) iterator = create_child_sa_iterator(this); while (iterator->iterate(iterator, (void**)&child_sa)) { - child_cfg = child_sa->get_config(child_sa); if (this->state == IKE_DELETING) { - action = child_cfg->get_close_action(child_cfg); + action = child_sa->get_close_action(child_sa); } else { - action = child_cfg->get_dpd_action(child_cfg); + action = child_sa->get_dpd_action(child_sa); } switch (action) { case ACTION_RESTART: + child_cfg = child_sa->get_config(child_sa); DBG1(DBG_IKE, "restarting CHILD_SA %s", child_cfg->get_name(child_cfg)); child_cfg->get_ref(child_cfg); 
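Review bot: In the second reestablish loop `child_cfg` is now assigned only inside `case ACTION_RESTART:`, whereas before it was set at the top of every iteration; if `child_cfg` is read anywhere after the switch for a non-RESTART action (that part of the loop body is outside the hunk), it now holds a stale value from a previous iteration or is uninitialised on the first one. If it is not read elsewhere, narrowing its scope makes that obvious, e.g. `child_cfg_t *child_cfg = child_sa->get_config(child_sa);` declared inside the case, so the outer declaration can go. The first loop avoids the problem by calling `child_sa->get_config(child_sa)` inline in the ACTION_ROUTE case, so the two loops could use the same shape. reestablish starts and ends outside these hunks.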
@@ -1750,9 +1614,41 @@ static status_t reestablish(private_ike_sa_t *this) } /** - * Implementation of ike_sa_t.retransmit. + * Requeue the IKE_SA_INIT tasks for initiation, if required */ -static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) +static void requeue_init_tasks(private_ike_sa_t *this) +{ + enumerator_t *enumerator; + bool has_init = FALSE; + task_t *task; + + /* if we have advanced to IKE_AUTH, the IKE_INIT and related tasks + * have already completed. Recreate them if necessary. */ + enumerator = this->task_manager->create_task_enumerator( + this->task_manager, TASK_QUEUE_QUEUED); + while (enumerator->enumerate(enumerator, &task)) + { + if (task->get_type(task) == IKE_INIT) + { + has_init = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + if (!has_init) + { + task = (task_t*)ike_vendor_create(&this->public, TRUE); + this->task_manager->queue_task(this->task_manager, task); + task = (task_t*)ike_natd_create(&this->public, TRUE); + this->task_manager->queue_task(this->task_manager, task); + task = (task_t*)ike_init_create(&this->public, TRUE, NULL); + this->task_manager->queue_task(this->task_manager, task); + } +} + +METHOD(ike_sa_t, retransmit, status_t, + private_ike_sa_t *this, u_int32_t message_id) { this->stats[STAT_OUTBOUND] = time_monotonic(NULL); if (this->task_manager->retransmit(this->task_manager, message_id) != SUCCESS) @@ -1770,6 +1666,7 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) DBG1(DBG_IKE, "peer not responding, trying again (%d/%d)", this->keyingtry + 1, tries); reset(this); + requeue_init_tasks(this); return this->task_manager->initiate(this->task_manager); } DBG1(DBG_IKE, "establishing IKE_SA failed, peer not responding"); 
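Review bot: `requeue_init_tasks` checks the queued list only for an `IKE_INIT` task but then queues all three of vendor, natd and init, so if a vendor or natd task were still queued without an init task (the function cannot tell from here whether that can happen), a duplicate would be enqueued. Either extend the scan to all three types or state the assumption next to the check, e.g. `/* vendor, natd and init are always queued together, so IKE_INIT alone is a sufficient marker */`. The call site in retransmit runs it directly after `reset(this)`, which is the right order since reset is what drops the in-flight exchange; a one-line comment there saying so would help the next reader. retransmit continues outside the hunk.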
@@ -1790,10 +1687,8 @@ static status_t retransmit(private_ike_sa_t *this, u_int32_t message_id) return SUCCESS; } -/** - * Implementation of ike_sa_t.set_auth_lifetime. - */ -static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime) +METHOD(ike_sa_t, set_auth_lifetime, void, + private_ike_sa_t *this, u_int32_t lifetime) { u_int32_t reduction = this->peer_cfg->get_over_time(this->peer_cfg); u_int32_t reauth_time = time_monotonic(NULL) + lifetime - reduction; @@ -1823,10 +1718,8 @@ static void set_auth_lifetime(private_ike_sa_t *this, u_int32_t lifetime) } } -/** - * Implementation of ike_sa_t.roam. - */ -static status_t roam(private_ike_sa_t *this, bool address) +METHOD(ike_sa_t, roam, status_t, + private_ike_sa_t *this, bool address) { host_t *src; ike_mobike_t *mobike; @@ -1919,12 +1812,9 @@ static status_t roam(private_ike_sa_t *this, bool address) return reauth(this); } -/** - * Implementation of ike_sa_t.add_configuration_attribute - */ -static void add_configuration_attribute(private_ike_sa_t *this, - attribute_handler_t *handler, - configuration_attribute_type_t type, chunk_t data) +METHOD(ike_sa_t, add_configuration_attribute, void, + private_ike_sa_t *this, attribute_handler_t *handler, + configuration_attribute_type_t type, chunk_t data) { attribute_entry_t *entry = malloc_thing(attribute_entry_t); 
@@ -1935,11 +1825,16 @@ static void add_configuration_attribute(private_ike_sa_t *this, this->attributes->insert_last(this->attributes, entry); } -/** - * Implementation of ike_sa_t.inherit. - */ -static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) +METHOD(ike_sa_t, create_task_enumerator, enumerator_t*, + private_ike_sa_t *this, task_queue_t queue) +{ + return this->task_manager->create_task_enumerator(this->task_manager, queue); +} + +METHOD(ike_sa_t, inherit, status_t, + private_ike_sa_t *this, ike_sa_t *other_public) { + private_ike_sa_t *other = (private_ike_sa_t*)other_public; child_sa_t *child_sa; attribute_entry_t *entry; @@ -2021,10 +1916,8 @@ static status_t inherit(private_ike_sa_t *this, private_ike_sa_t *other) return this->task_manager->initiate(this->task_manager); } -/** - * Implementation of ike_sa_t.destroy. - */ -static void destroy(private_ike_sa_t *this) +METHOD(ike_sa_t, destroy, void, + private_ike_sa_t *this) { attribute_entry_t *entry; 
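Review bot: `inherit` now downcasts its argument with a plain `(private_ike_sa_t*)other_public`; this is only valid when `other_public` is the `public` member of a `private_ike_sa_t` allocated by `ike_sa_create`, and it presumably relies on `public` being the first member of that struct, neither of which is checked or stated. A comment would record the contract: `/* other_public must come from ike_sa_create(); public is the first member of private_ike_sa_t */`. The same pattern appears in task_manager's `adopt_tasks` (hunk at L478). The new `create_task_enumerator` hands out the task manager's own `task_t` objects; ownership is not mentioned in the header doc added at L474, so presumably callers must not destroy the enumerated tasks, which is worth saying there.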
@@ -2106,122 +1999,107 @@ static void destroy(private_ike_sa_t *this) */ ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id) { - private_ike_sa_t *this = malloc_thing(private_ike_sa_t); + private_ike_sa_t *this; static u_int32_t unique_id = 0; - /* Public functions */ - this->public.get_state = (ike_sa_state_t (*)(ike_sa_t*)) get_state; - this->public.set_state = (void (*)(ike_sa_t*,ike_sa_state_t)) set_state; - this->public.get_name = (char* (*)(ike_sa_t*))get_name; - this->public.get_statistic = (u_int32_t(*)(ike_sa_t*, statistic_t kind))get_statistic; - this->public.process_message = (status_t (*)(ike_sa_t*, message_t*)) process_message; - this->public.initiate = (status_t (*)(ike_sa_t*,child_cfg_t*,u_int32_t,traffic_selector_t*,traffic_selector_t*)) initiate; - this->public.get_ike_cfg = (ike_cfg_t* (*)(ike_sa_t*))get_ike_cfg; - this->public.set_ike_cfg = (void (*)(ike_sa_t*,ike_cfg_t*))set_ike_cfg; - this->public.get_peer_cfg = (peer_cfg_t* (*)(ike_sa_t*))get_peer_cfg; - this->public.set_peer_cfg = (void (*)(ike_sa_t*,peer_cfg_t*))set_peer_cfg; - this->public.get_auth_cfg = (auth_cfg_t*(*)(ike_sa_t*, bool local))get_auth_cfg; - this->public.create_auth_cfg_enumerator = (enumerator_t*(*)(ike_sa_t*, bool local))create_auth_cfg_enumerator; - this->public.add_auth_cfg = (void(*)(ike_sa_t*, bool local, auth_cfg_t *cfg))add_auth_cfg; - this->public.get_proposal = (proposal_t*(*)(ike_sa_t*))get_proposal; - this->public.set_proposal = (void(*)(ike_sa_t*, proposal_t *proposal))set_proposal; - this->public.get_id = (ike_sa_id_t* (*)(ike_sa_t*)) get_id; - this->public.get_my_host = (host_t* (*)(ike_sa_t*)) get_my_host; - this->public.set_my_host = (void (*)(ike_sa_t*,host_t*)) set_my_host; - this->public.get_other_host = (host_t* (*)(ike_sa_t*)) get_other_host; - this->public.set_other_host = (void (*)(ike_sa_t*,host_t*)) set_other_host; - this->public.set_message_id = (void(*)(ike_sa_t*, bool inbound, u_int32_t mid))set_message_id; - this->public.update_hosts = 
(void(*)(ike_sa_t*, host_t *me, host_t *other))update_hosts; - this->public.get_my_id = (identification_t* (*)(ike_sa_t*)) get_my_id; - this->public.set_my_id = (void (*)(ike_sa_t*,identification_t*)) set_my_id; - this->public.get_other_id = (identification_t* (*)(ike_sa_t*)) get_other_id; - this->public.set_other_id = (void (*)(ike_sa_t*,identification_t*)) set_other_id; - this->public.get_other_eap_id = (identification_t* (*)(ike_sa_t*)) get_other_eap_id; - this->public.enable_extension = (void(*)(ike_sa_t*, ike_extension_t extension))enable_extension; - this->public.supports_extension = (bool(*)(ike_sa_t*, ike_extension_t extension))supports_extension; - this->public.set_condition = (void (*)(ike_sa_t*, ike_condition_t,bool)) set_condition; - this->public.has_condition = (bool (*)(ike_sa_t*,ike_condition_t)) has_condition; - this->public.set_pending_updates = (void(*)(ike_sa_t*, u_int32_t updates))set_pending_updates; - this->public.get_pending_updates = (u_int32_t(*)(ike_sa_t*))get_pending_updates; - this->public.create_additional_address_iterator = (iterator_t*(*)(ike_sa_t*))create_additional_address_iterator; - this->public.add_additional_address = (void(*)(ike_sa_t*, host_t *host))add_additional_address; - this->public.has_mapping_changed = (bool(*)(ike_sa_t*, chunk_t hash))has_mapping_changed; - this->public.retransmit = (status_t (*)(ike_sa_t *, u_int32_t)) retransmit; - this->public.delete = (status_t (*)(ike_sa_t*))delete_; - this->public.destroy = (void (*)(ike_sa_t*))destroy; - this->public.send_dpd = (status_t (*)(ike_sa_t*)) send_dpd; - this->public.send_keepalive = (void (*)(ike_sa_t*)) send_keepalive; - this->public.get_keymat = (keymat_t*(*)(ike_sa_t*))get_keymat; - this->public.add_child_sa = (void (*)(ike_sa_t*,child_sa_t*)) add_child_sa; - this->public.get_child_sa = (child_sa_t* (*)(ike_sa_t*,protocol_id_t,u_int32_t,bool)) get_child_sa; - this->public.create_child_sa_iterator = (iterator_t* (*)(ike_sa_t*)) create_child_sa_iterator; - 
this->public.rekey_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) rekey_child_sa; - this->public.delete_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t)) delete_child_sa; - this->public.destroy_child_sa = (status_t (*)(ike_sa_t*,protocol_id_t,u_int32_t))destroy_child_sa; - this->public.rekey = (status_t (*)(ike_sa_t*))rekey; - this->public.reauth = (status_t (*)(ike_sa_t*))reauth; - this->public.reestablish = (status_t (*)(ike_sa_t*))reestablish; - this->public.set_auth_lifetime = (void(*)(ike_sa_t*, u_int32_t lifetime))set_auth_lifetime; - this->public.roam = (status_t(*)(ike_sa_t*,bool))roam; - this->public.inherit = (status_t (*)(ike_sa_t*,ike_sa_t*))inherit; - this->public.generate_message = (status_t (*)(ike_sa_t*,message_t*,packet_t**))generate_message; - this->public.reset = (void (*)(ike_sa_t*))reset; - this->public.get_unique_id = (u_int32_t (*)(ike_sa_t*))get_unique_id; - this->public.set_virtual_ip = (void (*)(ike_sa_t*,bool,host_t*))set_virtual_ip; - this->public.get_virtual_ip = (host_t* (*)(ike_sa_t*,bool))get_virtual_ip; - this->public.add_configuration_attribute = (void(*)(ike_sa_t*, attribute_handler_t *handler,configuration_attribute_type_t type, chunk_t data))add_configuration_attribute; - this->public.set_kmaddress = (void (*)(ike_sa_t*,host_t*,host_t*))set_kmaddress; + INIT(this, + .public = { + .get_state = _get_state, + .set_state = _set_state, + .get_name = _get_name, + .get_statistic = _get_statistic, + .process_message = _process_message, + .initiate = _initiate, + .get_ike_cfg = _get_ike_cfg, + .set_ike_cfg = _set_ike_cfg, + .get_peer_cfg = _get_peer_cfg, + .set_peer_cfg = _set_peer_cfg, + .get_auth_cfg = _get_auth_cfg, + .create_auth_cfg_enumerator = _create_auth_cfg_enumerator, + .add_auth_cfg = _add_auth_cfg, + .get_proposal = _get_proposal, + .set_proposal = _set_proposal, + .get_id = _get_id, + .get_my_host = _get_my_host, + .set_my_host = _set_my_host, + .get_other_host = _get_other_host, + .set_other_host = 
_set_other_host, + .set_message_id = _set_message_id, + .update_hosts = _update_hosts, + .get_my_id = _get_my_id, + .set_my_id = _set_my_id, + .get_other_id = _get_other_id, + .set_other_id = _set_other_id, + .get_other_eap_id = _get_other_eap_id, + .enable_extension = _enable_extension, + .supports_extension = _supports_extension, + .set_condition = _set_condition, + .has_condition = _has_condition, + .set_pending_updates = _set_pending_updates, + .get_pending_updates = _get_pending_updates, + .create_additional_address_iterator = _create_additional_address_iterator, + .add_additional_address = _add_additional_address, + .has_mapping_changed = _has_mapping_changed, + .retransmit = _retransmit, + .delete = _delete_, + .destroy = _destroy, + .send_dpd = _send_dpd, + .send_keepalive = _send_keepalive, + .get_keymat = _get_keymat, + .add_child_sa = _add_child_sa, + .get_child_sa = _get_child_sa, + .create_child_sa_iterator = _create_child_sa_iterator, + .rekey_child_sa = _rekey_child_sa, + .delete_child_sa = _delete_child_sa, + .destroy_child_sa = _destroy_child_sa, + .rekey = _rekey, + .reauth = _reauth, + .reestablish = _reestablish, + .set_auth_lifetime = _set_auth_lifetime, + .roam = _roam, + .inherit = _inherit, + .generate_message = _generate_message, + .reset = _reset, + .get_unique_id = _get_unique_id, + .set_virtual_ip = _set_virtual_ip, + .get_virtual_ip = _get_virtual_ip, + .add_configuration_attribute = _add_configuration_attribute, + .set_kmaddress = _set_kmaddress, + .create_task_enumerator = _create_task_enumerator, #ifdef ME - this->public.act_as_mediation_server = (void (*)(ike_sa_t*)) act_as_mediation_server; - this->public.get_server_reflexive_host = (host_t* (*)(ike_sa_t*)) get_server_reflexive_host; - this->public.set_server_reflexive_host = (void (*)(ike_sa_t*,host_t*)) set_server_reflexive_host; - this->public.get_connect_id = (chunk_t (*)(ike_sa_t*)) get_connect_id; - this->public.initiate_mediation = (status_t (*)(ike_sa_t*,peer_cfg_t*)) 
initiate_mediation; - this->public.initiate_mediated = (status_t (*)(ike_sa_t*,host_t*,host_t*,chunk_t)) initiate_mediated; - this->public.relay = (status_t (*)(ike_sa_t*,identification_t*,chunk_t,chunk_t,linked_list_t*,bool)) relay; - this->public.callback = (status_t (*)(ike_sa_t*,identification_t*)) callback; - this->public.respond = (status_t (*)(ike_sa_t*,identification_t*,chunk_t)) respond; + .act_as_mediation_server = _act_as_mediation_server, + .get_server_reflexive_host = _get_server_reflexive_host, + .set_server_reflexive_host = _set_server_reflexive_host, + .get_connect_id = _get_connect_id, + .initiate_mediation = _initiate_mediation, + .initiate_mediated = _initiate_mediated, + .relay = _relay, + .callback = _callback, + .respond = _respond, #endif /* ME */ - - /* initialize private fields */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->child_sas = linked_list_create(); - this->my_host = host_create_any(AF_INET); + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + .child_sas = linked_list_create(), + .my_host = host_create_any(AF_INET), + .other_host = host_create_any(AF_INET), + .my_id = identification_create_from_encoding(ID_ANY, chunk_empty), + .other_id = identification_create_from_encoding(ID_ANY, chunk_empty), + .keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id)), + .state = IKE_CREATED, + .stats[STAT_INBOUND] = time_monotonic(NULL), + .stats[STAT_OUTBOUND] = time_monotonic(NULL), + .my_auth = auth_cfg_create(), + .other_auth = auth_cfg_create(), + .my_auths = linked_list_create(), + .other_auths = linked_list_create(), + .task_manager = task_manager_create(&this->public), + .unique_id = ++unique_id, + .additional_addresses = linked_list_create(), + .attributes = linked_list_create(), + .keepalive_interval = lib->settings->get_time(lib->settings, + "charon.keep_alive", KEEPALIVE_INTERVAL), + ); this->my_host->set_port(this->my_host, IKEV2_UDP_PORT); - this->other_host = host_create_any(AF_INET); - this->my_id = 
identification_create_from_encoding(ID_ANY, chunk_empty); - this->other_id = identification_create_from_encoding(ID_ANY, chunk_empty); - this->extensions = 0; - this->conditions = 0; - this->keymat = keymat_create(ike_sa_id->is_initiator(ike_sa_id)); - this->state = IKE_CREATED; - this->keepalive_interval = lib->settings->get_time(lib->settings, - "charon.keep_alive", KEEPALIVE_INTERVAL); - memset(this->stats, 0, sizeof(this->stats)); - this->stats[STAT_INBOUND] = this->stats[STAT_OUTBOUND] = time_monotonic(NULL); - this->ike_cfg = NULL; - this->peer_cfg = NULL; - this->my_auth = auth_cfg_create(); - this->other_auth = auth_cfg_create(); - this->my_auths = linked_list_create(); - this->other_auths = linked_list_create(); - this->proposal = NULL; - this->task_manager = task_manager_create(&this->public); - this->unique_id = ++unique_id; - this->my_virtual_ip = NULL; - this->other_virtual_ip = NULL; - this->additional_addresses = linked_list_create(); - this->attributes = linked_list_create(); - this->nat_detection_dest = chunk_empty; - this->pending_updates = 0; - this->keyingtry = 0; - this->local_host = NULL; - this->remote_host = NULL; -#ifdef ME - this->is_mediation_server = FALSE; - this->server_reflexive_host = NULL; - this->connect_id = chunk_empty; -#endif /* ME */ return &this->public; } diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c61502edf..34842a573 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -37,11 +37,11 @@ typedef struct ike_sa_t ike_sa_t; #include #include #include -#include +#include #include #include #include -#include +#include /** * Timeout in seconds after that a half open IKE_SA gets deleted. 
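Review bot: `.task_manager = task_manager_create(&this->public)` takes the address of `this` from inside the INIT initializer list, which is only well-defined if the INIT macro assigns the allocation to `this` before the initializer expressions are evaluated; the macro body is not visible here, so this deserves a comment at the call, e.g. `/* INIT assigns this before evaluating the initializers, so &this->public is valid here */`. Separately, `.stats[STAT_INBOUND]` and `.stats[STAT_OUTBOUND]` now call `time_monotonic(NULL)` twice, whereas the removed code assigned one value to both; if anything compares the two for equality that is a subtle change, and hoisting a single `time_t now = time_monotonic(NULL);` before INIT would restore the old guarantee. The removed `memset(this->stats, ...)` and the explicit NULL/0 assignments are covered by the compound-literal zero-initialisation, so nothing is lost there.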
@@ -887,6 +887,14 @@ struct ike_sa_t { */ void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote); + /** + * Create enumerator over a task queue of this IKE_SA. + * + * @param queue type to enumerate + * @return enumerator over task_t + */ + enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue); + /** * Inherit all attributes of other to this after rekeying. * diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index 3ef0f3bb0..c71c3b297 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -886,9 +886,10 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id { if (wait_for_entry(this, entry, segment)) { - DBG2(DBG_MGR, "IKE_SA successfully checked out"); entry->checked_out = TRUE; ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } unlock_single_segment(this, segment); } @@ -916,7 +917,8 @@ static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator) } ike_sa = ike_sa_create(ike_sa_id); - DBG2(DBG_MGR, "created IKE_SA"); + DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); if (!initiator) { @@ -971,10 +973,11 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, } else if (wait_for_entry(this, entry, segment)) { - DBG2(DBG_MGR, "IKE_SA checked out by hash"); entry->checked_out = TRUE; entry->message_id = message->get_message_id(message); ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "IKE_SA %s[%u] checked out by hash", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } unlock_single_segment(this, segment); } 
@@ -998,7 +1001,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, entry->init_hash = hash; ike_sa = entry->ike_sa; - DBG2(DBG_MGR, "created IKE_SA"); + DBG2(DBG_MGR, "created IKE_SA %s[%u]", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } else { @@ -1027,7 +1031,6 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, else if (wait_for_entry(this, entry, segment)) { ike_sa_id_t *ike_id = entry->ike_sa->get_id(entry->ike_sa); - DBG2(DBG_MGR, "IKE_SA successfully checked out"); entry->checked_out = TRUE; entry->message_id = message->get_message_id(message); if (ike_id->get_responder_spi(ike_id) == 0) @@ -1035,6 +1038,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, ike_id->set_responder_spi(ike_id, id->get_responder_spi(id)); } ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); } unlock_single_segment(this, segment); } @@ -1056,6 +1061,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, ike_cfg_t *current_ike; u_int segment; + DBG2(DBG_MGR, "checkout IKE_SA by config"); + if (!this->reuse_ikesa) { /* IKE_SA reuse disable by config */ ike_sa = checkout_new(this, TRUE); @@ -1081,10 +1088,11 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, current_ike = current_peer->get_ike_cfg(current_peer); if (current_ike->equals(current_ike, peer_cfg->get_ike_cfg(peer_cfg))) { - DBG2(DBG_MGR, "found an existing IKE_SA with a '%s' config", - current_peer->get_name(current_peer)); entry->checked_out = TRUE; ike_sa = entry->ike_sa; + DBG2(DBG_MGR, "found existing IKE_SA %u with a '%s' config", + ike_sa->get_unique_id(ike_sa), + current_peer->get_name(current_peer)); break; } } 
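Review bot: The new message in checkout_by_config, `"found existing IKE_SA %u with a '%s' config"`, prints only the unique id, while every other log line touched by this commit (checkout, checkout_new, checkout_by_message, and the checkout_by_id/checkout_by_name/checkin hunks at L476) uses the `"%s[%u]"` name-plus-id form; matching it keeps the manager's log lines greppable by one pattern, e.g. `DBG2(DBG_MGR, "found existing IKE_SA %s[%u] with a '%s' config", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa), current_peer->get_name(current_peer));`. All of these lines pass `ike_sa->get_name(ike_sa)` to `%s`; if `get_name` can return NULL before a peer config is attached, that is a NULL `%s` argument, so it is worth confirming the getter never returns NULL or that the project's printf hook tolerates it. checkout_by_config starts and ends outside the hunk.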
@@ -1112,6 +1120,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, child_sa_t *child_sa; u_int segment; + DBG2(DBG_MGR, "checkout IKE_SA by ID"); + enumerator = create_table_enumerator(this); while (enumerator->enumerate(enumerator, &entry, &segment)) { @@ -1142,6 +1152,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, if (ike_sa) { entry->checked_out = TRUE; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } } @@ -1195,6 +1207,8 @@ static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name, if (ike_sa) { entry->checked_out = TRUE; + DBG2(DBG_MGR, "IKE_SA %s[%u] successfully checked out", + ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); break; } } @@ -1251,7 +1265,8 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) other_id = ike_sa->get_other_id(ike_sa); other = ike_sa->get_other_host(ike_sa); - DBG2(DBG_MGR, "checkin IKE_SA"); + DBG2(DBG_MGR, "checkin IKE_SA %s[%u]", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); /* look for the entry */ if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS) @@ -1327,7 +1342,8 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa ike_sa_id = ike_sa->get_id(ike_sa); - DBG2(DBG_MGR, "checkin and destroy IKE_SA"); + DBG2(DBG_MGR, "checkin and destroy IKE_SA %s[%u]", ike_sa->get_name(ike_sa), + ike_sa->get_unique_id(ike_sa)); if (get_entry_by_sa(this, ike_sa_id, ike_sa, &entry, &segment) == SUCCESS) { diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index eeda6c860..a68826440 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c 
@@ -1,6 +1,6 @@ /* * Copyright (C) 2007 Tobias Brunner - * Copyright (C) 2007 Martin Willi + * Copyright (C) 2007-2010 Martin Willi * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -195,10 +195,8 @@ static bool activate_task(private_task_manager_t *this, task_type_t type) return found; } -/** - * Implementation of task_manager_t.retransmit - */ -static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) +METHOD(task_manager_t, retransmit, status_t, + private_task_manager_t *this, u_int32_t message_id) { if (message_id == this->initiating.mid) { @@ -281,11 +279,8 @@ static status_t retransmit(private_task_manager_t *this, u_int32_t message_id) return SUCCESS; } -/** - * build a request using the active task list - * Implementation of task_manager_t.initiate - */ -static status_t build_request(private_task_manager_t *this) +METHOD(task_manager_t, initiate, status_t, + private_task_manager_t *this) { iterator_t *iterator; task_t *task; @@ -296,7 +291,8 @@ static status_t build_request(private_task_manager_t *this) if (this->initiating.type != EXCHANGE_TYPE_UNDEFINED) { - DBG2(DBG_IKE, "delaying task initiation, exchange in progress"); + DBG2(DBG_IKE, "delaying task initiation, %N exchange in progress", + exchange_type_names, this->initiating.type); /* do not initiate if we already have a message in the air */ return SUCCESS; } @@ -534,7 +530,7 @@ static status_t process_response(private_task_manager_t *this, { /* start all over again if we were reset */ this->reset = FALSE; iterator->destroy(iterator); - return build_request(this); + return initiate(this); } } iterator->destroy(iterator); @@ -544,7 +540,7 @@ static status_t process_response(private_task_manager_t *this, this->initiating.packet->destroy(this->initiating.packet); this->initiating.packet = NULL; - return build_request(this); + return initiate(this); } /** 
@@ -883,10 +879,8 @@ static status_t process_request(private_task_manager_t *this, return build_response(this, message); } -/** - * Implementation of task_manager_t.process_message - */ -static status_t process_message(private_task_manager_t *this, message_t *msg) +METHOD(task_manager_t, process_message, status_t, + private_task_manager_t *this, message_t *msg) { u_int32_t mid = msg->get_message_id(msg); @@ -943,10 +937,8 @@ static status_t process_message(private_task_manager_t *this, message_t *msg) return SUCCESS; } -/** - * Implementation of task_manager_t.queue_task - */ -static void queue_task(private_task_manager_t *this, task_t *task) +METHOD(task_manager_t, queue_task, void, + private_task_manager_t *this, task_t *task) { if (task->get_type(task) == IKE_MOBIKE) { /* there is no need to queue more than one mobike task */ @@ -969,11 +961,10 @@ static void queue_task(private_task_manager_t *this, task_t *task) this->queued_tasks->insert_last(this->queued_tasks, task); } -/** - * Implementation of task_manager_t.adopt_tasks - */ -static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *other) +METHOD(task_manager_t, adopt_tasks, void, + private_task_manager_t *this, task_manager_t *other_public) { + private_task_manager_t *other = (private_task_manager_t*)other_public; task_t *task; /* move queued tasks from other to this */ 
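Review bot: `adopt_tasks` casts `other_public` straight to `private_task_manager_t*` with no comment; the cast is only valid because the public interface is the first member of the private struct, which the INIT block later in this diff appears to assume as well, but the struct definition is not visible from here. A one-line comment such as `/* other_public is always the .public member of a private_task_manager_t */` would document the invariant next to the cast. `adopt_tasks` starts in this hunk but its body continues past it.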
@@ -986,20 +977,16 @@ static void adopt_tasks(private_task_manager_t *this, private_task_manager_t *ot } } -/** - * Implementation of task_manager_t.busy - */ -static bool busy(private_task_manager_t *this) +METHOD(task_manager_t, busy, bool, + private_task_manager_t *this) { return (this->active_tasks->get_count(this->active_tasks) > 0); } -/** - * Implementation of task_manager_t.reset - */ -static void reset(private_task_manager_t *this, - u_int32_t initiate, u_int32_t respond) +METHOD(task_manager_t, reset, void, + private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) { + enumerator_t *enumerator; task_t *task; /* reset message counters and retransmit packets */ @@ -1017,6 +1004,14 @@ static void reset(private_task_manager_t *this, } this->initiating.type = EXCHANGE_TYPE_UNDEFINED; + /* reset queued tasks */ + enumerator = this->queued_tasks->create_enumerator(this->queued_tasks); + while (enumerator->enumerate(enumerator, &task)) + { + task->migrate(task, this->ike_sa); + } + enumerator->destroy(enumerator); + /* reset active tasks */ while (this->active_tasks->remove_last(this->active_tasks, (void**)&task) == SUCCESS) @@ -1028,10 +1023,24 @@ static void reset(private_task_manager_t *this, this->reset = TRUE; } -/** - * Implementation of task_manager_t.destroy - */ -static void destroy(private_task_manager_t *this) +METHOD(task_manager_t, create_task_enumerator, enumerator_t*, + private_task_manager_t *this, task_queue_t queue) +{ + switch (queue) + { + case TASK_QUEUE_ACTIVE: + return this->active_tasks->create_enumerator(this->active_tasks); + case TASK_QUEUE_PASSIVE: + return this->passive_tasks->create_enumerator(this->passive_tasks); + case TASK_QUEUE_QUEUED: + return this->queued_tasks->create_enumerator(this->queued_tasks); + default: + return enumerator_create_empty(); + } +} + +METHOD(task_manager_t, destroy, void, + private_task_manager_t *this) { flush(this); 
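Review bot: `create_task_enumerator` hands out an enumerator over the live `active_tasks`/`passive_tasks`/`queued_tasks` lists, and nothing in the hunk states what the caller may do with the task manager while that enumerator is open; `reset` in the same hunk removes from `active_tasks` and `queue_task` inserts into `queued_tasks`, so an enumeration interleaved with either would observe a mutated list. I would add a comment above the METHOD line saying the enumerator is only valid while the IKE_SA remains checked out and that no `queue_task`/`reset` call may intervene before the enumerator is destroyed. The `default:` branch returning `enumerator_create_empty()` for an unknown `queue` value is the right choice.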
@@ -1049,34 +1058,32 @@ static void destroy(private_task_manager_t *this) */ task_manager_t *task_manager_create(ike_sa_t *ike_sa) { - private_task_manager_t *this = malloc_thing(private_task_manager_t); - - this->public.process_message = (status_t(*)(task_manager_t*,message_t*))process_message; - this->public.queue_task = (void(*)(task_manager_t*,task_t*))queue_task; - this->public.initiate = (status_t(*)(task_manager_t*))build_request; - this->public.retransmit = (status_t(*)(task_manager_t*,u_int32_t))retransmit; - this->public.reset = (void(*)(task_manager_t*,u_int32_t,u_int32_t))reset; - this->public.adopt_tasks = (void(*)(task_manager_t*,task_manager_t*))adopt_tasks; - this->public.busy = (bool(*)(task_manager_t*))busy; - this->public.destroy = (void(*)(task_manager_t*))destroy; - - this->ike_sa = ike_sa; - this->responding.packet = NULL; - this->initiating.packet = NULL; - this->responding.mid = 0; - this->initiating.mid = 0; - this->initiating.type = EXCHANGE_TYPE_UNDEFINED; - this->queued_tasks = linked_list_create(); - this->active_tasks = linked_list_create(); - this->passive_tasks = linked_list_create(); - this->reset = FALSE; - - this->retransmit_tries = lib->settings->get_int(lib->settings, - "charon.retransmit_tries", RETRANSMIT_TRIES); - this->retransmit_timeout = lib->settings->get_double(lib->settings, - "charon.retransmit_timeout", RETRANSMIT_TIMEOUT); - this->retransmit_base = lib->settings->get_double(lib->settings, - "charon.retransmit_base", RETRANSMIT_BASE); + private_task_manager_t *this; + + INIT(this, + .public = { + .process_message = _process_message, + .queue_task = _queue_task, + .initiate = _initiate, + .retransmit = _retransmit, + .reset = _reset, + .adopt_tasks = _adopt_tasks, + .busy = _busy, + .create_task_enumerator = _create_task_enumerator, + .destroy = _destroy, + }, + .ike_sa = ike_sa, + .initiating.type = EXCHANGE_TYPE_UNDEFINED, + .queued_tasks = linked_list_create(), + .active_tasks = linked_list_create(), + 
.passive_tasks = linked_list_create(), + .retransmit_tries = lib->settings->get_int(lib->settings, + "charon.retransmit_tries", RETRANSMIT_TRIES), + .retransmit_timeout = lib->settings->get_double(lib->settings, + "charon.retransmit_timeout", RETRANSMIT_TIMEOUT), + .retransmit_base = lib->settings->get_double(lib->settings, + "charon.retransmit_base", RETRANSMIT_BASE), + ); return &this->public; } diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index 731ed4898..14fccd5f9 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -22,6 +22,7 @@ #define TASK_MANAGER_H_ typedef struct task_manager_t task_manager_t; +typedef enum task_queue_t task_queue_t; #include @@ -55,6 +56,17 @@ typedef struct task_manager_t task_manager_t; */ #define ROUTEABILITY_CHECK_TRIES 10 +/** + * Type of task queues the task manager uses to handle tasks + */ +enum task_queue_t { + /** tasks currently active, initiated by us */ + TASK_QUEUE_ACTIVE, + /** passive tasks initiated by the remote peer */ + TASK_QUEUE_PASSIVE, + /** tasks queued for initiated, but not yet activated */ + TASK_QUEUE_QUEUED, +}; /** * The task manager, juggles task and handles message exchanges. @@ -157,6 +169,15 @@ struct task_manager_t { */ bool (*busy) (task_manager_t *this); + /** + * Create an enumerator over tasks in a specific queue. + * + * @param queue queue to create an enumerator over + * @return enumerator over task_t + */ + enumerator_t* (*create_task_enumerator)(task_manager_t *this, + task_queue_t queue); + /** * Destroy the task_manager_t. */ diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index bea4f73d5..3de27ee3f 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c 
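Review bot: `task_manager_create` no longer sets `responding.packet`, `initiating.packet`, `responding.mid`, `initiating.mid` and `reset` explicitly; that is correct only if `INIT` zero-fills every field not named in the initializer, which the designated-initializer form suggests but the hunk does not show. A short comment in the INIT block, `/* packet pointers, message IDs and the reset flag are zeroed by INIT */`, would make that dependency explicit to the next reader.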
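Review bot: The doc comment on `TASK_QUEUE_QUEUED` in task_manager.h reads `tasks queued for initiated, but not yet activated`; it should read `/** tasks queued for initiation, but not yet activated */`. The `create_task_enumerator` documentation in the same section would also benefit from a sentence stating that the caller owns the returned enumerator and must destroy it, since the implementation returns a freshly created enumerator in every branch, including `enumerator_create_empty()` for an unknown queue.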
@@ -273,7 +273,8 @@ static void schedule_inactivity_timeout(private_child_create_t *this) * - INVALID_ARG: diffie hellman group inacceptable * - NOT_FOUND: TS inacceptable */ -static status_t select_and_install(private_child_create_t *this, bool no_dh) +static status_t select_and_install(private_child_create_t *this, + bool no_dh, bool ike_auth) { status_t status, status_i, status_o; chunk_t nonce_i, nonce_r; @@ -364,6 +365,25 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) other_ts = this->config->get_traffic_selectors(this->config, FALSE, other_ts, other_vip); + if (this->initiator) + { + if (ike_auth) + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_POST_NOAUTH, my_ts, other_ts); + } + else + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_POST_AUTH, my_ts, other_ts); + } + } + else + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_RESPONDER, my_ts, other_ts); + } + if (my_ts->get_count(my_ts) == 0 || other_ts->get_count(other_ts) == 0) { my_ts->destroy_offset(my_ts, offsetof(traffic_selector_t, destroy)); 
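Review bot: The new `ike_auth` parameter of `select_and_install` is not documented in the function's header comment, whose tail (`NOT_FOUND: TS inacceptable`) is visible just above the signature; because `ike_auth == TRUE` selects the `NARROW_INITIATOR_POST_NOAUTH` hook, the parameter name invites the opposite reading. I would add `@param ike_auth TRUE if the CHILD_SA is negotiated within IKE_AUTH, i.e. before the peer's authentication completed (selects the *_NOAUTH narrow hooks)`. Note also that the certificate-based RFC 3779 address block check removed from this function in the following hunk is now only enforced if a listener is registered on these narrow hooks; a reader of this file can no longer see that constraint, so a comment pointing at where it moved would help. `select_and_install` continues beyond this hunk.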
@@ -418,66 +438,6 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) } } - /* check for any certificate-based IP address block constraints */ - if (this->mode == MODE_BEET || this->mode == MODE_TUNNEL) - { - auth_cfg_t *auth; - enumerator_t *auth_enum; - certificate_t *cert = NULL; - - auth_enum = this->ike_sa->create_auth_cfg_enumerator(this->ike_sa, FALSE); - while (auth_enum->enumerate(auth_enum, &auth)) - { - cert = auth->get(auth, AUTH_HELPER_SUBJECT_CERT); - if (cert) - { - break; - } - } - auth_enum->destroy(auth_enum); - - if (cert && cert->get_type(cert) == CERT_X509) - { - x509_t *x509 = (x509_t*)cert; - - if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) - { - enumerator_t *enumerator, *block_enum; - traffic_selector_t *ts, *block_ts; - - DBG1(DBG_IKE, "checking certificate-based traffic selector " - "constraints [RFC 3779]"); - enumerator = other_ts->create_enumerator(other_ts); - while (enumerator->enumerate(enumerator, &ts)) - { - bool contained = FALSE; - - block_enum = x509->create_ipAddrBlock_enumerator(x509); - while (block_enum->enumerate(block_enum, &block_ts)) - { - if (ts->is_contained_in(ts, block_ts)) - { - DBG1(DBG_IKE, " TS %R is contained in address block" - " constraint %R", ts, block_ts); - contained = TRUE; - break; - } - } - block_enum->destroy(block_enum); - - if (!contained) - { - DBG1(DBG_IKE, " TS %R is not contained in any" - " address block constraint", ts); - enumerator->destroy(enumerator); - return FAILED; - } - } - enumerator->destroy(enumerator); - } - } - } - this->child_sa->set_state(this->child_sa, CHILD_INSTALLING); this->child_sa->set_ipcomp(this->child_sa, this->ipcomp); this->child_sa->set_mode(this->child_sa, this->mode); 
@@ -529,8 +489,8 @@ static status_t select_and_install(private_child_create_t *this, bool no_dh) return NOT_FOUND; } - charon->bus->child_keys(charon->bus, this->child_sa, this->dh, - nonce_i, nonce_r); + charon->bus->child_keys(charon->bus, this->child_sa, this->initiator, + this->dh, nonce_i, nonce_r); /* add to IKE_SA, and remove from task */ this->child_sa->set_state(this->child_sa, CHILD_INSTALLED); @@ -848,6 +808,17 @@ static status_t build_i(private_child_create_t *this, message_t *message) add_ipcomp_notify(this, message, IPCOMP_DEFLATE); } + if (message->get_exchange_type(message) == IKE_AUTH) + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_PRE_NOAUTH, this->tsi, this->tsr); + } + else + { + charon->bus->narrow(charon->bus, this->child_sa, + NARROW_INITIATOR_PRE_AUTH, this->tsi, this->tsr); + } + build_payloads(this, message); this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); @@ -914,7 +885,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) peer_cfg_t *peer_cfg; payload_t *payload; enumerator_t *enumerator; - bool no_dh = TRUE; + bool no_dh = TRUE, ike_auth = FALSE; switch (message->get_exchange_type(message)) { @@ -934,6 +905,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) { /* wait until all authentication round completed */ return NEED_MORE; } + ike_auth = TRUE; default: break; } @@ -1016,7 +988,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) } } - switch (select_and_install(this, no_dh)) + switch (select_and_install(this, no_dh, ike_auth)) { case SUCCESS: break; @@ -1064,7 +1036,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; - bool no_dh = TRUE; + bool no_dh = TRUE, ike_auth = FALSE; switch (message->get_exchange_type(message)) { 
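Review bot: In `build_r` the new `ike_auth = TRUE;` is the last statement of the `IKE_AUTH` case and falls through into `default: break;` without a marker; the same pattern is introduced in `process_i` (hunk `@@ -1079,6 +1051,7 @@`). The fall-through is harmless here, but an explicit `/* FALL */` after `ike_auth = TRUE;` keeps `-Wimplicit-fallthrough` quiet and makes the intent obvious to the reader. The switch begins outside the hunk, so I cannot see whether other cases already carry such a marker.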
@@ -1079,6 +1051,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) { /* wait until all authentication round completed */ return NEED_MORE; } + ike_auth = TRUE; default: break; } @@ -1159,7 +1132,7 @@ static status_t process_i(private_child_create_t *this, message_t *message) return SUCCESS; } - if (select_and_install(this, no_dh) == SUCCESS) + if (select_and_install(this, no_dh, ike_auth) == SUCCESS) { DBG0(DBG_IKE, "CHILD_SA %s{%d} established " "with SPIs %.8x_i %.8x_o and TS %#R=== %#R", @@ -1229,11 +1202,11 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); - if (this->tsi) + if (this->tsr) { this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); } - if (this->tsr) + if (this->tsi) { this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); } diff --git a/src/libcharon/sa/tasks/child_delete.c b/src/libcharon/sa/tasks/child_delete.c index d7c6b0541..b0cd30e1e 100644 --- a/src/libcharon/sa/tasks/child_delete.c +++ b/src/libcharon/sa/tasks/child_delete.c @@ -191,6 +191,7 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) child_cfg_t *child_cfg; protocol_id_t protocol; u_int32_t spi; + action_t action; status_t status = SUCCESS; iterator = this->child_sas->create_iterator(this->child_sas, TRUE); @@ -205,10 +206,11 @@ static status_t destroy_and_reestablish(private_child_delete_t *this) protocol = child_sa->get_protocol(child_sa); child_cfg = child_sa->get_config(child_sa); child_cfg->get_ref(child_cfg); + action = child_sa->get_close_action(child_sa); this->ike_sa->destroy_child_sa(this->ike_sa, protocol, spi); if (this->check_delete_action) { /* enforce child_cfg policy if deleted passively */ - switch (child_cfg->get_close_action(child_cfg)) + switch (action) { case ACTION_RESTART: child_cfg->get_ref(child_cfg); 
diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c
index b5e4e84b4..fb3452efd 100644
--- a/src/libcharon/sa/tasks/child_rekey.c
+++ b/src/libcharon/sa/tasks/child_rekey.c
@@ -214,6 +214,64 @@ static status_t build_r(private_child_rekey_t *this, message_t *message)
 return SUCCESS;
 }
 
+/**
+ * Handle a rekey collision
+ */
+static child_sa_t *handle_collision(private_child_rekey_t *this)
+{
+ child_sa_t *to_delete;
+
+ if (this->collision->get_type(this->collision) == CHILD_REKEY)
+ {
+ chunk_t this_nonce, other_nonce;
+ private_child_rekey_t *other = (private_child_rekey_t*)this->collision;
+
+ this_nonce = this->child_create->get_lower_nonce(this->child_create);
+ other_nonce = other->child_create->get_lower_nonce(other->child_create);
+
+ /* if we have the lower nonce, delete rekeyed SA. If not, delete
+ * the redundant. */
+ if (memcmp(this_nonce.ptr, other_nonce.ptr,
+ min(this_nonce.len, other_nonce.len)) < 0)
+ {
+ child_sa_t *child_sa;
+
+ DBG1(DBG_IKE, "CHILD_SA rekey collision won, "
+ "deleting rekeyed child");
+ to_delete = this->child_sa;
+ /* disable close action for the redundand child */
+ child_sa = other->child_create->get_child(other->child_create);
+ child_sa->set_close_action(child_sa, ACTION_NONE);
+ }
+ else
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey collision lost, "
+ "deleting redundant child");
+ to_delete = this->child_create->get_child(this->child_create);
+ }
+ }
+ else
+ { /* CHILD_DELETE */
+ child_delete_t *del = (child_delete_t*)this->collision;
+
+ /* we didn't had a chance to compare the nonces, so we delete
+ * the CHILD_SA the other is not deleting. */
+ if (del->get_child(del) != this->child_sa)
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
+ "deleting rekeyed child");
+ to_delete = this->child_sa;
+ }
+ else
+ {
+ DBG1(DBG_IKE, "CHILD_SA rekey/delete collision, "
+ "deleting redundant child");
+ to_delete = this->child_create->get_child(this->child_create);
+ }
+ }
+ return to_delete;
+}
+
 /**
  * Implementation of task_t.process for initiator
  */
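Review bot: In the `rekey collision won` branch, `child_sa = other->child_create->get_child(other->child_create)` is dereferenced immediately, while the `lost` branch and the caller treat a NULL result of `get_child()` as possible (`process_i` gains an explicit `to_delete == NULL` early return in the next hunk). The same guard belongs here: `if (child_sa) { child_sa->set_close_action(child_sa, ACTION_NONE); }`. Two comment typos could be fixed in passing: `redundand` and `we didn't had a chance`.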
@@ -263,35 +321,14 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) return SUCCESS; } - to_delete = this->child_sa; - /* check for rekey collisions */ - if (this->collision && - this->collision->get_type(this->collision) == CHILD_REKEY) + if (this->collision) { - chunk_t this_nonce, other_nonce; - private_child_rekey_t *other = (private_child_rekey_t*)this->collision; - - this_nonce = this->child_create->get_lower_nonce(this->child_create); - other_nonce = other->child_create->get_lower_nonce(other->child_create); - - /* if we have the lower nonce, delete rekeyed SA. If not, delete - * the redundant. */ - if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) - { - DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting rekeyed child"); - } - else - { - DBG1(DBG_IKE, "CHILD_SA rekey collision lost, deleting redundant child"); - to_delete = this->child_create->get_child(this->child_create); - if (to_delete == NULL) - { - /* ooops, should not happen, fallback */ - to_delete = this->child_sa; - } - } + to_delete = handle_collision(this); + } + else + { + to_delete = this->child_sa; } if (to_delete != this->child_create->get_child(this->child_create)) @@ -300,6 +337,10 @@ static status_t process_i(private_child_rekey_t *this, message_t *message) this->child_create->get_child(this->child_create)); } + if (to_delete == NULL) + { + return SUCCESS; + } spi = to_delete->get_spi(to_delete, TRUE); protocol = to_delete->get_protocol(to_delete); diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index a07f96767..a954782f2 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c 
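Review bot: The new `if (to_delete == NULL) { return SUCCESS; }` abandons the collision handling without any diagnostic, whereas the removed code at least marked the `ooops, should not happen, fallback` case in a comment. As far as I can see this is the path taken when `handle_collision` cannot find a CHILD_SA to delete, so a `DBG1(DBG_IKE, "no CHILD_SA to delete after rekey collision, skipping delete");` before the return would leave a trace for later analysis. `process_i` continues after this hunk.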
@@ -518,6 +518,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) (uintptr_t)cand->get(cand, AUTH_RULE_EAP_TYPE) == EAP_NAK && (uintptr_t)cand->get(cand, AUTH_RULE_EAP_VENDOR) == 0)) { /* peer requested EAP, but current config does not match */ + DBG1(DBG_IKE, "peer requested EAP, config inacceptable"); this->peer_cfg->destroy(this->peer_cfg); this->peer_cfg = NULL; if (!update_cfg_candidates(this, FALSE)) @@ -527,7 +528,16 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) } cand = get_auth_cfg(this, FALSE); } - cfg->merge(cfg, cand, TRUE); + /* copy over the EAP specific rules for authentication */ + cfg->add(cfg, AUTH_RULE_EAP_TYPE, + cand->get(cand, AUTH_RULE_EAP_TYPE)); + cfg->add(cfg, AUTH_RULE_EAP_VENDOR, + cand->get(cand, AUTH_RULE_EAP_VENDOR)); + id = (identification_t*)cand->get(cand, AUTH_RULE_EAP_IDENTITY); + if (id) + { + cfg->add(cfg, AUTH_RULE_EAP_IDENTITY, id->clone(id)); + } } /* verify authentication data */ diff --git a/src/libcharon/sa/tasks/ike_cert_post.c b/src/libcharon/sa/tasks/ike_cert_post.c index c831df975..cc810a49a 100644 --- a/src/libcharon/sa/tasks/ike_cert_post.c +++ b/src/libcharon/sa/tasks/ike_cert_post.c @@ -72,14 +72,18 @@ static cert_payload_t *build_cert_payload(private_ike_cert_post_t *this, return cert_payload_create_from_cert(cert); } - encoded = cert->get_encoding(cert); + if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoded)) + { + DBG1(DBG_IKE, "encoding certificate for cert payload failed"); + hasher->destroy(hasher); + return NULL; + } hasher->allocate_hash(hasher, encoded, &hash); chunk_free(&encoded); hasher->destroy(hasher); id = identification_create_from_encoding(ID_KEY_ID, hash); - enumerator = charon->credentials->create_cdp_enumerator(charon->credentials, - CERT_X509, id); + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, CERT_X509, id); if (enumerator->enumerate(enumerator, &url)) { payload = cert_payload_create_from_hash_and_url(hash, url); 
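Review bot: The replacement of `cfg->merge(cfg, cand, TRUE)` by three `cfg->add` calls copies only the EAP type, vendor and identity, but the `copy over the EAP specific rules` comment does not say why a full merge is no longer wanted, and the next maintainer will read this as an incomplete merge; I would extend the comment with the reason, which the hunk does not state. The new log line spells `inacceptable`; `unacceptable` is the usual form. `id` is assigned in this hunk but declared outside it, so I cannot confirm its type from here.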
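Review bot: `build_cert_payload` in ike_cert_post.c now returns NULL when `get_encoding(cert, CERT_ASN1_DER, &encoded)` fails; its callers are outside this hunk, so please confirm they check the result before adding the payload to the message. The early return destroys `hasher`, and `encoded` is only freed after a successful encoding, so the failure path itself leaks nothing as far as the hunk shows.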
diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index 0805d0290..1c0c54727 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c @@ -93,8 +93,8 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) certificate_t *cert; id = identification_create_from_encoding(ID_KEY_ID, keyid); - cert = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, id, TRUE); + cert = lib->credmgr->get_cert(lib->credmgr, + CERT_X509, KEY_ANY, id, TRUE); if (cert) { DBG1(DBG_IKE, "received cert request for \"%Y\"", @@ -156,8 +156,8 @@ static certificate_t *try_get_cert(cert_payload_t *cert_payload) break; } id = identification_create_from_encoding(ID_KEY_ID, hash); - cert = charon->credentials->get_cert(charon->credentials, - CERT_X509, KEY_ANY, id, FALSE); + cert = lib->credmgr->get_cert(lib->credmgr, + CERT_X509, KEY_ANY, id, FALSE); id->destroy(id); break; } @@ -299,7 +299,7 @@ static void add_certreq(certreq_payload_t **req, certificate_t *cert) { *req = certreq_payload_create_type(CERT_X509); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { (*req)->add_keyid(*req, keyid); DBG1(DBG_IKE, "sending cert request for \"%Y\"", @@ -370,8 +370,8 @@ static void build_certreqs(private_ike_cert_pre_t *this, message_t *message) if (!req) { /* otherwise add all trusted CA certificates */ - enumerator = charon->credentials->create_cert_enumerator( - charon->credentials, CERT_ANY, KEY_ANY, NULL, TRUE); + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_ANY, KEY_ANY, NULL, TRUE); while (enumerator->enumerate(enumerator, &cert)) { add_certreq(&req, cert); diff --git a/src/libcharon/sa/tasks/ike_config.c b/src/libcharon/sa/tasks/ike_config.c index 58bcf0762..c92b5bca5 100644 --- a/src/libcharon/sa/tasks/ike_config.c +++ b/src/libcharon/sa/tasks/ike_config.c 
@@ -333,7 +333,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message) chunk_empty); return SUCCESS; } - DBG1(DBG_IKE, "assigning virtual IP %H to peer", vip); + DBG1(DBG_IKE, "assigning virtual IP %H to peer '%Y'", vip, id); this->ike_sa->set_virtual_ip(this->ike_sa, FALSE, vip); cp = cp_payload_create_type(CFG_REPLY); @@ -342,7 +342,7 @@ static status_t build_r(private_ike_config_t *this, message_t *message) /* query registered providers for additional attributes to include */ enumerator = hydra->attributes->create_responder_enumerator( - hydra->attributes, id, vip); + hydra->attributes, config->get_pool(config), id, vip); while (enumerator->enumerate(enumerator, &type, &value)) { if (!cp) diff --git a/src/libcharon/sa/tasks/ike_init.c b/src/libcharon/sa/tasks/ike_init.c index 5eb33b540..38fb572f4 100644 --- a/src/libcharon/sa/tasks/ike_init.c +++ b/src/libcharon/sa/tasks/ike_init.c @@ -543,6 +543,7 @@ static void migrate(private_ike_init_t *this, ike_sa_t *ike_sa) chunk_free(&this->other_nonce); this->ike_sa = ike_sa; + this->keymat = ike_sa->get_keymat(ike_sa); this->proposal = NULL; DESTROY_IF(this->dh); this->dh = this->keymat->create_dh(this->keymat, this->dh_group); diff --git a/src/libcharon/sa/trap_manager.c b/src/libcharon/sa/trap_manager.c index 878170c83..80bf647cd 100644 --- a/src/libcharon/sa/trap_manager.c +++ b/src/libcharon/sa/trap_manager.c @@ -128,7 +128,7 @@ static u_int32_t install(private_trap_manager_t *this, peer_cfg_t *peer, ike_cfg = peer->get_ike_cfg(peer); other = host_create_from_dns(ike_cfg->get_other_addr(ike_cfg), 0, ike_cfg->get_other_port(ike_cfg)); - if (!other) + if (!other || other->is_anyaddr(other)) { DBG1(DBG_CFG, "installing trap failed, remote address unknown"); return 0; diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index f6d1f20a5..a84b272dc 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in 
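Review bot: In `install` (trap_manager.c, hunk `@@ -128,7 +128,7 @@`), the extended condition `!other || other->is_anyaddr(other)` now reaches `return 0;` with a valid `other` host object whenever the resolved address is the wildcard, and that object is never destroyed. The block should release it before returning: `DBG1(DBG_CFG, "installing trap failed, remote address unknown"); DESTROY_IF(other); return 0;`. The rest of `install` is outside the hunk.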
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libfast/request.c b/src/libfast/request.c index 6bf596fd8..16c1ae583 100644 --- a/src/libfast/request.c +++ b/src/libfast/request.c @@ -203,6 +203,14 @@ static char* get_query_data(private_request_t *this, char *name) return hdf_get_valuef(this->hdf, "Query.%s", name); } +/** + * Implementation of request_t.read_data. + */ +static int read_data(private_request_t *this, char *buf, int len) +{ + return FCGX_GetStr(buf, len, this->req.in); +} + /** * Implementation of request_t.get_base. */ @@ -407,6 +415,7 @@ request_t *request_create(int fd, bool debug) this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie; this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie; this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data; + this->public.read_data = (int(*)(request_t*, char*, int))read_data; this->public.session_closed = (bool(*)(request_t*))session_closed; this->public.close_session = (void(*)(request_t*))close_session; this->public.redirect = (void(*)(request_t*, char *fmt,...))redirect; diff --git a/src/libfast/request.h b/src/libfast/request.h index af0f8e4f5..9ca74a91e 100644 --- a/src/libfast/request.h +++ b/src/libfast/request.h @@ -85,6 +85,15 @@ struct request_t { */ char* (*get_query_data)(request_t *this, char *name); + /** + * Read raw POST/PUT data from HTTP request. + * + * @param buf buffer to read data into + * @param len size of the supplied buffer + * @return number of bytes read, < 0 on error + */ + int (*read_data)(request_t *this, char *buf, int len); + /** * Close the session and it's context after handling. */ diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index e752df82d..6d640d778 100644 --- a/src/libfreeswan/Makefile.in 
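Review bot: `read_data` in request.c returns `FCGX_GetStr(buf, len, this->req.in)` unchanged, while the new request.h documents `@return number of bytes read, < 0 on error`; as far as I recall FCGX_GetStr signals end of input or a stream error by returning fewer than `len` bytes rather than a negative value, so either the contract or the implementation should be adjusted (e.g. by consulting `FCGX_HasSeenEOF`/`FCGX_GetError` after a short read — please verify against fcgiapp.h). A caller that loops on `> 0` over an untrusted POST body would otherwise never observe the error case. A negative `len` is also passed straight through; a `len <= 0` guard returning 0 would be cheap.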
+++ b/src/libfreeswan/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libhydra/Makefile.am b/src/libhydra/Makefile.am index 601a56e38..4e5c55d3f 100644 --- a/src/libhydra/Makefile.am +++ b/src/libhydra/Makefile.am @@ -40,3 +40,10 @@ if MONOLITHIC endif endif +if USE_RESOLVE + SUBDIRS += plugins/resolve +if MONOLITHIC + libhydra_la_LIBADD += plugins/resolve/libstrongswan-resolve.la +endif +endif + diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in index 32027d1ea..a3aec26c9 100644 --- a/src/libhydra/Makefile.in +++ b/src/libhydra/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -38,6 +38,8 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_ATTR_TRUE@am__append_2 = plugins/attr/libstrongswan-attr.la @USE_ATTR_SQL_TRUE@am__append_3 = plugins/attr_sql @MONOLITHIC_TRUE@@USE_ATTR_SQL_TRUE@am__append_4 = plugins/attr_sql/libstrongswan-attr-sql.la +@USE_RESOLVE_TRUE@am__append_5 = plugins/resolve +@MONOLITHIC_TRUE@@USE_RESOLVE_TRUE@am__append_6 = plugins/resolve/libstrongswan-resolve.la subdir = src/libhydra DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -77,7 +79,8 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(libdir)" LTLIBRARIES = $(lib_LTLIBRARIES) -libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) +libhydra_la_DEPENDENCIES = $(am__append_2) $(am__append_4) \ + $(am__append_6) am_libhydra_la_OBJECTS = hydra.lo attributes.lo attribute_manager.lo \ mem_pool.lo libhydra_la_OBJECTS = $(am_libhydra_la_OBJECTS) 
@@ -110,7 +113,7 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/attr plugins/attr_sql +DIST_SUBDIRS = . plugins/attr plugins/attr_sql plugins/resolve DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -300,7 +303,7 @@ attributes/attribute_provider.h attributes/attribute_handler.h \ attributes/attribute_manager.c attributes/attribute_manager.h \ attributes/mem_pool.c attributes/mem_pool.h -libhydra_la_LIBADD = $(am__append_2) $(am__append_4) +libhydra_la_LIBADD = $(am__append_2) $(am__append_4) $(am__append_6) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = \ -DIPSEC_DIR=\"${ipsecdir}\" \ @@ -308,11 +311,13 @@ AM_CFLAGS = \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" EXTRA_DIST = Android.mk -@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) +@MONOLITHIC_FALSE@SUBDIRS = . $(am__append_1) $(am__append_3) \ +@MONOLITHIC_FALSE@ $(am__append_5) # build optional plugins ######################## -@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) +@MONOLITHIC_TRUE@SUBDIRS = $(am__append_1) $(am__append_3) \ +@MONOLITHIC_TRUE@ $(am__append_5) all: all-recursive .SUFFIXES: @@ -447,7 +452,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -472,7 +477,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/libhydra/attributes/attribute_manager.c b/src/libhydra/attributes/attribute_manager.c index 3080b56eb..0d4cbda82 100644 --- a/src/libhydra/attributes/attribute_manager.c +++ b/src/libhydra/attributes/attribute_manager.c 
@@ -51,6 +51,8 @@ struct private_attribute_manager_t { * Data to pass to enumerator filters */ typedef struct { + /** attribute group pool */ + char *pool; /** server/peer identity */ identification_t *id; /** requesting/assigned virtual IP */ @@ -123,17 +125,20 @@ static void release_address(private_attribute_manager_t *this, static enumerator_t *responder_enum_create(attribute_provider_t *provider, enum_data_t *data) { - return provider->create_attribute_enumerator(provider, data->id, data->vip); + return provider->create_attribute_enumerator(provider, data->pool, + data->id, data->vip); } /** * Implementation of attribute_manager_t.create_responder_enumerator */ static enumerator_t* create_responder_enumerator( - private_attribute_manager_t *this, identification_t *id, host_t *vip) + private_attribute_manager_t *this, char *pool, + identification_t *id, host_t *vip) { enum_data_t *data = malloc_thing(enum_data_t); + data->pool = pool; data->id = id; data->vip = vip; this->lock->read_lock(this->lock); @@ -355,7 +360,7 @@ attribute_manager_t *attribute_manager_create() this->public.acquire_address = (host_t*(*)(attribute_manager_t*, char*, identification_t*,host_t*))acquire_address; this->public.release_address = (void(*)(attribute_manager_t*, char *, host_t*, identification_t*))release_address; - this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, identification_t*, host_t*))create_responder_enumerator; + this->public.create_responder_enumerator = (enumerator_t*(*)(attribute_manager_t*, char *name, identification_t*, host_t*))create_responder_enumerator; this->public.add_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))add_provider; this->public.remove_provider = (void(*)(attribute_manager_t*, attribute_provider_t *provider))remove_provider; this->public.handle = (attribute_handler_t*(*)(attribute_manager_t*,identification_t*, attribute_handler_t*, configuration_attribute_type_t, chunk_t))handle; 
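Review bot: `create_responder_enumerator` stores the caller's `pool` pointer in `enum_data_t` without copying it, so the string must stay valid until the enumerator is destroyed; that holds for the `config->get_pool(config)` caller seen elsewhere in this diff, but the contract is not written down. I would document it on the new field: `/** attribute group pool (not cloned, must outlive the enumerator) */`. In the vtable cast the added parameter is spelled `char *name` while everywhere else it is `pool`; dropping the stray identifier keeps the cast consistent with the other entries.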
diff --git a/src/libhydra/attributes/attribute_manager.h b/src/libhydra/attributes/attribute_manager.h index 642662366..56afef7c6 100644 --- a/src/libhydra/attributes/attribute_manager.h +++ b/src/libhydra/attributes/attribute_manager.h @@ -61,12 +61,13 @@ struct attribute_manager_t { /** * Create an enumerator over attributes to hand out to a peer. * + * @param pool pool name to get attributes from * @param id peer identity to hand out attributes to * @param vip virtual IP to assign to peer, if any * @return enumerator (configuration_attribute_type_t, chunk_t) */ enumerator_t* (*create_responder_enumerator)(attribute_manager_t *this, - identification_t *id, host_t *vip); + char *pool, identification_t *id, host_t *vip); /** * Register an attribute provider to the manager. diff --git a/src/libhydra/attributes/attribute_provider.h b/src/libhydra/attributes/attribute_provider.h index f8485cc6c..e4b4e13f3 100644 --- a/src/libhydra/attributes/attribute_provider.h +++ b/src/libhydra/attributes/attribute_provider.h @@ -56,12 +56,13 @@ struct attribute_provider_t { /** * Create an enumerator over attributes to hand out to a peer. * + * @param pool pool name to get attributes from * @param id peer ID * @param vip virtual IP to assign to peer, if any * @return enumerator (configuration_attribute_type_t, chunk_t) */ enumerator_t* (*create_attribute_enumerator)(attribute_provider_t *this, - identification_t *id, host_t *vip); + char *pool, identification_t *id, host_t *vip); }; #endif /** ATTRIBUTE_PROVIDER_H_ @}*/ diff --git a/src/libhydra/attributes/attributes.c b/src/libhydra/attributes/attributes.c index 83feed17e..ea87109e2 100644 --- a/src/libhydra/attributes/attributes.c +++ b/src/libhydra/attributes/attributes.c 
@@ -36,8 +36,77 @@ ENUM_BEGIN(configuration_attribute_type_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP
 "MIP6_HOME_PREFIX",
 "INTERNAL_IP6_LINK",
 "INTERNAL_IP6_PREFIX");
-ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, INTERNAL_IP6_PREFIX,
+ENUM_NEXT(configuration_attribute_type_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL_IP6_PREFIX,
+ "XAUTH_TYPE",
+ "XAUTH_USER_NAME",
+ "XAUTH_USER_PASSWORD",
+ "XAUTH_PASSCODE",
+ "XAUTH_MESSAGE",
+ "XAUTH_CHALLENGE",
+ "XAUTH_DOMAIN",
+ "XAUTH_STATUS",
+ "XAUTH_NEXT_PIN",
+ "XAUTH_ANSWER");
+ENUM_NEXT(configuration_attribute_type_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER,
 "INTERNAL_IP4_SERVER",
 "INTERNAL_IP6_SERVER");
-ENUM_END(configuration_attribute_type_names, INTERNAL_IP6_SERVER);
+ENUM_NEXT(configuration_attribute_type_names, UNITY_BANNER, UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER,
+ "UNITY_BANNER",
+ "UNITY_SAVE_PASSWD",
+ "UNITY_DEF_DOMAIN",
+ "UNITY_SPLITDNS_NAME",
+ "UNITY_SPLIT_INCLUDE",
+ "UNITY_NATT_PORT",
+ "UNITY_LOCAL_LAN",
+ "UNITY_PFS",
+ "UNITY_FW_TYPE",
+ "UNITY_BACKUP_SERVERS",
+ "UNITY_DDNS_HOSTNAME");
+ENUM_END(configuration_attribute_type_names, UNITY_DDNS_HOSTNAME);
+ENUM_BEGIN(configuration_attribute_type_short_names, INTERNAL_IP4_ADDRESS, INTERNAL_IP6_PREFIX,
+ "ADDR",
+ "MASK",
+ "DNS",
+ "NBNS",
+ "EXP",
+ "DHCP",
+ "VER",
+ "ADDR6",
+ "MASK6",
+ "DNS6",
+ "NBNS6",
+ "DHCP6",
+ "SUBNET",
+ "SUPPORTED",
+ "SUBNET6",
+ "MIP6HPFX",
+ "LINK6",
+ "PFX6");
+ENUM_NEXT(configuration_attribute_type_short_names, XAUTH_TYPE, XAUTH_ANSWER, INTERNAL_IP6_PREFIX,
+ "XAUTH_TYPE",
+ "XAUTH_USER_NAME",
+ "XAUTH_USER_PASSWORD",
+ "XAUTH_PASSCODE",
+ "XAUTH_MESSAGE",
+ "XAUTH_CHALLENGE",
+ "XAUTH_DOMAIN",
+ "XAUTH_STATUS",
+ "XAUTH_NEXT_PIN",
+ "XAUTH_ANSWER");
+ENUM_NEXT(configuration_attribute_type_short_names, INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER, XAUTH_ANSWER,
+ "SRV",
+ "SRV6");
+ENUM_NEXT(configuration_attribute_type_short_names, UNITY_BANNER, 
UNITY_DDNS_HOSTNAME, INTERNAL_IP6_SERVER,
+ "UNITY_BANNER",
+ "UNITY_SAVE_PASSWD",
+ "UNITY_DEF_DOMAIN",
+ "UNITY_SPLITDNS_NAME",
+ "UNITY_SPLIT_INCLUDE",
+ "UNITY_NATT_PORT",
+ "UNITY_LOCAL_LAN",
+ "UNITY_PFS",
+ "UNITY_FW_TYPE",
+ "UNITY_BACKUP_SERVERS",
+ "UNITY_DDNS_HOSTNAME");
+ENUM_END(configuration_attribute_type_short_names, UNITY_DDNS_HOSTNAME);
diff --git a/src/libhydra/attributes/attributes.h b/src/libhydra/attributes/attributes.h
index f4a396f21..3a40ba367 100644
--- a/src/libhydra/attributes/attributes.h
+++ b/src/libhydra/attributes/attributes.h
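Review bot: The `configuration_attribute_type_short_names` entries for the XAUTH and UNITY ranges are byte-identical to the long names (`"XAUTH_TYPE"`, `"UNITY_BANNER"`, …), so the new table only abbreviates the 18 standard types plus the two Microsoft ones; either give those ranges genuinely short forms or put a comment above the `ENUM_BEGIN` saying that only the RFC-range attributes have abbreviations, so nobody later "fixes" the table in the other direction. The four `ENUM_NEXT` blocks also depend on the enumerator values in attributes.h being contiguous with exactly 10 and 11 members per block; a one-line comment on each block naming its value range (`/* 16520..16529 */`, `/* 28672..28682 */`) would make a future insertion less error-prone. The hunk is complete within the diff.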
@@ -30,27 +30,50 @@ typedef enum configuration_attribute_type_t configuration_attribute_type_t;
 * Type of the attribute, as in IKEv2 RFC 3.15.1 or IKEv1 ModeConfig.
 */
 enum configuration_attribute_type_t {
- INTERNAL_IP4_ADDRESS = 1,
- INTERNAL_IP4_NETMASK = 2,
- INTERNAL_IP4_DNS = 3,
- INTERNAL_IP4_NBNS = 4,
+ INTERNAL_IP4_ADDRESS = 1,
+ INTERNAL_IP4_NETMASK = 2,
+ INTERNAL_IP4_DNS = 3,
+ INTERNAL_IP4_NBNS = 4,
 INTERNAL_ADDRESS_EXPIRY = 5,
- INTERNAL_IP4_DHCP = 6,
- APPLICATION_VERSION = 7,
- INTERNAL_IP6_ADDRESS = 8,
- INTERNAL_IP6_NETMASK = 9,
- INTERNAL_IP6_DNS = 10,
- INTERNAL_IP6_NBNS = 11,
- INTERNAL_IP6_DHCP = 12,
- INTERNAL_IP4_SUBNET = 13,
- SUPPORTED_ATTRIBUTES = 14,
- INTERNAL_IP6_SUBNET = 15,
- MIP6_HOME_PREFIX = 16,
- INTERNAL_IP6_LINK = 17,
- INTERNAL_IP6_PREFIX = 18,
+ INTERNAL_IP4_DHCP = 6,
+ APPLICATION_VERSION = 7,
+ INTERNAL_IP6_ADDRESS = 8,
+ INTERNAL_IP6_NETMASK = 9,
+ INTERNAL_IP6_DNS = 10,
+ INTERNAL_IP6_NBNS = 11,
+ INTERNAL_IP6_DHCP = 12,
+ INTERNAL_IP4_SUBNET = 13,
+ SUPPORTED_ATTRIBUTES = 14,
+ INTERNAL_IP6_SUBNET = 15,
+ MIP6_HOME_PREFIX = 16,
+ INTERNAL_IP6_LINK = 17,
+ INTERNAL_IP6_PREFIX = 18,
+ /* XAUTH attributes */
+ XAUTH_TYPE = 16520,
+ XAUTH_USER_NAME = 16521,
+ XAUTH_USER_PASSWORD = 16522,
+ XAUTH_PASSCODE = 16523,
+ XAUTH_MESSAGE = 16524,
+ XAUTH_CHALLENGE = 16525,
+ XAUTH_DOMAIN = 16526,
+ XAUTH_STATUS = 16527,
+ XAUTH_NEXT_PIN = 16528,
+ XAUTH_ANSWER = 16529,
 /* proprietary Microsoft attributes */
- INTERNAL_IP4_SERVER = 23456,
- INTERNAL_IP6_SERVER = 23457
+ INTERNAL_IP4_SERVER = 23456,
+ INTERNAL_IP6_SERVER = 23457,
+ /* proprietary Cisco Unity attributes */
+ UNITY_BANNER = 28672,
+ UNITY_SAVE_PASSWD = 28673,
+ UNITY_DEF_DOMAIN = 28674,
+ UNITY_SPLITDNS_NAME = 28675,
+ UNITY_SPLIT_INCLUDE = 28676,
+ UNITY_NATT_PORT = 28677,
+ UNITY_LOCAL_LAN = 28678,
+ UNITY_PFS = 28679,
+ UNITY_FW_TYPE = 28680,
+ UNITY_BACKUP_SERVERS = 28681,
+ UNITY_DDNS_HOSTNAME = 28682
 };
 /**
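Review bot: The new `/* XAUTH attributes */` and `/* proprietary Cisco Unity attributes */` comments don't say that these numbers are not IANA-assigned; as far as I know both ranges sit in the private-use part of the ISAKMP configuration attribute space and come from expired drafts, so another implementation is free to use the same values for something else and code that receives them must not trust the meaning on the number alone. Suggest `/* XAUTH attributes (expired IETF draft, private-use attribute range) */` and `/* proprietary Cisco Unity attributes (private-use attribute range) */`. Separately, 18 existing enumerators are re-emitted only to change their alignment, which burdens review and `git blame` for no functional reason; keeping the old spacing or doing the realignment in a whitespace-only commit would leave only the real additions in this hunk.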
@@ -58,5 +81,10 @@ enum configuration_attribute_type_t {
 */
 extern enum_name_t *configuration_attribute_type_names;
+/**
+ * Short enum names for configuration_attribute_type_t.
+ */
+extern enum_name_t *configuration_attribute_type_short_names;
+
 #endif /** ATTRIBUTES_H_ @}*/
diff --git a/src/libhydra/attributes/mem_pool.c b/src/libhydra/attributes/mem_pool.c
index 65018e3a9..e1d69fd6b 100644
--- a/src/libhydra/attributes/mem_pool.c
+++ b/src/libhydra/attributes/mem_pool.c
@@ -225,9 +225,18 @@ METHOD(mem_pool_t, acquire_address, host_t*,
 /* check for a valid online lease, reassign */
 offset = (uintptr_t)this->online->get(this->online, id);
- if (offset && offset == host2offset(this, requested))
+ if (offset)
 {
- DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+ if (offset == host2offset(this, requested))
+ {
+ DBG1(DBG_CFG, "reassigning online lease to '%Y'", id);
+ }
+ else
+ {
+ DBG1(DBG_CFG, "'%Y' already has an online lease, "
+ "unable to assign address", id);
+ offset = 0;
+ }
 break;
 }
diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in
index 54aa64beb..71402fc7f 100644
--- a/src/libhydra/plugins/attr/Makefile.in
+++ b/src/libhydra/plugins/attr/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libhydra/plugins/attr/attr_provider.c b/src/libhydra/plugins/attr/attr_provider.c
index 9d6daa892..b3c0cc076 100644
--- a/src/libhydra/plugins/attr/attr_provider.c
+++ b/src/libhydra/plugins/attr/attr_provider.c
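Review bot: The new `else` branch in `acquire_address` (mem_pool.c hunk) refuses a second address to an identity that already holds an online lease, but its log line does not say which address was asked for, so an operator cannot tell from `'%Y' already has an online lease, unable to assign address` whether the peer deliberately requested a different one; suggest `DBG1(DBG_CFG, "'%Y' already has an online lease, unable to assign %H", id, requested);`, `requested` being the `host_t` already handed to `host2offset()` two lines above (guard it if NULL can reach this point). The old condition let a mismatching request fall through past this block, which as far as the visible lines show could have let one identity accumulate several online leases; `offset = 0;` before the `break` is what now turns that into a failure, and a comment on that line, `/* refuse: one online lease per identity */`, would make the intent explicit because the `break` target is outside the hunk. `acquire_address` starts and ends outside the hunk.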
@@ -65,7 +65,7 @@ static bool attr_enum_filter(void *null, attribute_entry_t **in,
 * Implementation of attribute_provider_t.create_attribute_enumerator
 */
 static enumerator_t* create_attribute_enumerator(private_attr_provider_t *this,
- identification_t *id, host_t *vip)
+ char *pool, identification_t *id, host_t *vip)
 {
 if (vip)
 {
@@ -148,6 +148,7 @@ static struct {
 {"dhcp", INTERNAL_IP4_DHCP, INTERNAL_IP6_DHCP},
 {"netmask", INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK},
 {"server", INTERNAL_IP4_SERVER, INTERNAL_IP6_SERVER},
+ {"subnet", INTERNAL_IP4_SUBNET, INTERNAL_IP6_SUBNET},
 };
 /**
@@ -165,12 +166,19 @@ static void load_entries(private_attr_provider_t *this)
 configuration_attribute_type_t type;
 attribute_entry_t *entry;
 host_t *host;
- int i;
+ char *pos;
+ int i, mask = -1;
 type = atoi(key);
 tokens = enumerator_create_token(value, ",", " ");
 while (tokens->enumerate(tokens, &token))
 {
+ pos = strchr(token, '/');
+ if (pos)
+ {
+ *(pos++) = '\0';
+ mask = atoi(pos);
+ }
 host = host_create_from_string(token, 0);
 if (!host)
 {
@@ -201,7 +209,27 @@ static void load_entries(private_attr_provider_t *this)
 }
 entry = malloc_thing(attribute_entry_t);
 entry->type = type;
- entry->value = chunk_clone(host->get_address(host));
+ if (mask == -1)
+ {
+ entry->value = chunk_clone(host->get_address(host));
+ }
+ else
+ {
+ if (host->get_family(host) == AF_INET)
+ { /* IPv4 attributes contain a subnet mask */
+ u_int32_t netmask;
+
+ mask = 32 - mask;
+ netmask = htonl((0xFFFFFFFF >> mask) << mask);
+ entry->value = chunk_cat("cc", host->get_address(host),
+ chunk_from_thing(netmask));
+ }
+ else
+ { /* IPv6 addresses the prefix only */
+ entry->value = chunk_cat("cc", host->get_address(host),
+ chunk_from_chars(mask));
+ }
+ }
 host->destroy(host);
 this->attributes->insert_last(this->attributes, entry);
 }
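Review bot: `mask` is set to -1 only at its declaration in the third hunk and never reset inside `while (tokens->enumerate(...))`, so in a value such as `10.1.0.0/16, 10.2.0.1` the second, bare address silently inherits the first token's prefix length; the reset belongs at the top of the loop body. The prefix is also read with `atoi()` and never range-checked, and the IPv4 branch in the fourth hunk does `mask = 32 - mask; netmask = htonl((0xFFFFFFFF >> mask) << mask);`, which shifts a 32-bit value by 32 for `/0` and by a negative count for anything above 32 (undefined behaviour), while the IPv6 branch stores whatever came back via `chunk_from_chars(mask)` without checking 0..128; since the string comes from a database row rather than the wire, a bad row should be logged and skipped, as in the rewrite below. In the first hunk the new `char *pool` parameter of `create_attribute_enumerator` is not referenced in the visible part of the body, so if this provider intentionally serves every pool, say so in a comment. `load_entries` starts and ends outside these hunks.
```c
	while (tokens->enumerate(tokens, &token))
	{
		/* reset per token: a bare address must not inherit the previous prefix */
		mask = -1;
		pos = strchr(token, '/');
		if (pos)
		{
			char *end;
			long prefix;

			*(pos++) = '\0';
			prefix = strtol(pos, &end, 10);
			if (*end != '\0' || prefix < 0 || prefix > 128)
			{
				DBG1(DBG_CFG, "ignoring attribute value '%s/%s': invalid prefix length",
					 token, pos);
				continue;
			}
			mask = (int)prefix;
		}
		/* … unchanged: host_create_from_string(), type/family lookup, entry allocation … */
		if (mask == -1)
		{
			entry->value = chunk_clone(host->get_address(host));
		}
		else if (host->get_family(host) == AF_INET)
		{	/* IPv4 attributes contain a subnet mask */
			u_int32_t netmask;

			if (mask > 32)
			{
				DBG1(DBG_CFG, "ignoring attribute value '%s/%d': IPv4 prefix too long",
					 token, mask);
				free(entry);
				host->destroy(host);
				continue;
			}
			/* a /0 prefix would shift by the full width (undefined), special-case it */
			netmask = mask ? htonl((u_int32_t)0xFFFFFFFF << (32 - mask)) : 0;
			entry->value = chunk_cat("cc", host->get_address(host),
									 chunk_from_thing(netmask));
		}
		else
		{	/* IPv6 addresses the prefix only, already checked to be 0..128 */
			entry->value = chunk_cat("cc", host->get_address(host),
									 chunk_from_chars(mask));
		}
		host->destroy(host);
		this->attributes->insert_last(this->attributes, entry);
	}
```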
@@ -222,7 +250,7 @@ attr_provider_t *attr_provider_create(database_t *db)
 this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))return_null;
 this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))return_false;
- this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *vip))create_attribute_enumerator;
+ this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *vip))create_attribute_enumerator;
 this->public.destroy = (void(*)(attr_provider_t*))destroy;
 this->attributes = linked_list_create();
diff --git a/src/libhydra/plugins/attr_sql/Makefile.am b/src/libhydra/plugins/attr_sql/Makefile.am
index 376a8259c..a3dac863f 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.am
+++ b/src/libhydra/plugins/attr_sql/Makefile.am
@@ -18,6 +18,8 @@ libstrongswan_attr_sql_la_SOURCES = \
 libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version
 ipsec_PROGRAMS = pool
-pool_SOURCES = pool.c
-pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la
+pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \
+ pool_usage.h pool_usage.c
+pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \
+ $(top_builddir)/src/libhydra/libhydra.la
 pool.o : $(top_builddir)/config.status
diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in
index 99e97cefc..edf51059b 100644
--- a/src/libhydra/plugins/attr_sql/Makefile.in
+++ b/src/libhydra/plugins/attr_sql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
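Review bot: The cast in the attr_provider.c hunk names the new argument `char *names` (plural), while the function it points to was declared with `char *pool` earlier in this file and both headers say `pool`; a mismatched name inside a cast is harmless to the compiler but misleads a reader looking for the pool parameter, so write `char *pool` here or leave the cast's parameters unnamed as `acquire_address` and `release_address` on the two lines above do. The Makefile.am and Makefile.in hunks are build-list changes and need no comment.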
@@ -88,10 +88,12 @@ libstrongswan_attr_sql_la_LINK = $(LIBTOOL) --tag=CC \ @MONOLITHIC_FALSE@ $(plugindir) @MONOLITHIC_TRUE@am_libstrongswan_attr_sql_la_rpath = PROGRAMS = $(ipsec_PROGRAMS) -am_pool_OBJECTS = pool.$(OBJEXT) +am_pool_OBJECTS = pool.$(OBJEXT) pool_attributes.$(OBJEXT) \ + pool_usage.$(OBJEXT) pool_OBJECTS = $(am_pool_OBJECTS) pool_DEPENDENCIES = \ - $(top_builddir)/src/libstrongswan/libstrongswan.la + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles @@ -277,8 +279,12 @@ libstrongswan_attr_sql_la_SOURCES = \ sql_attribute.h sql_attribute.c libstrongswan_attr_sql_la_LDFLAGS = -module -avoid-version -pool_SOURCES = pool.c -pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +pool_SOURCES = pool.c pool_attributes.c pool_attributes.h \ + pool_usage.h pool_usage.c + +pool_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la + all: all-am .SUFFIXES: @@ -410,6 +416,8 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/attr_sql_plugin.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool_attributes.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pool_usage.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sql_attribute.Plo@am__quote@ .c.o: diff --git a/src/libhydra/plugins/attr_sql/pool.c b/src/libhydra/plugins/attr_sql/pool.c index fed89fc51..b4bdfc629 100644 --- a/src/libhydra/plugins/attr_sql/pool.c +++ b/src/libhydra/plugins/attr_sql/pool.c 
@@ -27,15 +27,18 @@
 #include
 #include
+#include "pool_attributes.h"
+#include "pool_usage.h"
+
 /**
 * global database handle
 */
 database_t *db;
 /**
- * --start/--end/--server addresses of various subcommands
+ * --start/--end addresses of various subcommands
 */
-host_t *start = NULL, *end = NULL, *server = NULL;
+host_t *start = NULL, *end = NULL;
 /**
 * whether --add should --replace an existing pool
@@ -125,23 +128,6 @@ static bool is_attribute(char *name)
 strcaseeq(name, "wins");
 }
-/**
- * determine configuration attribute type
- */
-static configuration_attribute_type_t get_attribute_type(char *name, host_t* addr)
-{
- if (strcaseeq(name, "dns"))
- {
- return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_DNS :
- INTERNAL_IP6_DNS;
- }
- else
- {
- return (addr->get_family(addr) == AF_INET) ? INTERNAL_IP4_NBNS :
- INTERNAL_IP6_NBNS;
- }
-}
 /**
 * calculate the size of a pool using start and end address chunk
 */
@@ -158,85 +144,6 @@ static u_int get_pool_size(chunk_t start, chunk_t end) return ntohl(*end_ptr) - ntohl(*start_ptr) + 1; } -/** - * print usage info - */ -static void usage(void) -{ - printf("\ -Usage:\n\ - ipsec pool --status|--add|--replace|--del|--resize|--purge [options]\n\ - \n\ - ipsec pool --status\n\ - Show a list of installed pools with statistics.\n\ - \n\ - ipsec pool --add --start --end [--timeout ]\n\ - ipsec pool --replace --start --end [--timeout ]\n\ - Add a new pool to or replace an existing pool in the database.\n\ - name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ - start: Start address of the pool\n\ - end: End address of the pool\n\ - timeout: Lease time in hours, 0 for static leases\n\ - \n\ - ipsec pool --add --addresses [--timeout ]\n\ - ipsec pool --replace --addresses [--timeout ]\n\ - Add a new pool to or replace an existing pool in the database.\n\ - name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ - file: File newline separated addresses for the pool are read from.\n\ - Optionally each address can be pre-assigned to a roadwarrior\n\ - identity, e.g. 10.231.14.2=alice@strongswan.org.\n\ - If a - (hyphen) is given instead of a file name, the addresses\n\ - are read from STDIN. Reading addresses stops at the end of file\n\ - or an empty line. 
Pools created with this command can not be\n\ - resized.\n\ - timeout: Lease time in hours, 0 for static leases\n\ - \n\ - ipsec pool --add dns|nbns|wins --server \n\ - Add a new DNS or NBNS server to the database.\n\ - server: IP address of the name server\n\ - \n\ - ipsec pool --del \n\ - Delete a pool from the database.\n\ - name: Name of the pool to delete\n\ - \n\ - ipsec pool --del dns|nbns|wins [--server ]\n\ - Delete a specific or all DNS or NBNS servers from the database.\n\ - server: IP address of the name server to delete\n\ - \n\ - ipsec pool --resize --end \n\ - Grow or shrink an existing pool.\n\ - name: Name of the pool to resize\n\ - end: New end address for the pool\n\ - \n\ - ipsec pool --leases [--filter ] [--utc]\n\ - Show lease information using filters:\n\ - filter: Filter string containing comma separated key=value filters,\n\ - e.g. id=alice@strongswan.org,addr=1.1.1.1\n\ - pool: name of the pool\n\ - id: assigned identity of the lease\n\ - addr: lease IP address\n\ - tstamp: UNIX timestamp when lease was valid, as integer\n\ - status: status of the lease: online|valid|expired\n\ - utc: Show times in UTC instead of local time\n\ - \n\ - ipsec pool --purge \n\ - Delete lease history of a pool:\n\ - name: Name of the pool to purge\n\ - \n\ - ipsec pool --batch \n\ - Read commands from a file and execute them atomically.\n\ - file: File to read the newline separated commands from. Commands\n\ - appear as they are written on the command line, e.g.\n\ - --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\ - --del dns\n\ - --add dns --server 10.1.0.1\n\ - --add dns --server 10.1.1.1\n\ - If a - (hyphen) is given as a file name, the commands are read\n\ - from STDIN. Readin commands stops at the end of file. Empty\n\ - lines are ignored. The file may not contain a --batch command.\n\ - \n"); -} - /** * ipsec pool --status - show pool overview */ 
@@ -483,29 +390,14 @@ static bool add_address(u_int pool_id, char *address_str, int *family)
 char *pos_eq = strchr(address_str, '=');
 if (pos_eq != NULL)
 {
- enumerator_t *e;
 identification_t *id = identification_create_from_string(pos_eq + 1);
+ user_id = get_identity(id);
+ id->destroy(id);
- /* look for peer identity in the identities table */
- e = db->query(db,
- "SELECT id FROM identities WHERE type = ? AND data = ?",
- DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id),
- DB_UINT);
-
- if (!e || !e->enumerate(e, &user_id))
+ if (user_id == 0)
 {
- /* not found, insert new one */
- if (db->execute(db, &user_id,
- "INSERT INTO identities (type, data) VALUES (?, ?)",
- DB_INT, id->get_type(id),
- DB_BLOB, id->get_encoding(id)) != 1)
- {
- fprintf(stderr, "creating id '%s' failed.\n", pos_eq + 1);
- return FALSE;
- }
+ return FALSE;
 }
- DESTROY_IF(e);
- id->destroy(id);
 *pos_eq = '\0';
 }
@@ -592,26 +484,6 @@ static void add_addresses(char *pool, char *path, int timeout)
 printf("%d addresses done.\n", count);
 }
-/**
- * ipsec pool --add dns|nbns|wins - add a DNS or NBNS server entry
- */
-static void add_attr(char *name, host_t *server)
-{
- configuration_attribute_type_t type;
- chunk_t value;
-
- type = get_attribute_type(name, server);
- value = server->get_address(server);
- if (db->execute(db, NULL,
- "INSERT INTO attributes (type, value) VALUES (?, ?)",
- DB_INT, type, DB_BLOB, value) != 1)
- {
- fprintf(stderr, "adding %s server %H failed.\n", name, server);
- exit(EXIT_FAILURE);
- }
- printf("added %s server %H\n", name, server);
-}
 /**
 * ipsec pool --del - delete a pool
 */
@@ -652,88 +524,6 @@ static void del(char *name) } } -/** - * ipsec pool --del dns|nbns|wins - delete a DNS or NBNS server entry - */ -static void del_attr(char *name, host_t *server) -{ - configuration_attribute_type_t type; - chunk_t value; - u_int id; - enumerator_t *query; - bool found = FALSE; - - if (server) - { - type = get_attribute_type(name, server); - value = server->get_address(server); - query = db->query(db, - "SELECT id, type, value FROM attributes " - "WHERE type = ? AND value = ?", - DB_INT, type, DB_BLOB, value, - DB_UINT, DB_INT, DB_BLOB); - } - else - { - configuration_attribute_type_t type_ip4, type_ip6; - - if (strcaseeq(name, "dns")) - { - type_ip4 = INTERNAL_IP4_DNS; - type_ip6 = INTERNAL_IP6_DNS; - } - else - { - type_ip4 = INTERNAL_IP4_NBNS; - type_ip6 = INTERNAL_IP6_NBNS; - } - - query = db->query(db, - "SELECT id, type, value FROM attributes " - "WHERE type = ? OR type = ?", - DB_INT, type_ip4, DB_INT, type_ip6, - DB_UINT, DB_INT, DB_BLOB); - } - if (!query) - { - fprintf(stderr, "deleting %s servers failed.\n", name); - exit(EXIT_FAILURE); - } - - while (query->enumerate(query, &id, &type, &value)) - { - int family; - host_t *host; - - found = TRUE; - family = (type == INTERNAL_IP4_DNS || type == INTERNAL_IP4_NBNS) ? - AF_INET : AF_INET6; - host = host_create_from_chunk(family, value, 0); - if (db->execute(db, NULL, - "DELETE FROM attributes WHERE id = ?", - DB_UINT, id) != 1) - { - fprintf(stderr, "deleting %s server %H failed\n", name, host); - query->destroy(query); - DESTROY_IF(host); - exit(EXIT_FAILURE); - } - printf("deleted %s server %H\n", name, host); - DESTROY_IF(host); - } - query->destroy(query); - - if (!found && server) - { - printf("%s server %H not found\n", name, server); - exit(EXIT_FAILURE); - } - else if (!found) - { - printf("no %s servers found\n", name); - } -} - /** * ipsec pool --resize - resize a pool */ 
@@ -1134,22 +924,26 @@ static void cleanup(void)
 db->destroy(db);
 DESTROY_IF(start);
 DESTROY_IF(end);
- DESTROY_IF(server);
 }
 static void do_args(int argc, char *argv[])
 {
- char *name = "", *filter = "", *addresses = NULL;
+ char *name = "", *value = "", *filter = "";
+ char *pool = NULL, *identity = NULL, *addresses = NULL;
+ value_type_t value_type = VALUE_NONE;
 int timeout = 0;
- bool utc = FALSE;
+ bool utc = FALSE, hexout = FALSE;
+
 enum {
 OP_UNDEF,
 OP_USAGE,
 OP_STATUS,
+ OP_STATUS_ATTR,
 OP_ADD,
 OP_ADD_ATTR,
 OP_DEL,
 OP_DEL_ATTR,
+ OP_SHOW_ATTR,
 OP_RESIZE,
 OP_LEASES,
 OP_PURGE,
@@ -1174,14 +968,26 @@ static void do_args(int argc, char *argv[])
 { "resize", required_argument, NULL, 'r' },
 { "leases", no_argument, NULL, 'l' },
 { "purge", required_argument, NULL, 'p' },
+ { "statusattr", no_argument, NULL, '1' },
+ { "addattr", required_argument, NULL, '2' },
+ { "delattr", required_argument, NULL, '3' },
+ { "showattr", no_argument, NULL, '4' },
 { "batch", required_argument, NULL, 'b' },
 { "start", required_argument, NULL, 's' },
 { "end", required_argument, NULL, 'e' },
- { "addresses", required_argument, NULL, 'x' },
+ { "addresses", required_argument, NULL, 'y' },
 { "timeout", required_argument, NULL, 't' },
 { "filter", required_argument, NULL, 'f' },
+ { "addr", required_argument, NULL, 'v' },
+ { "mask", required_argument, NULL, 'v' },
 { "server", required_argument, NULL, 'v' },
+ { "subnet", required_argument, NULL, 'n' },
+ { "string", required_argument, NULL, 'g' },
+ { "hex", required_argument, NULL, 'x' },
+ { "hexout", no_argument, NULL, '5' },
+ { "pool", required_argument, NULL, '6' },
+ { "identity", required_argument, NULL, '7' },
 { 0,0,0,0 }
 };
@@ -1196,6 +1002,8 @@ static void do_args(int argc, char *argv[])
 case 'w':
 operation = OP_STATUS;
 break;
+ case '1':
+ operation = OP_STATUS_ATTR;
 case 'u':
 utc = TRUE;
 continue;
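Review bot: The new `case '1':` in the last hunk sets `operation = OP_STATUS_ATTR;` and then falls straight into `case 'u':`, which sets `utc = TRUE` — every other case in this switch ends in `continue;` (`'w'` in `break;`), so `--statusattr` also switches on UTC display as a side effect. Add `continue;` after the assignment, or `break;` if it should behave exactly like `'w'`; I cannot see what follows the switch, so the two may not be equivalent. It would also help to note in the option table that the `'1'`–`'7'` values are internal dispatch codes rather than real short options, since any character listed in the `getopt_long` option string becomes a usable `-1`-style flag; the option string is outside the hunk. `do_args` continues past the hunk.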
@@ -1207,15 +1015,27 @@ static void do_args(int argc, char *argv[])
 operation = is_attribute(name) ? OP_ADD_ATTR : OP_ADD;
 if (replace_pool && operation == OP_ADD_ATTR)
 {
- fprintf(stderr, "invalid pool name: '%s'.\n", optarg);
+ fprintf(stderr, "invalid pool name: "
+ "reserved for '%s' attribute.\n", optarg);
 usage();
 exit(EXIT_FAILURE);
 }
 continue;
+ case '2':
+ name = optarg;
+ operation = OP_ADD_ATTR;
+ continue;
 case 'd':
 name = optarg;
 operation = is_attribute(name) ? OP_DEL_ATTR : OP_DEL;
 continue;
+ case '3':
+ name = optarg;
+ operation = OP_DEL_ATTR;
+ continue;
+ case '4':
+ operation = OP_SHOW_ATTR;
+ continue;
 case 'r':
 name = optarg;
 operation = OP_RESIZE;
@@ -1268,18 +1088,33 @@ static void do_args(int argc, char *argv[])
 case 'f':
 filter = optarg;
 continue;
- case 'x':
+ case 'y':
 addresses = optarg;
 continue;
+ case 'g':
+ value_type = VALUE_STRING;
+ value = optarg;
+ continue;
+ case 'n':
+ value_type = VALUE_SUBNET;
+ value = optarg;
+ continue;
 case 'v':
- DESTROY_IF(server);
- server = host_create_from_string(optarg, 0);
- if (server == NULL)
- {
- fprintf(stderr, "invalid server address: '%s'.\n", optarg);
- usage();
- exit(EXIT_FAILURE);
- }
+ value_type = VALUE_ADDR;
+ value = optarg;
+ continue;
+ case 'x':
+ value_type = VALUE_HEX;
+ value = optarg;
+ continue;
+ case '5':
+ hexout = TRUE;
+ continue;
+ case '6':
+ pool = optarg;
+ continue;
+ case '7':
+ identity = optarg;
 continue;
 default:
 usage();
@@ -1297,6 +1132,9 @@ static void do_args(int argc, char *argv[])
 case OP_STATUS:
 status();
 break;
+ case OP_STATUS_ATTR:
+ status_attr(hexout);
+ break;
 case OP_ADD:
 if (addresses != NULL)
 {
@@ -1314,19 +1152,34 @@ static void do_args(int argc, char *argv[])
 }
 break;
 case OP_ADD_ATTR:
- if (server == NULL)
+ if (value_type == VALUE_NONE)
 {
 fprintf(stderr, "missing arguments.\n");
 usage();
 exit(EXIT_FAILURE);
 }
- add_attr(name, server);
+ if (identity && !pool)
+ {
+ fprintf(stderr, "--identity option can't be used without --pool.\n");
+ usage();
+ exit(EXIT_FAILURE);
+ }
+ add_attr(name, pool, identity, value, value_type);
 break;
 case OP_DEL:
 del(name);
 break;
 case OP_DEL_ATTR:
- del_attr(name, server);
+ if (identity && !pool)
+ {
+ fprintf(stderr, "--identity option can't be used without --pool.\n");
+ usage();
+ exit(EXIT_FAILURE);
+ }
+ del_attr(name, pool, identity, value, value_type);
+ break;
+ case OP_SHOW_ATTR:
+ show_attr();
 break;
 case OP_RESIZE:
 if (end == NULL)
diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.c b/src/libhydra/plugins/attr_sql/pool_attributes.c
new file mode 100644
index 000000000..5f7afdfcd
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_attributes.c
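Review bot: The `identity && !pool` guard is duplicated verbatim in `OP_ADD_ATTR` and `OP_DEL_ATTR`; since `identity` is only handed to `add_attr`/`del_attr` in the visible hunks, one copy hoisted above the `switch (operation)` would do. More importantly, `add_attr` in the new pool_attributes.c repeats the `value_type == VALUE_NONE` check but only calls `usage()` without exiting and then proceeds to `parse_attributes()` and the `INSERT INTO attributes`, so the `exit(EXIT_FAILURE)` in this hunk is currently the only thing stopping an attribute row with an empty value from being written; either drop that duplicate in `add_attr` or give it the same `exit(EXIT_FAILURE);` so the two callers can't drift apart. `do_args` continues past the hunk.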
@@ -0,0 +1,715 @@ +/* + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include + +#include +#include + +#include "pool_attributes.h" +#include "pool_usage.h" + +/** + * global database handle + */ +extern database_t *db; + +#define UNITY_NETWORK_LEN 14 + +ENUM(value_type_names, VALUE_HEX, VALUE_SUBNET, + "hex", + "string", + "addr", + "subnet" +); + +typedef struct attr_info_t attr_info_t; + +struct attr_info_t { + char* keyword; + value_type_t value_type; + configuration_attribute_type_t type; + configuration_attribute_type_t type_ip6; +}; + +static const attr_info_t attr_info[] = { + { "internal_ip4_netmask", VALUE_ADDR, INTERNAL_IP4_NETMASK, 0 }, + { "internal_ip6_netmask", VALUE_ADDR, INTERNAL_IP6_NETMASK, 0 }, + { "netmask", VALUE_ADDR, INTERNAL_IP4_NETMASK, + INTERNAL_IP6_NETMASK }, + { "internal_ip4_dns", VALUE_ADDR, INTERNAL_IP4_DNS, 0 }, + { "internal_ip6_dns", VALUE_ADDR, INTERNAL_IP6_DNS, 0 }, + { "dns", VALUE_ADDR, INTERNAL_IP4_DNS, + INTERNAL_IP6_DNS }, + { "internal_ip4_nbns", VALUE_ADDR, INTERNAL_IP4_NBNS, 0 }, + { "internal_ip6_nbns", VALUE_ADDR, INTERNAL_IP6_NBNS, 0 }, + { "nbns", VALUE_ADDR, INTERNAL_IP4_NBNS, + INTERNAL_IP6_NBNS }, + { "wins", VALUE_ADDR, INTERNAL_IP4_NBNS, + INTERNAL_IP6_NBNS }, + { "internal_ip4_dhcp", VALUE_ADDR, INTERNAL_IP4_DHCP, 0 }, + { "internal_ip6_dhcp", VALUE_ADDR, INTERNAL_IP6_DHCP, 0 }, + { "dhcp", VALUE_ADDR, INTERNAL_IP4_DHCP, + 
INTERNAL_IP6_DHCP }, + { "internal_ip4_server", VALUE_ADDR, INTERNAL_IP4_SERVER, 0 }, + { "internal_ip6_server", VALUE_ADDR, INTERNAL_IP6_SERVER, 0 }, + { "server", VALUE_ADDR, INTERNAL_IP4_SERVER, + INTERNAL_IP6_SERVER }, + { "application_version", VALUE_STRING, APPLICATION_VERSION, 0 }, + { "version", VALUE_STRING, APPLICATION_VERSION, 0 }, + { "unity_banner", VALUE_STRING, UNITY_BANNER, 0 }, + { "banner", VALUE_STRING, UNITY_BANNER, 0 }, + { "unity_def_domain", VALUE_STRING, UNITY_DEF_DOMAIN, 0 }, + { "unity_splitdns_name", VALUE_STRING, UNITY_SPLITDNS_NAME, 0 }, + { "unity_split_include", VALUE_SUBNET, UNITY_SPLIT_INCLUDE, 0 }, + { "unity_local_lan", VALUE_SUBNET, UNITY_LOCAL_LAN, 0 }, +}; + +/** + * Determine the type of the attribute and its value + */ +static bool parse_attributes(char *name, char *value, value_type_t *value_type, + configuration_attribute_type_t *type, + configuration_attribute_type_t *type_ip6, + chunk_t *blob) +{ + host_t *addr = NULL, *mask = NULL; + chunk_t addr_chunk, mask_chunk, blob_next; + char *text = "", *pos_addr, *pos_mask, *pos_next, *endptr; + int i; + + switch (*value_type) + { + case VALUE_STRING: + *blob = chunk_create(value, strlen(value)); + *blob = chunk_clone(*blob); + break; + case VALUE_HEX: + *blob = chunk_from_hex(chunk_create(value, strlen(value)), NULL); + break; + case VALUE_ADDR: + addr = host_create_from_string(value, 0); + if (addr == NULL) + { + fprintf(stderr, "invalid IP address: '%s'.\n", value); + return FALSE; + } + addr_chunk = addr->get_address(addr); + *blob = chunk_clone(addr_chunk); + break; + case VALUE_SUBNET: + *blob = chunk_empty; + pos_next = value; + + do + { + pos_addr = pos_next; + pos_next = strchr(pos_next, ','); + if (pos_next) + { + *pos_next = '\0'; + pos_next += 1; + } + pos_mask = strchr(pos_addr, '/'); + if (pos_mask == NULL) + { + fprintf(stderr, "invalid IPv4 subnet: '%s'.\n", pos_addr); + free(blob->ptr); + return FALSE; + } + *pos_mask = '\0'; + pos_mask += 1; + addr = 
host_create_from_string(pos_addr, 0); + mask = host_create_from_string(pos_mask, 0); + if (addr == NULL || addr->get_family(addr) != AF_INET || + mask == NULL || mask->get_family(addr) != AF_INET) + { + fprintf(stderr, "invalid IPv4 subnet: '%s/%s'.\n", + pos_addr, pos_mask); + DESTROY_IF(addr); + DESTROY_IF(mask); + free(blob->ptr); + return FALSE; + } + addr_chunk = addr->get_address(addr); + mask_chunk = mask->get_address(mask); + blob_next = chunk_alloc(blob->len + UNITY_NETWORK_LEN); + memcpy(blob_next.ptr, blob->ptr, blob->len); + pos_addr = blob_next.ptr + blob->len; + memset(pos_addr, 0x00, UNITY_NETWORK_LEN); + memcpy(pos_addr, addr_chunk.ptr, 4); + memcpy(pos_addr + 4, mask_chunk.ptr, 4); + addr->destroy(addr); + mask->destroy(mask); + chunk_free(blob); + *blob = blob_next; + } + while (pos_next); + break; + case VALUE_NONE: + *blob = chunk_empty; + break; + } + + /* init the attribute type */ + *type = 0; + *type_ip6 = 0; + + for (i = 0; i < countof(attr_info); i++) + { + if (strcaseeq(name, attr_info[i].keyword)) + { + *type = attr_info[i].type; + *type_ip6 = attr_info[i].type_ip6; + + if (*value_type == VALUE_NONE) + { + *value_type = attr_info[i].value_type; + return TRUE; + } + + if (*value_type != attr_info[i].value_type && + *value_type != VALUE_HEX) + { + switch (attr_info[i].value_type) + { + case VALUE_STRING: + text = "a string"; + break; + case VALUE_HEX: + text = "a hex"; + break; + case VALUE_ADDR: + text = "an IP address"; + break; + case VALUE_SUBNET: + text = "a subnet"; + break; + case VALUE_NONE: + text = "no"; + break; + } + fprintf(stderr, "the %s attribute requires %s value.\n", + name, text); + DESTROY_IF(addr); + free(blob->ptr); + return FALSE; + } + + if (*value_type == VALUE_ADDR) + { + *type = (addr->get_family(addr) == AF_INET) ? 
+ attr_info[i].type : attr_info[i].type_ip6; + addr->destroy(addr); + } + else if (*value_type == VALUE_HEX) + { + *value_type = attr_info[i].value_type; + + if (*value_type == VALUE_ADDR) + { + if (blob->len == 16) + { + *type = attr_info[i].type_ip6; + } + else if (blob->len != 4) + { + fprintf(stderr, "the %s attribute requires " + "a valid IP address.\n", name); + free(blob->ptr); + return FALSE; + } + } + } + return TRUE; + } + } + + /* clean up */ + DESTROY_IF(addr); + + /* is the attribute type numeric? */ + *type = strtol(name, &endptr, 10); + + if (*endptr != '\0') + { + fprintf(stderr, "the %s attribute is not recognized.\n", name); + free(blob->ptr); + return FALSE; + } + if (*type < 1 || *type > 32767) + { + fprintf(stderr, "the attribute type must lie in the range 1..32767.\n"); + free(blob->ptr); + return FALSE; + } + if (*value_type == VALUE_NONE) + { + *value_type = VALUE_HEX; + } + return TRUE; +} + +/** + * Lookup/insert an attribute pool by name + */ +static u_int get_attr_pool(char *name) +{ + enumerator_t *e; + u_int row = 0; + + /* look for an existing attribute pool in the table */ + e = db->query(db, "SELECT id FROM attribute_pools WHERE name = ?", + DB_TEXT, name, DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (db->execute(db, &row, "INSERT INTO attribute_pools (name) VALUES (?)", + DB_TEXT, name) != 1) + { + fprintf(stderr, "creating attribute pool '%s' failed.\n", name); + return 0; + } + return row; +} + +/** + * Lookup/insert an identity + */ +u_int get_identity(identification_t *id) +{ + enumerator_t *e; + u_int row; + + /* look for peer identity in the identities table */ + e = db->query(db, "SELECT id FROM identities WHERE type = ? 
AND data = ?", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), DB_UINT); + if (e && e->enumerate(e, &row)) + { + e->destroy(e); + return row; + } + DESTROY_IF(e); + /* not found, insert new one */ + if (db->execute(db, &row, "INSERT INTO identities (type,data) VALUES (?,?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id)) != 1) + { + fprintf(stderr, "creating id '%Y' failed.\n", id); + return 0; + } + return row; +} + +/** + * ipsec pool --addattr - add attribute entry + */ +void add_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type) +{ + configuration_attribute_type_t type, type_ip6; + u_int pool_id = 0, identity_id = 0; + char id_pool_str[128] = ""; + chunk_t blob; + bool success; + + if (pool) + { + pool_id = get_attr_pool(pool); + if (pool_id == 0) + { + exit(EXIT_FAILURE); + } + + if (identity) + { + identification_t *id; + + id = identification_create_from_string(identity); + identity_id = get_identity(id); + id->destroy(id); + if (identity_id == 0) + { + exit(EXIT_FAILURE); + } + snprintf(id_pool_str, sizeof(id_pool_str), + " for '%s' in pool '%s'", identity, pool); + } + else + { + snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool); + } + } + + if (value_type == VALUE_NONE) + { + fprintf(stderr, "the value of the %s attribute is missing.\n", name); + usage(); + } + if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob)) + { + exit(EXIT_FAILURE); + } + + success = db->execute(db, NULL, + "INSERT INTO attributes (identity, pool, type, value) " + "VALUES (?, ?, ?, ?)", DB_UINT, identity_id, DB_UINT, pool_id, + DB_INT, type, DB_BLOB, blob) == 1; + free(blob.ptr); + + if (success) + { + printf("added %s attribute (%N)%s.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } + else + { + fprintf(stderr, "adding %s attribute (%N)%s failed.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } +} + +/** + * ipsec pool --delattr - delete 
attribute entry + */ +void del_attr(char *name, char *pool, char *identity, + char *value, value_type_t value_type) +{ + configuration_attribute_type_t type, type_ip6, type_db; + u_int pool_id = 0, identity_id = 0; + char id_pool_str[128] = ""; + chunk_t blob, blob_db; + u_int id; + enumerator_t *query; + bool found = FALSE; + + if (pool) + { + pool_id = get_attr_pool(pool); + if (pool_id == 0) + { + exit(EXIT_FAILURE); + } + + if (identity) + { + identification_t *id; + + id = identification_create_from_string(identity); + identity_id = get_identity(id); + id->destroy(id); + if (identity_id == 0) + { + exit(EXIT_FAILURE); + } + snprintf(id_pool_str, sizeof(id_pool_str), + " for '%s' in pool '%s'", identity, pool); + } + else + { + snprintf(id_pool_str, sizeof(id_pool_str), " in pool '%s'", pool); + } + } + + if (!parse_attributes(name, value, &value_type, &type, &type_ip6, &blob)) + { + exit(EXIT_FAILURE); + } + + if (blob.len > 0) + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND type = ? AND value = ?", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_BLOB, blob, DB_UINT, DB_INT, DB_BLOB); + } + else if (type_ip6 == 0) + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND type = ?", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_UINT, DB_INT, DB_BLOB); + } + else + { + query = db->query(db, + "SELECT id, type, value FROM attributes " + "WHERE identity = ? AND pool = ? AND (type = ? 
OR type = ?)", + DB_UINT, identity_id, DB_UINT, pool_id, DB_INT, type, + DB_INT, type_ip6, DB_UINT, DB_INT, DB_BLOB); + } + + if (!query) + { + fprintf(stderr, "deleting '%s' attribute (%N)%s failed.\n", + name, configuration_attribute_type_names, type, id_pool_str); + free(blob.ptr); + exit(EXIT_FAILURE); + } + + while (query->enumerate(query, &id, &type_db, &blob_db)) + { + host_t *server = NULL; + + found = TRUE; + + if (value_type == VALUE_ADDR) + { + int family = (type_db == type_ip6) ? AF_INET6 : AF_INET; + + server = host_create_from_chunk(family, blob_db, 0); + } + + if (db->execute(db, NULL, + "DELETE FROM attributes WHERE id = ?", + DB_UINT, id) != 1) + { + if (server) + { + fprintf(stderr, "deleting %s server %H%s failed\n", + name, server, id_pool_str); + server->destroy(server); + } + else if (value_type == VALUE_STRING) + { + fprintf(stderr, "deleting %s attribute (%N) with value '%.*s'%s failed.\n", + name, configuration_attribute_type_names, type, + blob_db.len, blob_db.ptr, id_pool_str); + } + + else + { + fprintf(stderr, "deleting %s attribute (%N) with value %#B%s failed.\n", + name, configuration_attribute_type_names, type, + &blob_db, id_pool_str); + } + query->destroy(query); + free(blob.ptr); + exit(EXIT_FAILURE); + } + if (server) + { + printf("deleted %s server %H%s\n", name, server, id_pool_str); + server->destroy(server); + } + else if (value_type == VALUE_STRING) + { + printf("deleted %s attribute (%N) with value '%.*s'%s.\n", + name, configuration_attribute_type_names, type, + blob_db.len, blob_db.ptr, id_pool_str); + } + else + { + printf("deleted %s attribute (%N) with value %#B%s.\n", + name, configuration_attribute_type_names, type, + &blob_db, id_pool_str); + } + } + query->destroy(query); + + if (!found) + { + if (blob.len == 0) + { + if (type_ip6 == 0) + { + fprintf(stderr, "no %s attribute (%N) was found%s.\n", name, + configuration_attribute_type_names, type, id_pool_str); + } + else + { + fprintf(stderr, "no %s attribute%s was 
found.\n", + name, id_pool_str); + } + } + else + { + if (value_type == VALUE_ADDR) + { + host_t *server = host_create_from_chunk(AF_UNSPEC, blob, 0); + + fprintf(stderr, "the %s server %H%s was not found.\n", name, + server, id_pool_str); + server->destroy(server); + } + else + { + fprintf(stderr, "the %s attribute (%N) with value '%.*s'%s " + "was not found.\n", name, + configuration_attribute_type_names, type, + blob.len, blob.ptr, id_pool_str); + } + } + } + free(blob.ptr); +} + +/** + * ipsec pool --statusattr - show all attribute entries + */ +void status_attr(bool hexout) +{ + configuration_attribute_type_t type; + value_type_t value_type; + chunk_t value, addr_chunk, mask_chunk, identity_chunk; + identification_t *identity; + enumerator_t *enumerator; + host_t *addr, *mask; + char type_name[30]; + bool first = TRUE; + int i, identity_type; + char *pool_name; + + /* enumerate over all attributes */ + enumerator = db->query(db, + "SELECT attributes.type, attribute_pools.name, " + "identities.type, identities.data, attributes.value " + "FROM attributes " + "LEFT OUTER JOIN identities " + "ON attributes.identity = identities.id " + "LEFT OUTER JOIN attribute_pools " + "ON attributes.pool = attribute_pools.id " + "ORDER BY attributes.type, attribute_pools.name, " + "identities.type, identities.data, attributes.value", + DB_INT, DB_TEXT, DB_INT, DB_BLOB, DB_BLOB); + if (enumerator) + { + while (enumerator->enumerate(enumerator, &type,&pool_name, + &identity_type, &identity_chunk, &value)) + { + if (first) + { + printf(" type description pool " + " identity value\n"); + first = FALSE; + } + snprintf(type_name, sizeof(type_name), "%N", + configuration_attribute_type_names, type); + if (type_name[0] == '(') + { + type_name[0] = '\0'; + } + printf("%5d %-20s ",type, type_name); + + printf(" %-10s ", (pool_name ? 
pool_name : "")); + + if (identity_type) + { + identity = identification_create_from_encoding(identity_type, identity_chunk); + printf(" %-20.20Y ", identity); + identity->destroy(identity); + } + else + { + printf(" "); + } + + value_type = VALUE_HEX; + if (!hexout) + { + for (i = 0; i < countof(attr_info); i++) + { + if (type == attr_info[i].type) + { + value_type = attr_info[i].value_type; + break; + } + } + } + switch (value_type) + { + case VALUE_ADDR: + addr = host_create_from_chunk(AF_UNSPEC, value, 0); + if (addr) + { + printf(" %H\n", addr); + addr->destroy(addr); + } + else + { + /* value cannot be represented as an IP address */ + printf(" %#B\n", &value); + } + break; + case VALUE_SUBNET: + if (value.len % UNITY_NETWORK_LEN == 0) + { + for (i = 0; i < value.len / UNITY_NETWORK_LEN; i++) + { + addr_chunk = chunk_create(value.ptr + i*UNITY_NETWORK_LEN, 4); + addr = host_create_from_chunk(AF_INET, addr_chunk, 0); + mask_chunk = chunk_create(addr_chunk.ptr + 4, 4); + mask = host_create_from_chunk(AF_INET, mask_chunk, 0); + printf("%s%H/%H", (i > 0) ? 
"," : " ", addr, mask); + addr->destroy(addr); + mask->destroy(mask); + } + printf("\n"); + } + else + { + /* value cannot be represented as a list of subnets */ + printf(" %#B\n", &value); + } + break; + case VALUE_STRING: + printf("\"%.*s\"\n", value.len, value.ptr); + break; + case VALUE_HEX: + default: + printf(" %#B\n", &value); + } + } + enumerator->destroy(enumerator); + } +} + +/** + * ipsec pool --showattr - show all supported attribute keywords + */ +void show_attr(void) +{ + int i; + + for (i = 0; i < countof(attr_info); i++) + { + char value_name[10]; + + + snprintf(value_name, sizeof(value_name), "%N", + value_type_names, attr_info[i].value_type); + + printf("%-20s --%-6s (%N", + attr_info[i].keyword, value_name, + configuration_attribute_type_names, attr_info[i].type); + + if (attr_info[i].type_ip6) + { + printf(", %N)\n", + configuration_attribute_type_names, attr_info[i].type_ip6); + } + else + { + printf(")\n"); + } + } +} + diff --git a/src/libhydra/plugins/attr_sql/pool_attributes.h b/src/libhydra/plugins/attr_sql/pool_attributes.h new file mode 100644 index 000000000..a42291f57 --- /dev/null +++ b/src/libhydra/plugins/attr_sql/pool_attributes.h 
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POOL_ATTRIBUTES_H_
+#define POOL_ATTRIBUTES_H_
+
+#include
+
+typedef enum value_type_t value_type_t;
+
+enum value_type_t {
+ VALUE_NONE,
+ VALUE_HEX,
+ VALUE_STRING,
+ VALUE_ADDR,
+ VALUE_SUBNET
+};
+
+/**
+ * enum names for value_type_t.
+ */
+extern enum_name_t *value_type_names;
+
+/**
+ * lookup/insert an identity
+ */
+u_int get_identity(identification_t *id);
+
+/**
+ * ipsec pool --addattr - add attribute entry
+ */
+void add_attr(char *name, char *pool, char *identity,
+ char *value, value_type_t value_type);
+
+/**
+ * ipsec pool --delattr - delete attribute entry
+ */
+void del_attr(char *name, char *pool, char *identity,
+ char *value, value_type_t value_type);
+
+/**
+ * ipsec pool --statusattr - show all attribute entries
+ */
+void status_attr(bool hexout);
+
+/**
+ * ipsec pool --showattr - show all supported attribute keywords
+ */
+void show_attr(void);
+
+#endif /* POOL_ATTRIBUTES_H_ */
+
+
diff --git a/src/libhydra/plugins/attr_sql/pool_usage.c b/src/libhydra/plugins/attr_sql/pool_usage.c
new file mode 100644
index 000000000..985bc3ae8
--- /dev/null
+++ b/src/libhydra/plugins/attr_sql/pool_usage.c
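Review bot: The header comment on `get_identity` says only "lookup/insert an identity" and omits the 0-on-failure sentinel its callers depend on — `add_attr` and `del_attr` in pool_attributes.c both `exit(EXIT_FAILURE)` when it returns 0, and the implementation returns 0 after "creating id failed" — so a new caller cannot tell from the header that 0 is treated as never being a valid row id. I would extend the comment to `* @return database id of the identity, 0 if neither lookup nor insert succeeded`. The `add_attr`/`del_attr` one-liners likewise do not mention that they terminate the process on an unknown pool or identity; a short note saying so would spare a caller a surprise.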
@@ -0,0 +1,127 @@ +/* + * Copyright (C) 2008 Martin Willi + * Copyright (C) 2009-2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +/** + * print pool usage info + */ +void usage(void) +{ + printf("\ +Usage:\n\ + ipsec pool --status|--add|--replace|--del|--resize|--leases|--purge [options]\n\ + ipsec pool --showattr|--statusattr|--addattr|--delattr [options]\n\ + \n\ + ipsec pool --status\n\ + Show a list of installed pools with statistics plus nameserver info.\n\ + \n\ + ipsec pool --statusattr [--hexout]\n\ + Show a list of all attributes stored in the database with the values\n\ + converted to the correct format if the type is known by --showattr or\n\ + in hex format otherwise.\n\ + hexout: Output all values in hex format\n\ + \n\ + ipsec pool --showattr\n\ + Show a keyword list of the major attribute types.\n\ + \n\ + ipsec pool --add --start --end [--timeout ]\n\ + ipsec pool --replace --start --end [--timeout ]\n\ + Add a new pool to or replace an existing pool in the database.\n\ + name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ + start: Start address of the pool\n\ + end: End address of the pool\n\ + timeout: Lease time in hours, 0 for static leases\n\ + \n\ + ipsec pool --add --addresses [--timeout ]\n\ + ipsec pool --replace --addresses [--timeout ]\n\ + Add a new pool to or replace an existing pool in the database.\n\ + name: Name of the pool, as used in ipsec.conf rightsourceip=%%name\n\ + 
file: File newline separated addresses for the pool are read from.\n\ + Optionally each address can be pre-assigned to a roadwarrior\n\ + identity, e.g. 10.231.14.2=alice@strongswan.org.\n\ + If a - (hyphen) is given instead of a file name, the addresses\n\ + are read from STDIN. Reading addresses stops at the end of file\n\ + or an empty line. Pools created with this command can not be\n\ + resized.\n\ + timeout: Lease time in hours, 0 for static leases\n\ + \n\ + ipsec pool --addattr [--pool [--identity ]]\n\ + --addr|--mask|--server|--subnet|--string|--hex \n\ + Add a new attribute to the database. Attributes can be bundled by using\n\ + the --pool and --identity options. If a bundle matches a peer the contained\n\ + attributes are sent to that peer instead of the global ones.\n\ + type: a keyword from --showattr or a number from the range 1..32767\n\ + name: the name of the pool this attribute is added to\n\ + id: identity of the peer this attribute is bound to\n\ + addr: IPv4 or IPv6 address\n\ + mask: IPv4 or IPv6 netmask (synonym for --addr)\n\ + server: IPv4 or IPv6 address of a server (synonym for --addr)\n\ + subnet: IPv4 subnet[s] given by network/mask[,network/mask,...]\n\ + string: value of a string-type attribute\n\ + hex: hex value of any attribute\n\ + \n\ + ipsec pool --del \n\ + Delete a pool from the database.\n\ + name: Name of the pool to delete\n\ + \n\ + ipsec pool --delattr [--pool [--identity ]]\n\ + [--addr|--mask|--server|--subnet|--string|--hex ]\n\ + Delete a specific or all attributes of a given type from the database.\n\ + type: a keyword from --showattr or a number from the range 1..32767\n\ + name: the name of the pool this attribute is added to\n\ + id: identity of the peer this attribute is bound to\n\ + addr: IPv4 or IPv6 address\n\ + mask: IPv4 or IPv6 netmask (synonym for --addr)\n\ + server: IPv4 or IPv6 address of a server (synonym for --addr)\n\ + subnet: IPv4 subnet[s] given by network/mask[,network/mask,...]\n\ + string: 
value of a string-type attribute\n\ + hex: hex value of any attribute\n\ + \n\ + ipsec pool --resize --end \n\ + Grow or shrink an existing pool.\n\ + name: Name of the pool to resize\n\ + end: New end address for the pool\n\ + \n\ + ipsec pool --leases [--filter ] [--utc]\n\ + Show lease information using filters:\n\ + filter: Filter string containing comma separated key=value filters,\n\ + e.g. id=alice@strongswan.org,addr=1.1.1.1\n\ + pool: name of the pool\n\ + id: assigned identity of the lease\n\ + addr: lease IP address\n\ + tstamp: UNIX timestamp when lease was valid, as integer\n\ + status: status of the lease: online|valid|expired\n\ + utc: Show times in UTC instead of local time\n\ + \n\ + ipsec pool --purge \n\ + Delete lease history of a pool:\n\ + name: Name of the pool to purge\n\ + \n\ + ipsec pool --batch \n\ + Read commands from a file and execute them atomically.\n\ + file: File to read the newline separated commands from. Commands\n\ + appear as they are written on the command line, e.g.\n\ + --replace mypool --start 10.0.0.1 --end 10.0.0.254\n\ + --del dns\n\ + --add dns --server 10.1.0.1\n\ + --add dns --server 10.1.1.1\n\ + If a - (hyphen) is given as a file name, the commands are read\n\ + from STDIN. Readin commands stops at the end of file. Empty\n\ + lines are ignored. The file may not contain a --batch command.\n\ + \n"); +} + diff --git a/src/libhydra/plugins/attr_sql/pool_usage.h b/src/libhydra/plugins/attr_sql/pool_usage.h new file mode 100644 index 000000000..a98b0d680 --- /dev/null +++ b/src/libhydra/plugins/attr_sql/pool_usage.h 
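Review bot: The --batch paragraph of the usage text has a typo, `Readin commands stops at the end of file.` should read `Reading commands stops at the end of file.`, and the --addresses paragraph's `File newline separated addresses for the pool are read from.` is hard to parse; `File to read the newline-separated addresses for the pool from.` says the same thing. Both are user-visible strings inside the usage() printf literal, so the fix has to go into the literal itself.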
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Copyright (C) 2009-2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POOL_USAGE_H_
+#define POOL_USAGE_H_
+
+/**
+ * print pool usage info
+ */
+void usage(void);
+
+
+#endif /* POOL_USAGE_H_ */
diff --git a/src/libhydra/plugins/attr_sql/sql_attribute.c b/src/libhydra/plugins/attr_sql/sql_attribute.c
index a7cfde649..7f7bb190c 100644
--- a/src/libhydra/plugins/attr_sql/sql_attribute.c
+++ b/src/libhydra/plugins/attr_sql/sql_attribute.c
@@ -73,6 +73,26 @@ static u_int get_identity(private_sql_attribute_t *this, identification_t *id)
 return 0;
 }
 
+/**
+ * Lookup an attribute pool by name
+ */
+static u_int get_attr_pool(private_sql_attribute_t *this, char *name)
+{
+ enumerator_t *e;
+ u_int row = 0;
+
+ e = this->db->query(this->db,
+ "SELECT id FROM attribute_pools WHERE name = ?",
+ DB_TEXT, name, DB_UINT);
+ if (e)
+ {
+ e->enumerate(e, &row);
+ }
+ DESTROY_IF(e);
+
+ return row;
+}
+
 /**
 * Lookup pool by name
 */
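Review bot: `get_attr_pool` returns 0 both when no attribute_pools row matches and when the query itself fails, and its comment does not say so, even though pool id 0 is also the key the global `pool = 0 AND identity = 0` attributes are looked up by later in this file; the callers in create_attribute_enumerator skip a 0 result, so the conflation is harmless today, but it should be written down: `* @return id of the named pool, 0 if it does not exist or the query failed`. The ignored return of `e->enumerate()` is only safe because `row` is pre-initialised to 0; a one-line comment saying that would stop someone "fixing" it into an uninitialised read later.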
@@ -327,20 +347,101 @@ static bool release_address(private_sql_attribute_t *this, * Implementation of sql_attribute_t.create_attribute_enumerator */ static enumerator_t* create_attribute_enumerator(private_sql_attribute_t *this, - identification_t *id, host_t *vip) + char *names, identification_t *id, host_t *vip) { + enumerator_t *attr_enumerator = NULL; + if (vip) { - enumerator_t *enumerator; + enumerator_t *names_enumerator; + u_int count; + char *name; - enumerator = this->db->query(this->db, - "SELECT type, value FROM attributes", DB_INT, DB_BLOB); - if (enumerator) + this->db->execute(this->db, NULL, "BEGIN EXCLUSIVE TRANSACTION"); + + /* in a first step check for attributes that match name and id */ + if (id) { - return enumerator; + u_int identity = get_identity(this, id); + + names_enumerator = enumerator_create_token(names, ",", " "); + while (names_enumerator->enumerate(names_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = ?", + DB_UINT, attr_pool, DB_UINT, identity, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? 
AND identity = ?", DB_UINT, + attr_pool, DB_UINT, identity, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + names_enumerator->destroy(names_enumerator); + } + + /* in a second step check for attributes that match name */ + if (!attr_enumerator) + { + names_enumerator = enumerator_create_token(names, ",", " "); + while (names_enumerator->enumerate(names_enumerator, &name)) + { + u_int attr_pool = get_attr_pool(this, name); + if (!attr_pool) + { + continue; + } + + attr_enumerator = this->db->query(this->db, + "SELECT count(*) FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_UINT); + + if (attr_enumerator && + attr_enumerator->enumerate(attr_enumerator, &count) && + count != 0) + { + attr_enumerator->destroy(attr_enumerator); + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = ? AND identity = 0", + DB_UINT, attr_pool, DB_INT, DB_BLOB); + break; + } + DESTROY_IF(attr_enumerator); + attr_enumerator = NULL; + } + names_enumerator->destroy(names_enumerator); + } + + this->db->execute(this->db, NULL, "END TRANSACTION"); + + /* lastly try to find global attributes */ + if (!attr_enumerator) + { + attr_enumerator = this->db->query(this->db, + "SELECT type, value FROM attributes " + "WHERE pool = 0 AND identity = 0", + DB_INT, DB_BLOB); } } - return enumerator_create_empty(); + + return (attr_enumerator ? attr_enumerator : enumerator_create_empty()); } /** 
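Review bot: The `BEGIN EXCLUSIVE TRANSACTION` and `END TRANSACTION` calls wrapping the two lookup passes ignore execute()'s return value, and `attr_enumerator` — the cursor handed back to the caller — is created inside that transaction but returned only after `END TRANSACTION` has run, so the transaction does not cover the rows the caller will actually read, and a failed BEGIN is still followed by an unmatched END; at minimum check the BEGIN result and skip the END when it failed. `EXCLUSIVE` is SQLite syntax; if this plugin is also built against the MySQL backend (the tree's MYSQLCONFIG/MYSQLLIB configure variables suggest it can be), that statement would fail there with no diagnostic because nothing checks it — worth confirming against the database_t implementations. Separately, the two passes differ only in `identity = ?` versus `identity = 0`, and each runs a count(*) before the real SELECT; folding the pair into one helper removes the duplicated bodies and makes explicit that a `get_identity()` result of 0 (its `return 0;` path is visible as context in the first hunk) turns the first pass into the second. The helper and the collapsed loop body are sketched below; the transaction checks are left as described above.
```c
/*
 * Count-then-select for one (pool, identity) pair; identity 0 addresses the
 * pool-wide entries. Returns NULL when nothing matched or a query failed.
 */
static enumerator_t *query_pool_attributes(private_sql_attribute_t *this,
										   u_int attr_pool, u_int identity)
{
	enumerator_t *e;
	u_int count = 0;

	e = this->db->query(this->db,
			"SELECT count(*) FROM attributes WHERE pool = ? AND identity = ?",
			DB_UINT, attr_pool, DB_UINT, identity, DB_UINT);
	if (!e || !e->enumerate(e, &count) || count == 0)
	{
		DESTROY_IF(e);
		return NULL;
	}
	e->destroy(e);
	return this->db->query(this->db,
			"SELECT type, value FROM attributes WHERE pool = ? AND identity = ?",
			DB_UINT, attr_pool, DB_UINT, identity, DB_INT, DB_BLOB);
}

/* … unchanged: create_attribute_enumerator up to the names loop … */
		while (names_enumerator->enumerate(names_enumerator, &name))
		{
			u_int attr_pool = get_attr_pool(this, name);

			if (attr_pool)
			{
				/* second pass passes 0 here instead of identity */
				attr_enumerator = query_pool_attributes(this, attr_pool, identity);
				if (attr_enumerator)
				{
					break;
				}
			}
		}
/* … unchanged: END TRANSACTION, global fallback and return … */
```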
@@ -361,7 +462,7 @@ sql_attribute_t *sql_attribute_create(database_t *db) this->public.provider.acquire_address = (host_t*(*)(attribute_provider_t *this, char*, identification_t *, host_t *))acquire_address; this->public.provider.release_address = (bool(*)(attribute_provider_t *this, char*,host_t *, identification_t*))release_address; - this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, identification_t *id, host_t *host))create_attribute_enumerator; + this->public.provider.create_attribute_enumerator = (enumerator_t*(*)(attribute_provider_t*, char *names, identification_t *id, host_t *host))create_attribute_enumerator; this->public.destroy = (void(*)(sql_attribute_t*))destroy; this->db = db; diff --git a/src/libhydra/plugins/resolve/Makefile.am b/src/libhydra/plugins/resolve/Makefile.am new file mode 100644 index 000000000..f8830d42e --- /dev/null +++ b/src/libhydra/plugins/resolve/Makefile.am @@ -0,0 +1,18 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic \ + -DRESOLV_CONF=\"${resolv_conf}\" + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-resolve.la +else +plugin_LTLIBRARIES = libstrongswan-resolve.la +endif + +libstrongswan_resolve_la_SOURCES = \ + resolve_plugin.h resolve_plugin.c \ + resolve_handler.h resolve_handler.c + +libstrongswan_resolve_la_LDFLAGS = -module -avoid-version diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in new file mode 100644 index 000000000..e16c66923 --- /dev/null +++ b/src/libhydra/plugins/resolve/Makefile.in 
@@ -0,0 +1,591 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libhydra/plugins/resolve +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; 
+am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_resolve_la_LIBADD = +am_libstrongswan_resolve_la_OBJECTS = resolve_plugin.lo \ + resolve_handler.lo +libstrongswan_resolve_la_OBJECTS = \ + $(am_libstrongswan_resolve_la_OBJECTS) +libstrongswan_resolve_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_resolve_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_resolve_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_resolve_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_resolve_la_SOURCES) +DIST_SOURCES = $(libstrongswan_resolve_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ 
+YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ 
+top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +AM_CFLAGS = -rdynamic \ + -DRESOLV_CONF=\"${resolv_conf}\" + +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-resolve.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-resolve.la +libstrongswan_resolve_la_SOURCES = \ + resolve_plugin.h resolve_plugin.c \ + resolve_handler.h resolve_handler.c + +libstrongswan_resolve_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libhydra/plugins/resolve/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-resolve.la: $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_DEPENDENCIES) + $(libstrongswan_resolve_la_LINK) $(am_libstrongswan_resolve_la_rpath) $(libstrongswan_resolve_la_OBJECTS) $(libstrongswan_resolve_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_handler.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/resolve_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + 
+mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in 
$$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libhydra/plugins/resolve/resolve_handler.c b/src/libhydra/plugins/resolve/resolve_handler.c new file mode 100644 index 000000000..cdc639038 --- /dev/null +++ b/src/libhydra/plugins/resolve/resolve_handler.c 
@@ -0,0 +1,252 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_handler.h"
+
+#include 
+
+#include 
+#include 
+#include 
+
+typedef struct private_resolve_handler_t private_resolve_handler_t;
+
+/**
+ * Private data of an resolve_handler_t object.
+ */
+struct private_resolve_handler_t {
+
+ /**
+ * Public resolve_handler_t interface.
+ */
+ resolve_handler_t public;
+
+ /**
+ * resolv.conf file to use
+ */
+ char *file;
+
+ /**
+ * Mutex to access file exclusively
+ */
+ mutex_t *mutex;
+};
+
+/**
+ * Implementation of attribute_handler_t.handle
+ */
+static bool handle(private_resolve_handler_t *this, identification_t *server,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ FILE *in, *out;
+ char buf[1024];
+ host_t *addr;
+ size_t len;
+ bool handled = FALSE;
+
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ addr = host_create_from_chunk(AF_INET, data, 0);
+ break;
+ case INTERNAL_IP6_DNS:
+ addr = host_create_from_chunk(AF_INET6, data, 0);
+ break;
+ default:
+ return FALSE;
+ }
+
+ if (!addr || addr->is_anyaddr(addr))
+ {
+ DESTROY_IF(addr);
+ return FALSE;
+ }
+ this->mutex->lock(this->mutex);
+
+ in = fopen(this->file, "r");
+ /* allows us to stream from in to out */
+ unlink(this->file);
+ out = fopen(this->file, "w");
+ if (out)
+ {
+ fprintf(out, "nameserver %H # by strongSwan, from %Y\n", addr, server);
+ DBG1(DBG_IKE, "installing DNS server %H to %s", addr, this->file);
+ handled = TRUE;
+
+ /* copy rest of the file */
+ if (in)
+ {
+ while ((len = fread(buf, 1, sizeof(buf), in)))
+ {
+ ignore_result(fwrite(buf, 1, len, out));
+ }
+ }
+ fclose(out);
+ }
+ if (in)
+ {
+ fclose(in);
+ }
+ this->mutex->unlock(this->mutex);
+ addr->destroy(addr);
+
+ if (!handled)
+ {
+ DBG1(DBG_IKE, "adding DNS server failed", this->file);
+ }
+ return handled;
+}
+
+/**
+ * Implementation of attribute_handler_t.release
+ */
+static void release(private_resolve_handler_t *this, identification_t *server,
+ configuration_attribute_type_t type, chunk_t data)
+{
+ FILE *in, *out;
+ char line[1024], matcher[512], *pos;
+ host_t *addr;
+ int family;
+
+ switch (type)
+ {
+ case INTERNAL_IP4_DNS:
+ family = AF_INET;
+ break;
+ case INTERNAL_IP6_DNS:
+ family = AF_INET6;
+ break;
+ default:
+ return;
+ }
+
+ this->mutex->lock(this->mutex);
+
+ in = fopen(this->file, "r");
+ if (in)
+ {
+ /* allows us to stream from in to out */
+ unlink(this->file);
+ out = fopen(this->file, "w");
+ if (out)
+ {
+ addr = host_create_from_chunk(family, data, 0);
+ snprintf(matcher, sizeof(matcher),
+ "nameserver %H # by strongSwan, from %Y\n",
+ addr, server);
+
+ /* copy all, but matching line */
+ while ((pos = fgets(line, sizeof(line), in)))
+ {
+ if (strneq(line, matcher, strlen(matcher)))
+ {
+ DBG1(DBG_IKE, "removing DNS server %H from %s",
+ addr, this->file);
+ }
+ else
+ {
+ fputs(line, out);
+ }
+ }
+ addr->destroy(addr);
+ fclose(out);
+ }
+ fclose(in);
+ }
+
+ this->mutex->unlock(this->mutex);
+}
+
+/**
+ * Attribute enumerator implementation
+ */
+typedef struct {
+ /** implements enumerator_t interface */
+ enumerator_t public;
+ /** virtual IP we are requesting */
+ host_t *vip;
+} attribute_enumerator_t;
+
+/**
+ * Implementation of create_attribute_enumerator().enumerate()
+ */
+static bool attribute_enumerate(attribute_enumerator_t *this,
+ configuration_attribute_type_t *type, chunk_t *data)
+{
+ switch (this->vip->get_family(this->vip))
+ {
+ case AF_INET:
+ *type = INTERNAL_IP4_DNS;
+ break;
+ case AF_INET6:
+ *type = INTERNAL_IP6_DNS;
+ break;
+ default:
+ return FALSE;
+ }
+ *data = chunk_empty;
+ /* enumerate only once */
+ this->public.enumerate = (void*)return_false;
+ return TRUE;
+}
+
+/**
+ * Implementation of attribute_handler_t.create_attribute_enumerator
+ */
+static enumerator_t* create_attribute_enumerator(private_resolve_handler_t *this,
+ identification_t *server, host_t *vip)
+{
+ if (vip)
+ {
+ attribute_enumerator_t *enumerator;
+
+ enumerator = malloc_thing(attribute_enumerator_t);
+ enumerator->public.enumerate = (void*)attribute_enumerate;
+ enumerator->public.destroy = (void*)free;
+ enumerator->vip = vip;
+
+ return &enumerator->public;
+ }
+ return enumerator_create_empty();
+}
+
+/**
+ * Implementation of resolve_handler_t.destroy.
+ */
+static void destroy(private_resolve_handler_t *this)
+{
+ this->mutex->destroy(this->mutex);
+ free(this);
+}
+
+/**
+ * See header
+ */
+resolve_handler_t *resolve_handler_create()
+{
+ private_resolve_handler_t *this = malloc_thing(private_resolve_handler_t);
+
+ this->public.handler.handle = (bool(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))handle;
+ this->public.handler.release = (void(*)(attribute_handler_t*, identification_t*, configuration_attribute_type_t, chunk_t))release;
+ this->public.handler.create_attribute_enumerator = (enumerator_t*(*)(attribute_handler_t*, identification_t *server, host_t *vip))create_attribute_enumerator;
+ this->public.destroy = (void(*)(resolve_handler_t*))destroy;
+
+ this->mutex = mutex_create(MUTEX_TYPE_DEFAULT);
+ this->file = lib->settings->get_str(lib->settings,
+ "%s.plugins.resolve.file", RESOLV_CONF, hydra->daemon);
+
+ return &this->public;
+}
+
diff --git a/src/libhydra/plugins/resolve/resolve_handler.h b/src/libhydra/plugins/resolve/resolve_handler.h
new file mode 100644
index 000000000..77bf9781c
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_handler.h
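Review bot: `DBG1(DBG_IKE, "adding DNS server failed", this->file);` at the end of handle() has no conversion for this->file, so the path is never logged and the argument is silently ignored; it should read `DBG1(DBG_IKE, "adding DNS server to %s failed", this->file);`. In release() the result of `host_create_from_chunk(family, data, 0)` is formatted with %H and later freed through `addr->destroy(addr)` without the `if (!addr || addr->is_anyaddr(addr))` guard that handle() applies, so a malformed attribute chunk would dereference NULL there even if release() is presumably only invoked for attributes handle() accepted; add the same guard before the snprintf, skipping the rewrite while still unlocking the mutex. handle() also calls `unlink(this->file)` before it knows that `fopen(this->file, "w")` succeeds, so a failed write-open leaves the system with no resolv.conf at all instead of the unmodified one; opening the output stream first, or writing to a temporary file and renaming it over the original, keeps the existing file intact on failure. Both rewrites recreate the file with the process umask rather than the original file mode, which deserves a comment if it is intentional.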
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup resolve_handler resolve_handler
+ * @{ @ingroup resolve
+ */
+
+#ifndef RESOLVE_HANDLER_H_
+#define RESOLVE_HANDLER_H_
+
+#include 
+
+typedef struct resolve_handler_t resolve_handler_t;
+
+/**
+ * Handle DNS configuration attributes by mangling a resolv.conf file.
+ */
+struct resolve_handler_t {
+
+ /**
+ * Implements the attribute_handler_t interface
+ */
+ attribute_handler_t handler;
+
+ /**
+ * Destroy a resolve_handler_t.
+ */
+ void (*destroy)(resolve_handler_t *this);
+};
+
+/**
+ * Create a resolve_handler instance.
+ */
+resolve_handler_t *resolve_handler_create();
+
+#endif /** RESOLVE_HANDLER_H_ @}*/
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c
new file mode 100644
index 000000000..502129593
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_plugin.c
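Review bot: `resolve_handler_t *resolve_handler_create();` is declared with empty parentheses, which in C leaves the argument list unchecked by the compiler; declare it as `resolve_handler_t *resolve_handler_create(void);` and match that in the definition in resolve_handler.c. The same applies to `plugin_t *resolve_plugin_create()` in resolve_plugin.c in the next hunk, whose struct comment also misspells "registered". The struct comment here would help integrators more if it named what is rewritten, e.g. `Handle DNS configuration attributes by rewriting the resolv.conf file selected by the <daemon>.plugins.resolve.file setting (default RESOLV_CONF).`, since that setting and default are only discoverable from the .c file.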
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) 2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "resolve_plugin.h"
+#include "resolve_handler.h"
+
+#include 
+
+typedef struct private_resolve_plugin_t private_resolve_plugin_t;
+
+/**
+ * private data of resolve plugin
+ */
+struct private_resolve_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ resolve_plugin_t public;
+
+ /**
+ * The registerd DNS attribute handler
+ */
+ resolve_handler_t *handler;
+};
+
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(private_resolve_plugin_t *this)
+{
+ hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler);
+ this->handler->destroy(this->handler);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *resolve_plugin_create()
+{
+ private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t);
+
+ this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
+ this->handler = resolve_handler_create();
+ hydra->attributes->add_handler(hydra->attributes, &this->handler->handler);
+
+ return &this->public.plugin;
+}
+
diff --git a/src/libhydra/plugins/resolve/resolve_plugin.h b/src/libhydra/plugins/resolve/resolve_plugin.h
new file mode 100644
index 000000000..0148b10d7
--- /dev/null
+++ b/src/libhydra/plugins/resolve/resolve_plugin.h
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup resolve resolve + * @ingroup cplugins + * + * @defgroup resolve_plugin resolve_plugin + * @{ @ingroup resolve + */ + +#ifndef RESOLVE_PLUGIN_H_ +#define RESOLVE_PLUGIN_H_ + +#include + +typedef struct resolve_plugin_t resolve_plugin_t; + +/** + * Plugin that writes received DNS servers in a resolv.conf file. + */ +struct resolve_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** RESOLVE_PLUGIN_H_ @}*/ diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index ab07cb214..d53df9bb2 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/Android.mk b/src/libstrongswan/Android.mk index d639220e3..1931dfa45 100644 --- a/src/libstrongswan/Android.mk +++ b/src/libstrongswan/Android.mk 
@@ -26,7 +26,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \ crypto/transform.c crypto/transform.h \ credentials/credential_factory.c credentials/credential_factory.h \ credentials/builder.c credentials/builder.h \ -credentials/keys/key_encoding.c credentials/keys/key_encoding.h \ +credentials/cred_encoding.c credentials/cred_encoding.h \ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ @@ -39,6 +39,12 @@ credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \ +credentials/credential_manager.c credentials/credential_manager.h \ +credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ +credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ +credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ +credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ +credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ selectors/traffic_selector.c selectors/traffic_selector.h \ @@ -68,7 +74,7 @@ LOCAL_SRC_FILES += $(call add_plugin, des) LOCAL_SRC_FILES += $(call add_plugin, fips-prf) LOCAL_SRC_FILES += $(call add_plugin, gmp) -ifneq ($(call plugin_enabled, gmp)),) +ifneq ($(call plugin_enabled, gmp),) LOCAL_C_INCLUDES += $(libgmp_PATH) LOCAL_SHARED_LIBRARIES += libgmp endif 
@@ -80,7 +86,7 @@ LOCAL_SRC_FILES += $(call add_plugin, md4) LOCAL_SRC_FILES += $(call add_plugin, md5) LOCAL_SRC_FILES += $(call add_plugin, openssl) -ifneq ($(call plugin_enabled, openssl)),) +ifneq ($(call plugin_enabled, openssl),) LOCAL_C_INCLUDES += external/openssl/include LOCAL_SHARED_LIBRARIES += libcrypto endif diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 157d37b5e..3678abd5d 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -24,7 +24,7 @@ crypto/diffie_hellman.c crypto/diffie_hellman.h \ crypto/transform.c crypto/transform.h \ credentials/credential_factory.c credentials/credential_factory.h \ credentials/builder.c credentials/builder.h \ -credentials/keys/key_encoding.c credentials/keys/key_encoding.h \ +credentials/cred_encoding.c credentials/cred_encoding.h \ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ @@ -37,6 +37,12 @@ credentials/certificates/ocsp_request.h \ credentials/certificates/ocsp_response.h credentials/certificates/ocsp_response.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c credentials/ietf_attributes/ietf_attributes.h \ +credentials/credential_manager.c credentials/credential_manager.h \ +credentials/sets/auth_cfg_wrapper.c credentials/sets/auth_cfg_wrapper.h \ +credentials/sets/ocsp_response_wrapper.c credentials/sets/ocsp_response_wrapper.h \ +credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ +credentials/auth_cfg.c credentials/auth_cfg.h credentials/credential_set.h \ +credentials/cert_validator.h \ database/database.h database/database_factory.h database/database_factory.c \ fetcher/fetcher.h fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ selectors/traffic_selector.c selectors/traffic_selector.h \ 
@@ -203,6 +209,13 @@ if MONOLITHIC endif endif +if USE_REVOCATION + SUBDIRS += plugins/revocation +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/revocation/libstrongswan-revocation.la +endif +endif + if USE_PUBKEY SUBDIRS += plugins/pubkey if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index b8d967d4a..b6dcf6be5 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 
@@ -68,36 +68,38 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la @USE_X509_TRUE@am__append_29 = plugins/x509 @MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la -@USE_PUBKEY_TRUE@am__append_31 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_32 = plugins/pubkey/libstrongswan-pubkey.la -@USE_PKCS1_TRUE@am__append_33 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_34 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PGP_TRUE@am__append_35 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_36 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_37 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_38 = plugins/dnskey/libstrongswan-dnskey.la -@USE_PEM_TRUE@am__append_39 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_40 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_41 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_42 = plugins/curl/libstrongswan-curl.la -@USE_LDAP_TRUE@am__append_43 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_44 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_45 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_46 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_47 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_48 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_49 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_50 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_51 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_52 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_53 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_54 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_55 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_56 = 
plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_57 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_58 = plugins/agent/libstrongswan-agent.la -@USE_TEST_VECTORS_TRUE@am__append_59 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_60 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la +@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PGP_TRUE@am__append_37 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la +@USE_PEM_TRUE@am__append_41 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_43 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la +@USE_LDAP_TRUE@am__append_45 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_47 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la 
+@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_59 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la +@USE_TEST_VECTORS_TRUE@am__append_61 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_62 = plugins/test_vectors/libstrongswan-test-vectors.la subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -150,7 +152,7 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_42) $(am__append_44) $(am__append_46) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ - $(am__append_60) + $(am__append_60) $(am__append_62) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \ @@ -167,8 +169,8 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ credentials/credential_factory.c \ credentials/credential_factory.h credentials/builder.c \ - credentials/builder.h credentials/keys/key_encoding.c \ - credentials/keys/key_encoding.h credentials/keys/private_key.c \ + credentials/builder.h credentials/cred_encoding.c \ + credentials/cred_encoding.h credentials/keys/private_key.c \ credentials/keys/private_key.h credentials/keys/public_key.c \ credentials/keys/public_key.h credentials/keys/shared_key.c \ credentials/keys/shared_key.h \ 
@@ -184,6 +186,15 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c \ credentials/ietf_attributes/ietf_attributes.h \ + credentials/credential_manager.c \ + credentials/credential_manager.h \ + credentials/sets/auth_cfg_wrapper.c \ + credentials/sets/auth_cfg_wrapper.h \ + credentials/sets/ocsp_response_wrapper.c \ + credentials/sets/ocsp_response_wrapper.h \ + credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ + credentials/auth_cfg.c credentials/auth_cfg.h \ + credentials/credential_set.h credentials/cert_validator.h \ database/database.h database/database_factory.h \ database/database_factory.c fetcher/fetcher.h \ fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ @@ -208,9 +219,11 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ crypter.lo hasher.lo pkcs9.lo proposal_keywords.lo prf.lo \ rng.lo prf_plus.lo signer.lo crypto_factory.lo \ crypto_tester.lo diffie_hellman.lo transform.lo \ - credential_factory.lo builder.lo key_encoding.lo \ + credential_factory.lo builder.lo cred_encoding.lo \ private_key.lo public_key.lo shared_key.lo certificate.lo \ x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \ + credential_manager.lo auth_cfg_wrapper.lo \ + ocsp_response_wrapper.lo cert_cache.lo auth_cfg.lo \ database_factory.lo fetcher_manager.lo traffic_selector.lo \ thread.lo thread_value.lo mutex.lo rwlock.lo utils.lo host.lo \ identification.lo lexparser.lo linked_list.lo hashtable.lo \ 
@@ -249,10 +262,11 @@ CTAGS = ctags DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \ plugins/random plugins/hmac plugins/xcbc plugins/x509 \ - plugins/pubkey plugins/pkcs1 plugins/pgp plugins/dnskey \ - plugins/pem plugins/curl plugins/ldap plugins/mysql \ - plugins/sqlite plugins/padlock plugins/openssl plugins/gcrypt \ - plugins/fips_prf plugins/agent plugins/test_vectors + plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \ + plugins/dnskey plugins/pem plugins/curl plugins/ldap \ + plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ + plugins/gcrypt plugins/fips_prf plugins/agent \ + plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -451,8 +465,8 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ crypto/diffie_hellman.h crypto/transform.c crypto/transform.h \ credentials/credential_factory.c \ credentials/credential_factory.h credentials/builder.c \ - credentials/builder.h credentials/keys/key_encoding.c \ - credentials/keys/key_encoding.h credentials/keys/private_key.c \ + credentials/builder.h credentials/cred_encoding.c \ + credentials/cred_encoding.h credentials/keys/private_key.c \ credentials/keys/private_key.h credentials/keys/public_key.c \ credentials/keys/public_key.h credentials/keys/shared_key.c \ credentials/keys/shared_key.h \ 
@@ -468,6 +482,15 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ credentials/certificates/pgp_certificate.h \ credentials/ietf_attributes/ietf_attributes.c \ credentials/ietf_attributes/ietf_attributes.h \ + credentials/credential_manager.c \ + credentials/credential_manager.h \ + credentials/sets/auth_cfg_wrapper.c \ + credentials/sets/auth_cfg_wrapper.h \ + credentials/sets/ocsp_response_wrapper.c \ + credentials/sets/ocsp_response_wrapper.h \ + credentials/sets/cert_cache.c credentials/sets/cert_cache.h \ + credentials/auth_cfg.c credentials/auth_cfg.h \ + credentials/credential_set.h credentials/cert_validator.h \ database/database.h database/database_factory.h \ database/database_factory.c fetcher/fetcher.h \ fetcher/fetcher_manager.h fetcher/fetcher_manager.c \ @@ -494,7 +517,7 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_42) $(am__append_44) $(am__append_46) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ - $(am__append_60) + $(am__append_60) $(am__append_62) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \ @@ -525,7 +548,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_FALSE@ $(am__append_47) $(am__append_49) \ @MONOLITHIC_FALSE@ $(am__append_51) $(am__append_53) \ @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ -@MONOLITHIC_FALSE@ $(am__append_59) +@MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) # build plugins with their own Makefile ####################################### 
@@ -542,7 +565,7 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_TRUE@ $(am__append_47) $(am__append_49) \ @MONOLITHIC_TRUE@ $(am__append_51) $(am__append_53) \ @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ -@MONOLITHIC_TRUE@ $(am__append_59) +@MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -620,11 +643,16 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/asn1_parser.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/auth_cfg_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/backtrace.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/builder.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cert_cache.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/certificate.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/chunk.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/cred_encoding.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_factory.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/credential_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypto_factory.Plo@am__quote@ 
@@ -641,13 +669,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/identification.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ietf_attributes.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/integrity_checker.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key_encoding.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/leak_detective.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lexparser.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/library.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/linked_list.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/mutex.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp_response_wrapper.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/optionsfrom.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs9.Plo@am__quote@ 
@@ -810,12 +838,12 @@ builder.lo: credentials/builder.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o builder.lo `test -f 'credentials/builder.c' || echo '$(srcdir)/'`credentials/builder.c -key_encoding.lo: credentials/keys/key_encoding.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT key_encoding.lo -MD -MP -MF $(DEPDIR)/key_encoding.Tpo -c -o key_encoding.lo `test -f 'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/key_encoding.Tpo $(DEPDIR)/key_encoding.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/keys/key_encoding.c' object='key_encoding.lo' libtool=yes @AMDEPBACKSLASH@ +cred_encoding.lo: credentials/cred_encoding.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cred_encoding.lo -MD -MP -MF $(DEPDIR)/cred_encoding.Tpo -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cred_encoding.Tpo $(DEPDIR)/cred_encoding.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/cred_encoding.c' object='cred_encoding.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o key_encoding.lo `test -f 
'credentials/keys/key_encoding.c' || echo '$(srcdir)/'`credentials/keys/key_encoding.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cred_encoding.lo `test -f 'credentials/cred_encoding.c' || echo '$(srcdir)/'`credentials/cred_encoding.c private_key.lo: credentials/keys/private_key.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT private_key.lo -MD -MP -MF $(DEPDIR)/private_key.Tpo -c -o private_key.lo `test -f 'credentials/keys/private_key.c' || echo '$(srcdir)/'`credentials/keys/private_key.c 
@@ -873,6 +901,41 @@ ietf_attributes.lo: credentials/ietf_attributes/ietf_attributes.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ietf_attributes.lo `test -f 'credentials/ietf_attributes/ietf_attributes.c' || echo '$(srcdir)/'`credentials/ietf_attributes/ietf_attributes.c +credential_manager.lo: credentials/credential_manager.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT credential_manager.lo -MD -MP -MF $(DEPDIR)/credential_manager.Tpo -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/credential_manager.Tpo $(DEPDIR)/credential_manager.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/credential_manager.c' object='credential_manager.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o credential_manager.lo `test -f 'credentials/credential_manager.c' || echo '$(srcdir)/'`credentials/credential_manager.c + +auth_cfg_wrapper.lo: credentials/sets/auth_cfg_wrapper.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg_wrapper.lo -MD -MP -MF $(DEPDIR)/auth_cfg_wrapper.Tpo -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo 
'$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg_wrapper.Tpo $(DEPDIR)/auth_cfg_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/auth_cfg_wrapper.c' object='auth_cfg_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg_wrapper.lo `test -f 'credentials/sets/auth_cfg_wrapper.c' || echo '$(srcdir)/'`credentials/sets/auth_cfg_wrapper.c + +ocsp_response_wrapper.lo: credentials/sets/ocsp_response_wrapper.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ocsp_response_wrapper.lo -MD -MP -MF $(DEPDIR)/ocsp_response_wrapper.Tpo -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ocsp_response_wrapper.Tpo $(DEPDIR)/ocsp_response_wrapper.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/ocsp_response_wrapper.c' object='ocsp_response_wrapper.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ocsp_response_wrapper.lo `test -f 'credentials/sets/ocsp_response_wrapper.c' || echo '$(srcdir)/'`credentials/sets/ocsp_response_wrapper.c + +cert_cache.lo: credentials/sets/cert_cache.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT cert_cache.lo -MD -MP -MF $(DEPDIR)/cert_cache.Tpo -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/cert_cache.Tpo $(DEPDIR)/cert_cache.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/sets/cert_cache.c' object='cert_cache.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o cert_cache.lo `test -f 'credentials/sets/cert_cache.c' || echo '$(srcdir)/'`credentials/sets/cert_cache.c + +auth_cfg.lo: credentials/auth_cfg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT auth_cfg.lo -MD -MP -MF $(DEPDIR)/auth_cfg.Tpo -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/auth_cfg.Tpo $(DEPDIR)/auth_cfg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/auth_cfg.c' object='auth_cfg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o auth_cfg.lo `test -f 'credentials/auth_cfg.c' || echo '$(srcdir)/'`credentials/auth_cfg.c + database_factory.lo: database/database_factory.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT database_factory.lo -MD -MP -MF $(DEPDIR)/database_factory.Tpo -c -o database_factory.lo `test -f 'database/database_factory.c' || echo '$(srcdir)/'`database/database_factory.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/database_factory.Tpo $(DEPDIR)/database_factory.Plo @@ -1005,7 +1068,7 @@ clean-libtool: # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. $(RECURSIVE_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ @@ -1030,7 +1093,7 @@ $(RECURSIVE_TARGETS): fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): - @failcom='exit 1'; \ + @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c index 6264bdc54..6f549d42d 100644 --- a/src/libstrongswan/asn1/asn1.c +++ b/src/libstrongswan/asn1/asn1.c @@ -497,8 +497,14 @@ int asn1_parse_algorithmIdentifier(chunk_t blob, int level0, chunk_t *parameters bool is_asn1(chunk_t blob) { u_int len; - u_char tag = *blob.ptr; + u_char tag; + if (!blob.len || !blob.ptr) + { + return FALSE; + } + + tag = *blob.ptr; if (tag != ASN1_SEQUENCE && tag != ASN1_SET && tag != ASN1_OCTET_STRING) { DBG2(DBG_LIB, " file content is not binary ASN.1"); diff --git a/src/libstrongswan/chunk.c b/src/libstrongswan/chunk.c index ef69eb4e7..4d115a816 100644 --- a/src/libstrongswan/chunk.c +++ b/src/libstrongswan/chunk.c 
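Review bot: The new guard in is_asn1 admits a chunk of exactly one byte, so whatever decodes the length header after the tag check (outside this hunk) must itself tolerate a truncated header; presumably it does, but that is worth confirming since this guard is now the only input check at the top of the function. A short comment would make the intent of the guard explicit for the next reader, e.g. `/* an empty or NULL chunk is not ASN.1; check before reading the tag byte */`. Unlike the tag mismatch directly below, the rejected empty input is not logged; if the existing DBG2 is meant to explain every FALSE return, a matching `DBG2(DBG_LIB, "  empty file is not ASN.1");` in the new branch would keep that consistent. The body of is_asn1 continues past the end of the hunk.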
@@ -434,6 +434,69 @@ chunk_t chunk_from_base64(chunk_t base64, char *buf) return chunk_create(buf, outlen); } +/** base 32 conversion digits */ +static char b32digits[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; + +/** + * Described in header. + */ +chunk_t chunk_to_base32(chunk_t chunk, char *buf) +{ + int i, len; + char *pos; + + len = chunk.len + ((5 - chunk.len % 5) % 5); + if (!buf) + { + buf = malloc(len * 8 / 5 + 1); + } + pos = buf; + for (i = 0; i < len; i+=5) + { + *pos++ = b32digits[chunk.ptr[i] >> 3]; + if (i+1 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i] & 0x07) << 2]; + memset(pos, '=', 6); + pos += 6; + break; + } + *pos++ = b32digits[((chunk.ptr[i] & 0x07) << 2) | + (chunk.ptr[i+1] >> 6)]; + *pos++ = b32digits[(chunk.ptr[i+1] & 0x3E) >> 1]; + if (i+2 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i+1] & 0x01) << 4]; + memset(pos, '=', 4); + pos += 4; + break; + } + *pos++ = b32digits[((chunk.ptr[i+1] & 0x01) << 4) | + (chunk.ptr[i+2] >> 4)]; + if (i+3 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i+2] & 0x0F) << 1]; + memset(pos, '=', 3); + pos += 3; + break; + } + *pos++ = b32digits[((chunk.ptr[i+2] & 0x0F) << 1) | + (chunk.ptr[i+3] >> 7)]; + *pos++ = b32digits[(chunk.ptr[i+3] & 0x7F) >> 2]; + if (i+4 >= chunk.len) + { + *pos++ = b32digits[(chunk.ptr[i+3] & 0x03) << 3]; + *pos++ = '='; + break; + } + *pos++ = b32digits[((chunk.ptr[i+3] & 0x03) << 3) | + (chunk.ptr[i+4] >> 5)]; + *pos++ = b32digits[chunk.ptr[i+4] & 0x1F]; + } + *pos = '\0'; + return chunk_create(buf, len * 8 / 5); +} + /** * Described in header. */ diff --git a/src/libstrongswan/chunk.h b/src/libstrongswan/chunk.h index f0f9a7366..5441ccf3c 100644 --- a/src/libstrongswan/chunk.h +++ b/src/libstrongswan/chunk.h 
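Review bot: The buffer size promised to callers in the chunk.h hunk (`chunk.len * 8 / 5 + 1` bytes) does not match what chunk_to_base32 writes: the function rounds chunk.len up to a multiple of five (`len`) and always emits `len * 8 / 5` digits plus the terminator, so for a 1-byte chunk it writes 9 bytes where the header allows 2, and a caller that sizes `buf` as documented overflows it for every length that is not a multiple of five. The malloc path is consistent with the code (`len * 8 / 5 + 1`), so the fix is to make the contract match the implementation, e.g. in the header `If buf is supplied, it must hold ((chunk.len + 4) / 5 * 8 + 1) bytes`, and to state that the returned chunk's length includes the `=` padding. Separately, `i` and `len` are `int` while they are compared with and derived from the `size_t` chunk.len; declaring both as `size_t` avoids the signed/unsigned comparisons in `i+1 >= chunk.len` and the `int` overflow of `len * 8 / 5` for large inputs. The whole function lies inside this hunk.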
@@ -147,6 +147,18 @@ chunk_t chunk_to_base64(chunk_t chunk, char *buf); */ chunk_t chunk_from_base64(chunk_t base64, char *buf); +/** + * Convert a chunk of data to its base32 encoding. + * + * The resulting string is '\\0' terminated, but the chunk does not include + * the '\\0'. If buf is supplied, it must hold (chunk.len * 8 / 5 + 1) bytes. + * + * @param chunk data to convert + * @param buf buffer to write to, NULL to malloc + * @return chunk of encoded data + */ +chunk_t chunk_to_base32(chunk_t chunk, char *buf); + /** * Free contents of a chunk */ diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c new file mode 100644 index 000000000..2573d0327 --- /dev/null +++ b/src/libstrongswan/credentials/auth_cfg.c 
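Review bot: The new doc comment does not say who owns the returned buffer when `buf` is NULL: the implementation in chunk.c mallocs it and returns it as the chunk's ptr, so the caller has to free it, and nothing here tells them. Suggest extending the `@return` line to `@return chunk of encoded data; ptr was malloc()ed and must be freed by the caller if buf was NULL`, mirroring whatever wording chunk_to_base64 uses for the same convention.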
@@ -0,0 +1,830 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "auth_cfg.h" + +#include +#include +#include +#include +#include + +ENUM(auth_class_names, AUTH_CLASS_ANY, AUTH_CLASS_EAP, + "any", + "public key", + "pre-shared key", + "EAP", +); + +ENUM_BEGIN(eap_type_names, EAP_IDENTITY, EAP_GTC, + "EAP_IDENTITY", + "EAP_NOTIFICATION", + "EAP_NAK", + "EAP_MD5", + "EAP_OTP", + "EAP_GTC"); +ENUM_NEXT(eap_type_names, EAP_SIM, EAP_SIM, EAP_GTC, + "EAP_SIM"); +ENUM_NEXT(eap_type_names, EAP_AKA, EAP_AKA, EAP_SIM, + "EAP_AKA"); +ENUM_NEXT(eap_type_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, + "EAP_MSCHAPV2"); +ENUM_NEXT(eap_type_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, + "EAP_RADIUS", + "EAP_EXPANDED", + "EAP_EXPERIMENTAL"); +ENUM_END(eap_type_names, EAP_EXPERIMENTAL); + +ENUM_BEGIN(eap_type_short_names, EAP_IDENTITY, EAP_GTC, + "ID", + "NTF", + "NAK", + "MD5", + "OTP", + "GTC"); +ENUM_NEXT(eap_type_short_names, EAP_SIM, EAP_SIM, EAP_GTC, + "SIM"); +ENUM_NEXT(eap_type_short_names, EAP_AKA, EAP_AKA, EAP_SIM, + "AKA"); +ENUM_NEXT(eap_type_short_names, EAP_MSCHAPV2, EAP_MSCHAPV2, EAP_AKA, + "MSCHAPV2"); +ENUM_NEXT(eap_type_short_names, EAP_RADIUS, EAP_EXPERIMENTAL, EAP_MSCHAPV2, + "RAD", + "EXP", + "XP"); +ENUM_END(eap_type_short_names, EAP_EXPERIMENTAL); + +ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_SUBJECT_HASH_URL, + "RULE_IDENTITY", + 
"RULE_AUTH_CLASS", + "RULE_EAP_IDENTITY", + "RULE_EAP_TYPE", + "RULE_EAP_VENDOR", + "RULE_CA_CERT", + "RULE_IM_CERT", + "RULE_SUBJECT_CERT", + "RULE_CRL_VALIDATION", + "RULE_OCSP_VALIDATION", + "RULE_GROUP", + "HELPER_IM_CERT", + "HELPER_SUBJECT_CERT", + "HELPER_IM_HASH_URL", + "HELPER_SUBJECT_HASH_URL", +); + +typedef struct private_auth_cfg_t private_auth_cfg_t; + +/** + * private data of item_set + */ +struct private_auth_cfg_t { + + /** + * public functions + */ + auth_cfg_t public; + + /** + * list of entry_t + */ + linked_list_t *entries; +}; + +typedef struct entry_t entry_t; + +struct entry_t { + /** rule type */ + auth_rule_t type; + /** associated value */ + void *value; +}; + +/** + * enumerator for auth_cfg_t.create_enumerator() + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** inner enumerator from linked_list_t */ + enumerator_t *inner; + /** current entry */ + entry_t *current; +} entry_enumerator_t; + +/** + * enumerate function for item_enumerator_t + */ +static bool enumerate(entry_enumerator_t *this, auth_rule_t *type, void **value) +{ + entry_t *entry; + + if (this->inner->enumerate(this->inner, &entry)) + { + this->current = entry; + *type = entry->type; + *value = entry->value; + return TRUE; + } + return FALSE; +} + +/** + * destroy function for item_enumerator_t + */ +static void entry_enumerator_destroy(entry_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + +/** + * Implementation of auth_cfg_t.create_enumerator. 
+ */ +static enumerator_t* create_enumerator(private_auth_cfg_t *this) +{ + entry_enumerator_t *enumerator; + + enumerator = malloc_thing(entry_enumerator_t); + enumerator->inner = this->entries->create_enumerator(this->entries); + enumerator->public.enumerate = (void*)enumerate; + enumerator->public.destroy = (void*)entry_enumerator_destroy; + enumerator->current = NULL; + return &enumerator->public; +} + +/** + * Destroy the value associated with an entry + */ +static void destroy_entry_value(entry_t *entry) +{ + switch (entry->type) + { + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + { + identification_t *id = (identification_t*)entry->value; + id->destroy(id); + break; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)entry->value; + cert->destroy(cert); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + free(entry->value); + break; + } + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + break; + } +} + +/** + * Implementation of auth_cfg_t.replace. + */ +static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator, + auth_rule_t type, ...) 
+{ + if (enumerator->current) + { + va_list args; + + va_start(args, type); + + destroy_entry_value(enumerator->current); + enumerator->current->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + /* integer type */ + enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* pointer type */ + enumerator->current->value = va_arg(args, void*); + break; + } + va_end(args); + } +} + +/** + * Implementation of auth_cfg_t.get. + */ +static void* get(private_auth_cfg_t *this, auth_rule_t type) +{ + enumerator_t *enumerator; + void *current_value, *best_value = NULL; + auth_rule_t current_type; + bool found = FALSE; + + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, ¤t_type, ¤t_value)) + { + if (type == current_type) + { + if (type == AUTH_RULE_CRL_VALIDATION || + type == AUTH_RULE_OCSP_VALIDATION) + { /* for CRL/OCSP validation, always get() the highest value */ + if (!found || current_value > best_value) + { + best_value = current_value; + } + found = TRUE; + continue; + } + best_value = current_value; + found = TRUE; + break; + } + } + enumerator->destroy(enumerator); + if (found) + { + return best_value; + } + switch (type) + { + /* use some sane defaults if we don't find an entry */ + case AUTH_RULE_AUTH_CLASS: + return (void*)AUTH_CLASS_ANY; + case AUTH_RULE_EAP_TYPE: + return (void*)EAP_NAK; + case AUTH_RULE_EAP_VENDOR: + return (void*)0; + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + return (void*)VALIDATION_FAILED; + case AUTH_RULE_IDENTITY: + case 
AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + default: + return NULL; + } +} + +/** + * Implementation of auth_cfg_t.add. + */ +static void add(private_auth_cfg_t *this, auth_rule_t type, ...) +{ + entry_t *entry = malloc_thing(entry_t); + va_list args; + + va_start(args, type); + entry->type = type; + switch (type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + /* integer type */ + entry->value = (void*)(uintptr_t)va_arg(args, u_int); + break; + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* pointer type */ + entry->value = va_arg(args, void*); + break; + } + va_end(args); + this->entries->insert_last(this->entries, entry); +} + +/** + * Implementation of auth_cfg_t.complies. 
+ */ +static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints, + bool log_error) +{ + enumerator_t *e1, *e2; + bool success = TRUE, has_group = FALSE, group_match = FALSE; + auth_rule_t t1, t2; + void *value; + + e1 = constraints->create_enumerator(constraints); + while (e1->enumerate(e1, &t1, &value)) + { + switch (t1) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)value; + + success = FALSE; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &c2)) + { + if ((t2 == AUTH_RULE_CA_CERT || t2 == AUTH_RULE_IM_CERT) && + c1->equals(c1, c2)) + { + success = TRUE; + } + } + e2->destroy(e2); + if (!success && log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated by CA '%Y'.", c1->get_subject(c1)); + } + break; + } + case AUTH_RULE_SUBJECT_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)value; + c2 = get(this, AUTH_RULE_SUBJECT_CERT); + if (!c2 || !c1->equals(c1, c2)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: peer not " + "authenticated with peer cert '%Y'.", + c1->get_subject(c1)); + } + } + break; + } + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + { + cert_validation_t validated, required; + + required = (uintptr_t)value; + validated = (uintptr_t)get(this, t1); + switch (required) + { + case VALIDATION_FAILED: + /* no constraint */ + break; + case VALIDATION_SKIPPED: + if (validated == VALIDATION_SKIPPED) + { + break; + } + /* FALL */ + case VALIDATION_GOOD: + if (validated == VALIDATION_GOOD) + { + break; + } + /* FALL */ + default: + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %N is %N, " + "but requires at least %N", auth_rule_names, + t1, cert_validation_names, validated, + cert_validation_names, required); + } + break; + } + break; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + { + identification_t *id1, *id2; + + 
id1 = (identification_t*)value; + id2 = get(this, t1); + if (!id2 || !id2->matches(id2, id1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: %sidentity '%Y'" + " required ", t1 == AUTH_RULE_IDENTITY ? "" : + "EAP ", id1); + } + } + break; + } + case AUTH_RULE_AUTH_CLASS: + { + if ((uintptr_t)value != AUTH_CLASS_ANY && + (uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %N authentication, " + "but %N was used", auth_class_names, (uintptr_t)value, + auth_class_names, (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_EAP_TYPE: + { + if ((uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires %N, " + "but %N was used", eap_type_names, (uintptr_t)value, + eap_type_names, (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_EAP_VENDOR: + { + if ((uintptr_t)value != (uintptr_t)get(this, t1)) + { + success = FALSE; + if (log_error) + { + DBG1(DBG_CFG, "constraint requires EAP vendor %d, " + "but %d was used", (uintptr_t)value, + (uintptr_t)get(this, t1)); + } + } + break; + } + case AUTH_RULE_GROUP: + { + identification_t *id1, *id2; + + /* for groups, a match of a single group is sufficient */ + has_group = TRUE; + id1 = (identification_t*)value; + e2 = create_enumerator(this); + while (e2->enumerate(e2, &t2, &id2)) + { + if (t2 == AUTH_RULE_GROUP && id2->matches(id2, id1)) + { + group_match = TRUE; + } + } + e2->destroy(e2); + break; + } + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + /* skip helpers */ + continue; + } + if (!success) + { + break; + } + } + e1->destroy(e1); + + if (has_group && !group_match) + { + if (log_error) + { + DBG1(DBG_CFG, "constraint check failed: group membership required"); + } + return FALSE; + } + return success; +} + +/** + * Implementation of 
auth_cfg_t.merge. + */ +static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy) +{ + if (!other) + { /* nothing to merge */ + return; + } + if (copy) + { + enumerator_t *enumerator; + auth_rule_t type; + void *value; + + enumerator = create_enumerator(other); + while (enumerator->enumerate(enumerator, &type, &value)) + { + switch (type) + { + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)value; + + add(this, type, cert->get_ref(cert)); + break; + } + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + { + add(this, type, (uintptr_t)value); + break; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + { + identification_t *id = (identification_t*)value; + + add(this, type, id->clone(id)); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + add(this, type, strdup((char*)value)); + break; + } + } + } + enumerator->destroy(enumerator); + } + else + { + entry_t *entry; + + while (other->entries->remove_first(other->entries, + (void**)&entry) == SUCCESS) + { + this->entries->insert_last(this->entries, entry); + } + } +} + +/** + * Implementation of auth_cfg_t.equals. 
+ */ +static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other) +{ + enumerator_t *e1, *e2; + entry_t *i1, *i2; + bool equal = TRUE, found; + + if (this->entries->get_count(this->entries) != + other->entries->get_count(other->entries)) + { + return FALSE; + } + e1 = this->entries->create_enumerator(this->entries); + while (e1->enumerate(e1, &i1)) + { + found = FALSE; + e2 = other->entries->create_enumerator(other->entries); + while (e2->enumerate(e2, &i2)) + { + if (i1->type == i2->type) + { + switch (i1->type) + { + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + { + if (i1->value == i2->value) + { + found = TRUE; + break; + } + continue; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *c1, *c2; + + c1 = (certificate_t*)i1->value; + c2 = (certificate_t*)i2->value; + + if (c1->equals(c1, c2)) + { + found = TRUE; + break; + } + continue; + } + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + { + identification_t *id1, *id2; + + id1 = (identification_t*)i1->value; + id2 = (identification_t*)i2->value; + + if (id1->equals(id1, id2)) + { + found = TRUE; + break; + } + continue; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + if (streq(i1->value, i2->value)) + { + found = TRUE; + break; + } + continue; + } + } + break; + } + } + e2->destroy(e2); + if (!found) + { + equal = FALSE; + break; + } + } + e1->destroy(e1); + return equal; +} + +/** + * Implementation of auth_cfg_t.purge + */ +static void purge(private_auth_cfg_t *this, bool keep_ca) +{ + entry_t *entry; + linked_list_t *cas; + + cas = linked_list_create(); + while (this->entries->remove_last(this->entries, (void**)&entry) == SUCCESS) + { + if (keep_ca && entry->type == AUTH_RULE_CA_CERT) + { + 
cas->insert_first(cas, entry); + } + else + { + destroy_entry_value(entry); + free(entry); + } + } + while (cas->remove_last(cas, (void**)&entry) == SUCCESS) + { + this->entries->insert_first(this->entries, entry); + } + cas->destroy(cas); +} + +/** + * Implementation of auth_cfg_t.clone + */ +static auth_cfg_t* clone_(private_auth_cfg_t *this) +{ + enumerator_t *enumerator; + auth_cfg_t *clone; + entry_t *entry; + + clone = auth_cfg_create(); + enumerator = this->entries->create_enumerator(this->entries); + while (enumerator->enumerate(enumerator, &entry)) + { + switch (entry->type) + { + case AUTH_RULE_IDENTITY: + case AUTH_RULE_EAP_IDENTITY: + case AUTH_RULE_GROUP: + { + identification_t *id = (identification_t*)entry->value; + clone->add(clone, entry->type, id->clone(id)); + break; + } + case AUTH_RULE_CA_CERT: + case AUTH_RULE_IM_CERT: + case AUTH_RULE_SUBJECT_CERT: + case AUTH_HELPER_IM_CERT: + case AUTH_HELPER_SUBJECT_CERT: + { + certificate_t *cert = (certificate_t*)entry->value; + clone->add(clone, entry->type, cert->get_ref(cert)); + break; + } + case AUTH_HELPER_IM_HASH_URL: + case AUTH_HELPER_SUBJECT_HASH_URL: + { + clone->add(clone, entry->type, strdup(entry->value)); + break; + } + case AUTH_RULE_AUTH_CLASS: + case AUTH_RULE_EAP_TYPE: + case AUTH_RULE_EAP_VENDOR: + case AUTH_RULE_CRL_VALIDATION: + case AUTH_RULE_OCSP_VALIDATION: + clone->add(clone, entry->type, (uintptr_t)entry->value); + break; + } + } + enumerator->destroy(enumerator); + return clone; +} + +/** + * Implementation of auth_cfg_t.destroy + */ +static void destroy(private_auth_cfg_t *this) +{ + purge(this, FALSE); + this->entries->destroy(this->entries); + free(this); +} + +/* + * see header file + */ +auth_cfg_t *auth_cfg_create() +{ + private_auth_cfg_t *this = malloc_thing(private_auth_cfg_t); + + this->public.add = (void(*)(auth_cfg_t*, auth_rule_t type, ...))add; + this->public.get = (void*(*)(auth_cfg_t*, auth_rule_t type))get; + this->public.create_enumerator = 
(enumerator_t*(*)(auth_cfg_t*))create_enumerator; + this->public.replace = (void(*)(auth_cfg_t*,enumerator_t*,auth_rule_t,...))replace; + this->public.complies = (bool(*)(auth_cfg_t*, auth_cfg_t *,bool))complies; + this->public.merge = (void(*)(auth_cfg_t*, auth_cfg_t *other,bool))merge; + this->public.purge = (void(*)(auth_cfg_t*,bool))purge; + this->public.equals = (bool(*)(auth_cfg_t*, auth_cfg_t *other))equals; + this->public.clone = (auth_cfg_t*(*)(auth_cfg_t*))clone_; + this->public.destroy = (void(*)(auth_cfg_t*))destroy; + + this->entries = linked_list_create(); + + return &this->public; +} diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h new file mode 100644 index 000000000..713e16372 --- /dev/null +++ b/src/libstrongswan/credentials/auth_cfg.h 
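Review bot: add() and replace() read the integer-valued rules with `va_arg(args, u_int)`, but merge() (the `add(this, type, (uintptr_t)value);` line) and clone_() (`clone->add(clone, entry->type, (uintptr_t)entry->value);`) pass them as `uintptr_t`, so the type retrieved does not match the type passed; that is undefined behaviour per C11 7.16.1.1 and a real width mismatch on LP64 where uintptr_t is 64 bits and u_int is 32. Either cast at the two call sites, `add(this, type, (u_int)(uintptr_t)value);`, or read `uintptr_t` in both add() and replace(). In the same spirit, the EAP-vendor message in complies() passes `(uintptr_t)` values to `%d`; `%u` with a `(u_int)` cast would match the argument. get() also orders the CRL/OCSP results with `current_value > best_value` on two `void*` that merely hold integers; comparing `(uintptr_t)current_value > (uintptr_t)best_value` states the intent and avoids a relational comparison of unrelated pointers.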
@@ -0,0 +1,255 @@ +/* + * Copyright (C) 2007-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup auth_cfg auth_cfg + * @{ @ingroup credentials + */ + +#ifndef AUTH_CFG_H_ +#define AUTH_CFG_H_ + +#include + +typedef struct auth_cfg_t auth_cfg_t; +typedef enum auth_rule_t auth_rule_t; +typedef enum auth_class_t auth_class_t; +typedef enum eap_type_t eap_type_t; + +/** + * Class of authentication to use. This is different to auth_method_t in that + * it does not specify a method, but a class of acceptable methods. The found + * certificate finally dictates wich method is used. + */ +enum auth_class_t { + /** any class acceptable */ + AUTH_CLASS_ANY = 0, + /** authentication using public keys (RSA, ECDSA) */ + AUTH_CLASS_PUBKEY = 1, + /** authentication using a pre-shared secrets */ + AUTH_CLASS_PSK = 2, + /** authentication using EAP */ + AUTH_CLASS_EAP = 3, +}; + +/** + * enum strings for auth_class_t + */ +extern enum_name_t *auth_class_names; + +/** + * EAP types, defines the EAP method implementation + */ +enum eap_type_t { + EAP_IDENTITY = 1, + EAP_NOTIFICATION = 2, + EAP_NAK = 3, + EAP_MD5 = 4, + EAP_OTP = 5, + EAP_GTC = 6, + EAP_SIM = 18, + EAP_AKA = 23, + EAP_MSCHAPV2 = 26, + /** not a method, but an implementation providing different methods */ + EAP_RADIUS = 253, + EAP_EXPANDED = 254, + EAP_EXPERIMENTAL = 255, +}; + +/** + * enum names for eap_type_t. 
+ */ +extern enum_name_t *eap_type_names; + +/** + * short string enum names for eap_type_t. + */ +extern enum_name_t *eap_type_short_names; + +/** + * Authentication config to use during authentication process. + * + * Each authentication config contains a set of rules. These rule-sets are used + * in two ways: + * - For configs specifying local authentication behavior, the rules define + * which authentication method in which way. + * - For configs specifying remote peer authentication, the rules define + * constraints the peer has to fullfill. + * + * Additionally to the rules, there is a set of helper items. These are used + * to transport credentials during the authentication process. + */ +enum auth_rule_t { + + /** identity to use for IKEv2 authentication exchange, identification_t* */ + AUTH_RULE_IDENTITY, + /** authentication class, auth_class_t */ + AUTH_RULE_AUTH_CLASS, + /** EAP identity to use within EAP-Identity exchange, identification_t* */ + AUTH_RULE_EAP_IDENTITY, + /** EAP type to propose for peer authentication, eap_type_t */ + AUTH_RULE_EAP_TYPE, + /** EAP vendor for vendor specific type, u_int32_t */ + AUTH_RULE_EAP_VENDOR, + /** certificate authority, certificate_t* */ + AUTH_RULE_CA_CERT, + /** intermediate certificate in trustchain, certificate_t* */ + AUTH_RULE_IM_CERT, + /** subject certificate, certificate_t* */ + AUTH_RULE_SUBJECT_CERT, + /** result of a CRL validation, cert_validation_t */ + AUTH_RULE_CRL_VALIDATION, + /** result of a OCSP validation, cert_validation_t */ + AUTH_RULE_OCSP_VALIDATION, + /** subject is member of a group, identification_t* + * The group membership constraint is fulfilled if the subject is member of + * one group defined in the constraints. 
*/ + AUTH_RULE_GROUP, + + /** intermediate certificate, certificate_t* */ + AUTH_HELPER_IM_CERT, + /** subject certificate, certificate_t* */ + AUTH_HELPER_SUBJECT_CERT, + /** Hash and URL of a intermediate certificate, char* */ + AUTH_HELPER_IM_HASH_URL, + /** Hash and URL of a end-entity certificate, char* */ + AUTH_HELPER_SUBJECT_HASH_URL, +}; + +/** + * enum name for auth_rule_t. + */ +extern enum_name_t *auth_rule_names; + +/** + * Authentication/Authorization round. + * + * RFC4739 defines multiple authentication rounds. This class defines such + * a round from a configuration perspective, either for the local or the remote + * peer. Local config are called "rulesets", as they define how we authenticate. + * Remote peer configs are called "constraits", they define what is needed to + * complete the authentication round successfully. + * + * @verbatim + + [Repeat for each configuration] + +--------------------------------------------------+ + | | + | | + | +----------+ IKE_AUTH +--------- + | + | | config | -----------> | | | + | | ruleset | | | | + | +----------+ [ <----------- ] | | | + | [ optional EAP ] | Peer | | + | +----------+ [ -----------> ] | | | + | | config | | | | + | | constr. | <----------- | | | + | +----------+ IKE_AUTH +--------- + | + | | + | | + +--------------------------------------------------+ + + @endverbatim + * + * Values for each items are either pointers (casted to void*) or short + * integers (use uintptr_t cast). + */ +struct auth_cfg_t { + + /** + * Add an rule to the set. + * + * @param rule rule type + * @param ... associated value to rule + */ + void (*add)(auth_cfg_t *this, auth_rule_t rule, ...); + + /** + * Get an rule value. + * + * @param rule rule type + * @return bool if item has been found + */ + void* (*get)(auth_cfg_t *this, auth_rule_t rule); + + /** + * Create an enumerator over added rules. 
+ * + * @return enumerator over (auth_rule_t, union{void*,uintpr_t}) + */ + enumerator_t* (*create_enumerator)(auth_cfg_t *this); + + /** + * Replace an rule at enumerator position. + * + * @param pos enumerator position position + * @param rule rule type + * @param ... associated value to rule + */ + void (*replace)(auth_cfg_t *this, enumerator_t *pos, + auth_rule_t rule, ...); + + /** + * Check if a used config fulfills a set of configured constraints. + * + * @param constraints required authorization rules + * @param log_error wheter to log compliance errors + * @return TRUE if this complies with constraints + */ + bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error); + + /** + * Merge items from other into this. + * + * @param other items to read for merge + * @param copy TRUE to copy items, FALSE to move them + */ + void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy); + + /** + * Purge all rules in a config. + * + * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries + */ + void (*purge)(auth_cfg_t *this, bool keep_ca); + + /** + * Check two configs for equality. + * + * @param other other config to compaire against this + * @return TRUE if auth infos identical + */ + bool (*equals)(auth_cfg_t *this, auth_cfg_t *other); + + /** + * Clone a authentication config, including all rules. + * + * @return cloned configuration + */ + auth_cfg_t* (*clone)(auth_cfg_t *this); + + /** + * Destroy a config with all associated rules/values. + */ + void (*destroy)(auth_cfg_t *this); +}; + +/** + * Create a authentication config. + */ +auth_cfg_t *auth_cfg_create(); + +#endif /** AUTH_CFG_H_ @}*/ diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c index 8be1c1576..cfb708e33 100644 --- a/src/libstrongswan/credentials/builder.c +++ b/src/libstrongswan/credentials/builder.c 
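Review bot: The documentation of `get` in struct auth_cfg_t says `@return bool if item has been found`, but the member is declared `void* (*get)(auth_cfg_t *this, auth_rule_t rule);` and hands back the rule's value, so the comment describes a return type the function does not have. Rewording it to `@return value associated to the rule, NULL if not found` matches the signature, assuming the implementation returns NULL for an absent rule (get() in auth_cfg.c is not in this hunk; confirm there). A smaller point: `auth_cfg_t *auth_cfg_create();` is an empty-parenthesis declaration, not a prototype, so calls with stray arguments compile silently; `auth_cfg_t *auth_cfg_create(void);` lets the compiler reject them.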
@@ -44,6 +44,7 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 "BUILD_OCSP_ACCESS_LOCATIONS",
 "BUILD_PATHLEN",
 "BUILD_X509_FLAG",
+ "BUILD_REVOKED_ENUMERATOR",
 "BUILD_SMARTCARD_KEYID",
 "BUILD_SMARTCARD_PIN",
 "BUILD_RSA_MODULUS",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index 62a6ffaaf..ffb09f72a 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
@@ -101,6 +101,8 @@ enum builder_part_t {
 BUILD_PATHLEN,
 /** enforce an additional X509 flag, x509_flag_t */
 BUILD_X509_FLAG,
+ /** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
+ BUILD_REVOKED_ENUMERATOR,
 /** key ID of a key on a smartcard, null terminated char* ([slot:]keyid) */
 BUILD_SMARTCARD_KEYID,
 /** pin to access a key on a smartcard, null terminated char* */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
new file mode 100644
index 000000000..1e67c23ab
--- /dev/null
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cert_validator cert_validator
+ * @{ @ingroup credentials
+ */
+
+#ifndef CERT_VALIDATOR_H_
+#define CERT_VALIDATOR_H_
+
+typedef struct cert_validator_t cert_validator_t;
+
+#include 
+
+/**
+ * Certificate validator interface.
+ *
+ * A certificate validator checks constraints or revocation in a certificate
+ * or its issuing CA certificate. The interface allows plugins to do
+ * revocation checking or similar tasks.
+ */
+struct cert_validator_t {
+
+ /**
+ * Validate a subject certificate in relation to its issuer.
+ *
+ * @param subject subject certificate to check
+ * @param issuer issuer of subject
+ * @param online wheter to do online revocation checking
+ * @param pathlen the current length of the path up to the root CA
+ * @param auth container for resulting authentication info
+ */
+ bool (*validate)(cert_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, bool online, int pathlen,
+ auth_cfg_t *auth);
+};
+
+#endif /** CERT_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 156d12358..661b69e36 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
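Review bot: The `validate` member of cert_validator_t documents every parameter but not its return value, and the bool is the part an implementer most needs to get right: whether FALSE means the trust chain must be rejected or only that this validator had nothing to contribute. Add a `@return` line, e.g. `@return TRUE if subject is acceptable, FALSE to reject the trust chain`, worded to match how the credential manager consumes the result (that caller is not in this hunk, so check it before committing to the wording).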
@@ -15,6 +15,7 @@ #include "certificate.h" +#include #include ENUM(certificate_type_names, CERT_ANY, CERT_PLUTO_CRL, @@ -40,3 +41,24 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, "REVOKED", ); +/** + * See header + */ +bool certificate_is_newer(certificate_t *this, certificate_t *other) +{ + time_t this_update, that_update; + char *type = "certificate"; + bool newer; + + if (this->get_type(this) == CERT_X509_CRL) + { + type = "crl"; + } + this->get_validity(this, NULL, &this_update, NULL); + other->get_validity(other, NULL, &that_update, NULL); + newer = this_update > that_update; + DBG1(DBG_LIB, " %s from %T is %s - existing %s from %T %s", + type, &this_update, FALSE, newer ? "newer" : "not newer", + type, &that_update, FALSE, newer ? "replaced" : "retained"); + return newer; +} diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index a4f9aa3e0..43bfe3dc1 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -28,6 +28,7 @@ typedef enum cert_validation_t cert_validation_t; #include #include #include +#include /** * Kind of a certificate_t @@ -163,18 +164,14 @@ struct certificate_t { time_t *not_before, time_t *not_after); /** - * Is this newer than that? + * Get the certificate in an encoded form as a chunk. * - * @return TRUE if newer, FALSE otherwise + * @param type type of the encoding, one of CERT_* + * @param encoding encoding of the key, allocated + * @return TRUE if encoding supported */ - bool (*is_newer)(certificate_t *this, certificate_t *that); - - /** - * Get the certificate in an encoded form. - * - * @return allocated chunk of encoded cert - */ - chunk_t (*get_encoding)(certificate_t *this); + bool (*get_encoding)(certificate_t *this, cred_encoding_type_t type, + chunk_t *encoding); /** * Check if two certificates are equal. 
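Review bot: In certificate_is_newer(), `this_update` and `that_update` are declared without initializers and the value each `get_validity()` call returns is discarded, so if an implementation reports failure without storing through `not_before`, the comparison `this_update > that_update` reads indeterminate time_t values and the replace-or-retain decision for a CRL or certificate becomes arbitrary. Initializing the locals, `time_t this_update = 0, that_update = 0;`, makes that path deterministic (an unfilled value then compares as oldest and the existing entry is retained). Whether every get_validity() implementation always stores both timestamps is not visible in this hunk, so confirm that before treating the initializer as cosmetic.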
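Review bot: The new doc comment for `get_encoding` in struct certificate_t says `@param encoding encoding of the key, allocated`, which reads as copied from the key interfaces; here it is the certificate that gets encoded. Change it to `@param encoding encoding of the certificate, allocated`, and since `@return TRUE if encoding supported` leaves the failure case implicit, state that `encoding` is left untouched when FALSE is returned, if that is what the implementations guarantee (they are not in this hunk).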
@@ -197,4 +194,13 @@ struct certificate_t { void (*destroy)(certificate_t *this); }; +/** + * Generic check if a given certificate is newer than another. + * + * @param this first certificate to check + * @param other second certificate + * @return TRUE if this newer than other + */ +bool certificate_is_newer(certificate_t *this, certificate_t *other); + #endif /** CERTIFICATE_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.c b/src/libstrongswan/credentials/certificates/crl.c index 085ad16cc..69bd80b84 100644 --- a/src/libstrongswan/credentials/certificates/crl.c +++ b/src/libstrongswan/credentials/certificates/crl.c @@ -16,6 +16,8 @@ #include "crl.h" +#include + ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL, "unspecified", "key compromise", @@ -27,3 +29,29 @@ ENUM(crl_reason_names, CRL_REASON_UNSPECIFIED, CRL_REASON_REMOVE_FROM_CRL, "reason #7", "remove from crl", ); + +/** + * Check if this CRL is newer + */ +bool crl_is_newer(crl_t *this, crl_t *other) +{ + chunk_t this_num, other_num; + bool newer; + + this_num = this->get_serial(this); + other_num = other->get_serial(other); + + /* compare crlNumbers if available - otherwise use generic cert compare */ + if (this_num.ptr != NULL && other_num.ptr != NULL) + { + newer = chunk_compare(this_num, other_num) > 0; + DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s", + &this_num, newer ? "newer" : "not newer", + &other_num, newer ? "replaced" : "retained"); + } + else + { + newer = certificate_is_newer(&this->certificate, &other->certificate); + } + return newer; +} diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 4b612390c..9425311fb 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h 
@@ -80,7 +80,15 @@ struct crl_t { * @return enumerator over revoked certificates. */ enumerator_t* (*create_enumerator)(crl_t *this); - }; +/** + * Generic check if a given CRL is newer than another. + * + * @param this first CRL to check + * @param other second CRL + * @return TRUE if this newer than other + */ +bool crl_is_newer(crl_t *this, crl_t *other); + #endif /** CRL_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 172bd9696..6e0a5002a 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -25,7 +25,6 @@ #include #define X509_NO_PATH_LEN_CONSTRAINT -1 -#define X509_MAX_PATH_LEN 7 typedef struct x509_t x509_t; typedef enum x509_flag_t x509_flag_t; diff --git a/src/libstrongswan/credentials/cred_encoding.c b/src/libstrongswan/credentials/cred_encoding.c new file mode 100644 index 000000000..edd76205b --- /dev/null +++ b/src/libstrongswan/credentials/cred_encoding.c 
@@ -0,0 +1,300 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "cred_encoding.h" + +#include + +#include +#include +#include + +typedef struct private_cred_encoding_t private_cred_encoding_t; + +/** + * Private data of an cred_encoding_t object. + */ +struct private_cred_encoding_t { + + /** + * Public cred_encoding_t interface. + */ + cred_encoding_t public; + + /** + * cached encodings, a table for each encoding_type_t, containing chunk_t* + */ + hashtable_t *cache[CRED_ENCODING_MAX]; + + /** + * Registered encoding fuctions, cred_encoder_t + */ + linked_list_t *encoders; + + /** + * lock to access cache/encoders + */ + rwlock_t *lock; +}; + +/** + * See header. + */ +bool cred_encoding_args(va_list args, ...) 
+{ + va_list parts, copy; + bool failed = FALSE; + + va_start(parts, args); + + while (!failed) + { + cred_encoding_part_t current, target; + chunk_t *out, data; + + /* get the part we are looking for */ + target = va_arg(parts, cred_encoding_part_t); + if (target == CRED_PART_END) + { + break; + } + out = va_arg(parts, chunk_t*); + + va_copy(copy, args); + while (!failed) + { + current = va_arg(copy, cred_encoding_part_t); + if (current == CRED_PART_END) + { + failed = TRUE; + break; + } + data = va_arg(copy, chunk_t); + if (current == target) + { + *out = data; + break; + } + } + va_end(copy); + } + va_end(parts); + return !failed; +} + +/** + * hashtable hash() function + */ +static u_int hash(void *key) +{ + return (uintptr_t)key; +} + +/** + * hashtable equals() function + */ +static bool equals(void *key1, void *key2) +{ + return key1 == key2; +} + +/** + * Implementation of cred_encoding_t.get_cache + */ +static bool get_cache(private_cred_encoding_t *this, cred_encoding_type_t type, + void *cache, chunk_t *encoding) +{ + chunk_t *chunk; + + if (type >= CRED_ENCODING_MAX || type < 0) + { + return FALSE; + } + this->lock->read_lock(this->lock); + chunk = this->cache[type]->get(this->cache[type], cache); + if (chunk) + { + *encoding = *chunk; + } + this->lock->unlock(this->lock); + return !!chunk; +} + +/** + * Implementation of cred_encoding_t.encode + */ +static bool encode(private_cred_encoding_t *this, cred_encoding_type_t type, + void *cache, chunk_t *encoding, ...) 
+{ + enumerator_t *enumerator; + va_list args, copy; + cred_encoder_t encode; + bool success = FALSE; + chunk_t *chunk; + + if (type >= CRED_ENCODING_MAX || type < 0) + { + return FALSE; + } + this->lock->read_lock(this->lock); + if (cache) + { + chunk = this->cache[type]->get(this->cache[type], cache); + if (chunk) + { + *encoding = *chunk; + this->lock->unlock(this->lock); + return TRUE; + } + } + va_start(args, encoding); + enumerator = this->encoders->create_enumerator(this->encoders); + while (enumerator->enumerate(enumerator, &encode)) + { + va_copy(copy, args); + success = encode(type, encoding, copy); + va_end(copy); + if (success) + { + break; + } + } + enumerator->destroy(enumerator); + this->lock->unlock(this->lock); + va_end(args); + + if (success && cache) + { + chunk = malloc_thing(chunk_t); + *chunk = *encoding; + this->lock->write_lock(this->lock); + this->cache[type]->put(this->cache[type], cache, chunk); + this->lock->unlock(this->lock); + } + return success; +} + +/** + * Implementation of cred_encoding_t.cache + */ +static void cache(private_cred_encoding_t *this, cred_encoding_type_t type, + void *cache, chunk_t encoding) +{ + chunk_t *chunk; + + if (type >= CRED_ENCODING_MAX || type < 0) + { + return free(encoding.ptr); + } + chunk = malloc_thing(chunk_t); + *chunk = encoding; + this->lock->write_lock(this->lock); + chunk = this->cache[type]->put(this->cache[type], cache, chunk); + this->lock->unlock(this->lock); + /* free an encoding already associated to the cache */ + if (chunk) + { + free(chunk->ptr); + free(chunk); + } +} + +/** + * Implementation of cred_encoding_t.clear_cache + */ +static void clear_cache(private_cred_encoding_t *this, void *cache) +{ + cred_encoding_type_t type; + chunk_t *chunk; + + this->lock->write_lock(this->lock); + for (type = 0; type < CRED_ENCODING_MAX; type++) + { + chunk = this->cache[type]->remove(this->cache[type], cache); + if (chunk) + { + chunk_free(chunk); + free(chunk); + } + } + 
this->lock->unlock(this->lock); +} + +/** + * Implementation of cred_encoding_t.add_encoder + */ +static void add_encoder(private_cred_encoding_t *this, cred_encoder_t encoder) +{ + this->lock->write_lock(this->lock); + this->encoders->insert_last(this->encoders, encoder); + this->lock->unlock(this->lock); +} + +/** + * Implementation of cred_encoding_t.remove_encoder + */ +static void remove_encoder(private_cred_encoding_t *this, cred_encoder_t encoder) +{ + this->lock->write_lock(this->lock); + this->encoders->remove(this->encoders, encoder, NULL); + this->lock->unlock(this->lock); +} + +/** + * Implementation of cred_encoder_t.destroy. + */ +static void destroy(private_cred_encoding_t *this) +{ + cred_encoding_type_t type; + + for (type = 0; type < CRED_ENCODING_MAX; type++) + { + /* We explicitly do not free remaining encodings. All creds should + * have gone now, and they are responsible for cleaning out their + * cache entries. Not flushing here allows the leak detective to + * complain if a credential did not flush cached encodings. 
*/ + this->cache[type]->destroy(this->cache[type]); + } + this->encoders->destroy(this->encoders); + this->lock->destroy(this->lock); + free(this); +} + +/** + * See header + */ +cred_encoding_t *cred_encoding_create() +{ + private_cred_encoding_t *this = malloc_thing(private_cred_encoding_t); + cred_encoding_type_t type; + + this->public.encode = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode; + this->public.get_cache = (bool(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t *encoding))get_cache; + this->public.cache = (void(*)(cred_encoding_t*, cred_encoding_type_t type, void *cache, chunk_t encoding))cache; + this->public.clear_cache = (void(*)(cred_encoding_t*, void *cache))clear_cache; + this->public.add_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))add_encoder; + this->public.remove_encoder = (void(*)(cred_encoding_t*, cred_encoder_t encoder))remove_encoder; + this->public.destroy = (void(*)(cred_encoding_t*))destroy; + + for (type = 0; type < CRED_ENCODING_MAX; type++) + { + this->cache[type] = hashtable_create(hash, equals, 8); + } + this->encoders = linked_list_create(); + this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + + return &this->public; +} + diff --git a/src/libstrongswan/credentials/cred_encoding.h b/src/libstrongswan/credentials/cred_encoding.h new file mode 100644 index 000000000..e2d69691e --- /dev/null +++ b/src/libstrongswan/credentials/cred_encoding.h 
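Review bot: In encode(), the cache insertion at the end of the function runs after the read lock has been released and a write lock taken, and the value returned by `put()` is discarded; if a second thread encoded the same (type, cache) pair in that window, its entry is silently replaced and the displaced chunk plus its buffer leak. Freeing the displaced entry the way cache() does would not be a fix here, because a caller that passed a cache key holds a pointer into the cached chunk (the header documents cached encodings as internal data that must not be freed), so that would turn a leak into a use-after-free. Re-checking the table under the write lock and keeping whichever entry is already there avoids both; the tail of encode() would become the lines below. The rest of the hunk handles `put()` correctly, in cache().
```c
	if (success && cache)
	{
		chunk_t *existing;

		this->lock->write_lock(this->lock);
		/* another thread may have cached the same (type, cache) entry while the
		 * read lock was released; keep the entry callers may already reference
		 * and drop our duplicate instead of replacing it */
		existing = this->cache[type]->get(this->cache[type], cache);
		if (existing)
		{
			free(encoding->ptr);
			*encoding = *existing;
		}
		else
		{
			chunk = malloc_thing(chunk_t);
			*chunk = *encoding;
			this->cache[type]->put(this->cache[type], cache, chunk);
		}
		this->lock->unlock(this->lock);
	}
	return success;
```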
@@ -0,0 +1,224 @@ +/* + * Copyright (C) 2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup cred_encoding cred_encoding + * @{ @ingroup credentials + */ + +#ifndef CRED_ENCODING_H_ +#define CRED_ENCODING_H_ + +typedef struct cred_encoding_t cred_encoding_t; +typedef enum cred_encoding_type_t cred_encoding_type_t; +typedef enum cred_encoding_part_t cred_encoding_part_t; + +#include + +/** + * Credential encoder function implementing encoding/fingerprinting. + * + * The variable argument list takes cred_encoding_part_t, followed by part + * specific arguments, terminated by KEY_PART_END. + * + * @param type format to encode the credential to + * @param args list of (cred_encoding_part_t, data) + * @param encoding encoding result, allocated + * @return TRUE if encoding successful + */ +typedef bool (*cred_encoder_t)(cred_encoding_type_t type, chunk_t *encoding, + va_list args); + +/** + * Helper function for cred_encoder_t implementations to parse argument list. + * + * Credential encoder functions get a variable argument list to parse. To + * simplify the job, this function reads the arguments and returns chunks for + * each part. + * The argument list of this function takes a cred_encoding_part_t, followed + * by a data pointer receiving the value, terminated by CRED_PART_END. + * + * @param args argument list passed to credential encoder function + * @param ... 
list of (cred_encoding_part_t, data*) + * @return TRUE if all parts found, FALSE otherwise + */ +bool cred_encoding_args(va_list args, ...); + +/** + * Encoding type of a fingerprint/credential. + * + * Fingerprints have have the KEYID_*, public keys the PUBKEY_* and + * private keys the PRIVKEY_* prefix. + */ +enum cred_encoding_type_t { + /** SHA1 fingerprint over subjectPublicKeyInfo */ + KEYID_PUBKEY_INFO_SHA1 = 0, + /** SHA1 fingerprint over subjectPublicKey */ + KEYID_PUBKEY_SHA1, + /** PGPv3 fingerprint */ + KEYID_PGPV3, + /** PGPv4 fingerprint */ + KEYID_PGPV4, + + KEYID_MAX, + + /** PKCS#1 and similar ASN.1 key encoding */ + PUBKEY_ASN1_DER, + PRIVKEY_ASN1_DER, + /** subjectPublicKeyInfo encoding */ + PUBKEY_SPKI_ASN1_DER, + /** PEM encoded PKCS#1 key */ + PUBKEY_PEM, + PRIVKEY_PEM, + /** PGP key encoding */ + PUBKEY_PGP, + PRIVKEY_PGP, + + /** ASN.1 DER encoded certificate */ + CERT_ASN1_DER, + /** PEM encoded certificate */ + CERT_PEM, + /** PGP Packet encoded certificate */ + CERT_PGP_PKT, + + CRED_ENCODING_MAX, +}; + +/** + * Parts of a credential to encode. 
+ */ +enum cred_encoding_part_t { + /** modulus of a RSA key, n */ + CRED_PART_RSA_MODULUS, + /** public exponent of a RSA key, e */ + CRED_PART_RSA_PUB_EXP, + /** private exponent of a RSA key, d */ + CRED_PART_RSA_PRIV_EXP, + /** prime1 a RSA key, p */ + CRED_PART_RSA_PRIME1, + /** prime2 a RSA key, q */ + CRED_PART_RSA_PRIME2, + /** exponent1 a RSA key, exp1 */ + CRED_PART_RSA_EXP1, + /** exponent1 a RSA key, exp2 */ + CRED_PART_RSA_EXP2, + /** coefficient of RSA key, coeff */ + CRED_PART_RSA_COEFF, + /** a DER encoded RSA public key */ + CRED_PART_RSA_PUB_ASN1_DER, + /** a DER encoded RSA private key */ + CRED_PART_RSA_PRIV_ASN1_DER, + /** a DER encoded ECDSA public key */ + CRED_PART_ECDSA_PUB_ASN1_DER, + /** a DER encoded ECDSA private key */ + CRED_PART_ECDSA_PRIV_ASN1_DER, + /** a DER encoded X509 certificate */ + CRED_PART_X509_ASN1_DER, + /** a DER encoded X509 CRL */ + CRED_PART_X509_CRL_ASN1_DER, + /** a DER encoded X509 OCSP request */ + CRED_PART_X509_OCSP_REQ_ASN1_DER, + /** a DER encoded X509 OCSP response */ + CRED_PART_X509_OCSP_RES_ASN1_DER, + /** a DER encoded X509 attribute certificate */ + CRED_PART_X509_AC_ASN1_DER, + /** a DER encoded PKCS10 certificate request */ + CRED_PART_PKCS10_ASN1_DER, + /** a PGP encoded certificate */ + CRED_PART_PGP_CERT, + + CRED_PART_END, +}; + +/** + * Credential encoding and fingerprinting facility. + */ +struct cred_encoding_t { + + /** + * Encode a credential in a format using several parts, optional caching. + * + * The variable argument list takes cred_encoding_part_t, followed by part + * specific arguments, terminated by CRED_PART_END. + * If a cache key is given, the returned encoding points to internal data: + * do not free or modify. If no cache key is given, the encoding is + * allocated and must be freed by the caller. 
+ * + * @param type format the credential should be encoded to + * @param cache key to use for caching, NULL to not cache + * @param encoding encoding result, allocated if caching disabled + * @param ... list of (cred_encoding_part_t, data) + * @return TRUE if encoding successful + */ + bool (*encode)(cred_encoding_t *this, cred_encoding_type_t type, void *cache, + chunk_t *encoding, ...); + + /** + * Clear all cached encodings of a given cache key. + * + * @param cache key used in encode() for caching + */ + void (*clear_cache)(cred_encoding_t *this, void *cache); + + /** + * Check for a cached encoding. + * + * @param type format of the credential encoding + * @param cache key to use for caching, as given to encode() + * @param encoding encoding result, internal data + * @return TRUE if cache entry found + */ + bool (*get_cache)(cred_encoding_t *this, cred_encoding_type_t type, + void *cache, chunk_t *encoding); + + /** + * Cache a credential encoding created externally. + * + * After calling cache(), the passed encoding is owned by the cred encoding + * facility. + * + * @param type format of the credential encoding + * @param cache key to use for caching, as given to encode() + * @param encoding encoding to cache, gets owned by this + */ + void (*cache)(cred_encoding_t *this, cred_encoding_type_t type, void *cache, + chunk_t encoding); + + /** + * Register a credential encoder function. + * + * @param encoder credential encoder function to add + */ + void (*add_encoder)(cred_encoding_t *this, cred_encoder_t encoder); + + /** + * Unregister a previously registered credential encoder function. + * + * @param encoder credential encoder function to remove + */ + void (*remove_encoder)(cred_encoding_t *this, cred_encoder_t encoder); + + /** + * Destroy a cred_encoding_t. + */ + void (*destroy)(cred_encoding_t *this); +}; + +/** + * Create a cred_encoding instance. + */ +cred_encoding_t *cred_encoding_create(); + +#endif /** CRED_ENCODING_H_ @}*/ 
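Review bot: The doc comment on the `cred_encoder_t` typedef says the argument list is `terminated by KEY_PART_END`, but the terminator this header defines is `CRED_PART_END` (the last value of enum cred_encoding_part_t and the name cred_encoding_args() is documented to stop at). An encoder author following the typedef comment would look for an identifier that does not exist; change that line to `* specific arguments, terminated by CRED_PART_END.`. Also `cred_encoding_t *cred_encoding_create();` is an empty-parenthesis declaration rather than a prototype; `cred_encoding_create(void)` is the form that lets the compiler check calls.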
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
new file mode 100644
index 000000000..46c36c941
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -0,0 +1,1097 @@
+/*
+ * Copyright (C) 2007 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "credential_manager.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/**
+ * Maximum length of a certificate trust chain
+ */
+#define MAX_TRUST_PATH_LEN 7
+
+typedef struct private_credential_manager_t private_credential_manager_t;
+
+/**
+ * private data of credential_manager
+ */
+struct private_credential_manager_t {
+
+ /**
+ * public functions
+ */
+ credential_manager_t public;
+
+ /**
+ * list of credential sets
+ */
+ linked_list_t *sets;
+
+ /**
+ * thread local set of credentials, linked_list_t with credential_set_t's
+ */
+ thread_value_t *local_sets;
+
+ /**
+ * trust relationship and certificate cache
+ */
+ cert_cache_t *cache;
+
+ /**
+ * certificates queued for persistent caching
+ */
+ linked_list_t *cache_queue;
+
+ /**
+ * list of certificate validators, cert_validator_t
+ */
+ linked_list_t *validators;
+
+ /**
+ * read-write lock to sets list
+ */
+ rwlock_t *lock;
+
+ /**
+ * mutex for cache queue
+ */
+ mutex_t *queue_mutex;
+};
+
+/** data to pass to create_private_enumerator */
+typedef struct {
+ private_credential_manager_t *this;
+ key_type_t type;
+ identification_t* keyid;
+} private_data_t;
+
+/** data to pass to create_cert_enumerator */
+typedef struct {
+ private_credential_manager_t *this;
+ certificate_type_t cert;
+ key_type_t key;
+ identification_t *id;
+ bool trusted;
+} cert_data_t;
+
+/** data to pass to create_cdp_enumerator */
+typedef struct {
+ private_credential_manager_t *this;
+ certificate_type_t type;
+ identification_t *id;
+} cdp_data_t;
+
+/** data to pass to create_shared_enumerator */
+typedef struct {
+ private_credential_manager_t *this;
+ shared_key_type_t type;
+ identification_t *me;
+ identification_t *other;
+} shared_data_t;
+
+/** enumerator over local and global sets */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** enumerator over global sets */
+ enumerator_t *global;
+ /** enumerator over local sets */
+ enumerator_t *local;
+} sets_enumerator_t;
+
+
+METHOD(enumerator_t, sets_enumerate, bool,
+ sets_enumerator_t *this, credential_set_t **set)
+{
+ if (this->global)
+ {
+ if (this->global->enumerate(this->global, set))
+ {
+ return TRUE;
+ }
+ /* end of global sets, look for local */
+ this->global->destroy(this->global);
+ this->global = NULL;
+ }
+ if (this->local)
+ {
+ return this->local->enumerate(this->local, set);
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, sets_destroy, void,
+ sets_enumerator_t *this)
+{
+ DESTROY_IF(this->global);
+ DESTROY_IF(this->local);
+ free(this);
+}
+
+/**
+ * create an enumerator over both, global and local sets
+ */
+static enumerator_t *create_sets_enumerator(private_credential_manager_t *this)
+{
+ sets_enumerator_t *enumerator;
+ linked_list_t *local;
+
+ INIT(enumerator,
+ .public.enumerate = (void*)_sets_enumerate,
+ .public.destroy = _sets_destroy,
+ .global = this->sets->create_enumerator(this->sets),
+ );
+ local = this->local_sets->get(this->local_sets);
+ if (local)
+ {
+ enumerator->local = local->create_enumerator(local);
+ }
+ return &enumerator->public;
+}
+
+/**
+ * cleanup function for cert data
+ */
+static void destroy_cert_data(cert_data_t *data)
+{
+ data->this->lock->unlock(data->this->lock);
+ free(data);
+}
+
+/**
+ * enumerator constructor for certificates
+ */
+static enumerator_t *create_cert(credential_set_t *set, cert_data_t *data)
+{
+ return set->create_cert_enumerator(set, data->cert, data->key,
+ data->id, data->trusted);
+}
+
+METHOD(credential_manager_t, create_cert_enumerator, enumerator_t*,
+ private_credential_manager_t *this, certificate_type_t certificate,
+ key_type_t key, identification_t *id, bool trusted)
+{
+ cert_data_t *data = malloc_thing(cert_data_t);
+ data->this = this;
+ data->cert = certificate;
+ data->key = key;
+ data->id = id;
+ data->trusted = trusted;
+
+ this->lock->read_lock(this->lock);
+ return enumerator_create_nested(create_sets_enumerator(this),
+ (void*)create_cert, data,
+ (void*)destroy_cert_data);
+}
+
+METHOD(credential_manager_t, get_cert, certificate_t*,
+ private_credential_manager_t *this, certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ certificate_t *current, *found = NULL;
+ enumerator_t *enumerator;
+
+ enumerator = create_cert_enumerator(this, cert, key, id, trusted);
+ if (enumerator->enumerate(enumerator, ¤t))
+ {
+ /* TODO: best match? order by keyid, subject, sualtname */
+ found = current->get_ref(current);
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+
+/**
+ * cleanup function for cdp data
+ */
+static void destroy_cdp_data(cdp_data_t *data)
+{
+ data->this->lock->unlock(data->this->lock);
+ free(data);
+}
+
+/**
+ * enumerator constructor for CDPs
+ */
+static enumerator_t *create_cdp(credential_set_t *set, cdp_data_t *data)
+{
+ return set->create_cdp_enumerator(set, data->type, data->id);
+}
+
+METHOD(credential_manager_t, create_cdp_enumerator, enumerator_t*,
+ private_credential_manager_t *this, certificate_type_t type,
+ identification_t *id)
+{
+ cdp_data_t *data;
+
+ INIT(data,
+ .this = this,
+ .type = type,
+ .id = id,
+ );
+ this->lock->read_lock(this->lock);
+ return enumerator_create_nested(create_sets_enumerator(this),
+ (void*)create_cdp, data,
+ (void*)destroy_cdp_data);
+}
+
+/**
+ * cleanup function for private data
+ */
+static void destroy_private_data(private_data_t *data)
+{
+ data->this->lock->unlock(data->this->lock);
+ free(data);
+}
+
+/**
+ * enumerator constructor for private keys
+ */
+static enumerator_t *create_private(credential_set_t *set, private_data_t *data)
+{
+ return set->create_private_enumerator(set, data->type, data->keyid);
+}
+
+/**
+ * Create an enumerator over private keys
+ */
+static enumerator_t *create_private_enumerator(
+ private_credential_manager_t *this, key_type_t key, identification_t *keyid)
+{
+ private_data_t *data;
+
+ INIT(data,
+ .this = this,
+ .type = key,
+ .keyid = keyid,
+ );
+ this->lock->read_lock(this->lock);
+ return enumerator_create_nested(create_sets_enumerator(this),
+ (void*)create_private, data,
+ (void*)destroy_private_data);
+}
+
+/**
+ * Look up a private key by its key identifier
+ */
+static private_key_t* get_private_by_keyid(private_credential_manager_t *this,
+ key_type_t key, identification_t *keyid)
+{
+ private_key_t *found = NULL;
+ enumerator_t *enumerator;
+
+ enumerator = create_private_enumerator(this, key, keyid);
+ if (enumerator->enumerate(enumerator, &found))
+ {
+ found->get_ref(found);
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+/**
+ * cleanup function for shared data
+ */
+static void destroy_shared_data(shared_data_t *data)
+{
+ data->this->lock->unlock(data->this->lock);
+ free(data);
+}
+
+/**
+ * enumerator constructor for shared keys
+ */
+static enumerator_t *create_shared(credential_set_t *set, shared_data_t *data)
+{
+ return set->create_shared_enumerator(set, data->type, data->me, data->other);
+}
+
+METHOD(credential_manager_t, create_shared_enumerator, enumerator_t*,
+ private_credential_manager_t *this, shared_key_type_t type,
+ identification_t *me, identification_t *other)
+{
+ shared_data_t *data;
+
+ INIT(data,
+ .this = this,
+ .type = type,
+ .me = me,
+ .other = other,
+ );
+ this->lock->read_lock(this->lock);
+ return enumerator_create_nested(create_sets_enumerator(this),
+ (void*)create_shared, data,
+ (void*)destroy_shared_data);
+}
+
+METHOD(credential_manager_t, get_shared, shared_key_t*,
+ private_credential_manager_t *this, shared_key_type_t type,
+ identification_t *me, identification_t *other)
+{
+ shared_key_t *current, *found = NULL;
+ id_match_t *best_me = ID_MATCH_NONE, *best_other = ID_MATCH_NONE;
+ id_match_t *match_me, *match_other;
+ enumerator_t *enumerator;
+
+ enumerator = create_shared_enumerator(this, type, me, other);
+ while (enumerator->enumerate(enumerator, ¤t, &match_me, &match_other))
+ {
+ if (match_other > best_other ||
+ (match_other == best_other && match_me > best_me))
+ {
+ DESTROY_IF(found);
+ found = current->get_ref(current);
+ best_me = match_me;
+ best_other = match_other;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+METHOD(credential_manager_t, add_local_set, void,
+ private_credential_manager_t *this, credential_set_t *set)
+{
+ linked_list_t *sets;
+
+ sets = this->local_sets->get(this->local_sets);
+ if (!sets)
+ { /* first invocation */
+ sets = linked_list_create();
+ this->local_sets->set(this->local_sets, sets);
+ }
+ sets->insert_last(sets, set);
+}
+
+METHOD(credential_manager_t, remove_local_set, void,
+ private_credential_manager_t *this, credential_set_t *set)
+{
+ linked_list_t *sets;
+
+ sets = this->local_sets->get(this->local_sets);
+ sets->remove(sets, set, NULL);
+}
+
+METHOD(credential_manager_t, cache_cert, void,
+ private_credential_manager_t *this, certificate_t *cert)
+{
+ credential_set_t *set;
+ enumerator_t *enumerator;
+
+ if (this->lock->try_write_lock(this->lock))
+ {
+ enumerator = this->sets->create_enumerator(this->sets);
+ while (enumerator->enumerate(enumerator, &set))
+ {
+ set->cache_cert(set, cert);
+ }
+ enumerator->destroy(enumerator);
+ this->lock->unlock(this->lock);
+ }
+ else
+ { /* we can't cache now as other threads are active, queue for later */
+ this->queue_mutex->lock(this->queue_mutex);
+ this->cache_queue->insert_last(this->cache_queue, cert->get_ref(cert));
+ this->queue_mutex->unlock(this->queue_mutex);
+ }
+}
+
+/**
+ * Try to cache certificates queued for caching
+ */
+static void cache_queue(private_credential_manager_t *this)
+{
+ credential_set_t *set;
+ certificate_t *cert;
+ enumerator_t *enumerator;
+
+ this->queue_mutex->lock(this->queue_mutex);
+ if (this->cache_queue->get_count(this->cache_queue) > 0 &&
+ this->lock->try_write_lock(this->lock))
+ {
+ while (this->cache_queue->remove_last(this->cache_queue,
+ (void**)&cert) == SUCCESS)
+ {
+ enumerator = this->sets->create_enumerator(this->sets);
+ while (enumerator->enumerate(enumerator, &set))
+ {
+ set->cache_cert(set, cert);
+ }
+ enumerator->destroy(enumerator);
+ cert->destroy(cert);
+ }
+ this->lock->unlock(this->lock);
+ }
+ this->queue_mutex->unlock(this->queue_mutex);
+}
+
+/**
+ * check a certificate for its lifetime
+ */
+static bool check_certificate(private_credential_manager_t *this,
+ certificate_t *subject, certificate_t *issuer,
+ bool online, int pathlen, auth_cfg_t *auth)
+{
+ time_t not_before, not_after;
+ cert_validator_t *validator;
+ enumerator_t *enumerator;
+
+ if (!subject->get_validity(subject, NULL, ¬_before, ¬_after))
+ {
+ DBG1(DBG_CFG, "subject certificate invalid (valid from %T to %T)",
+ ¬_before, FALSE, ¬_after, FALSE);
+ return FALSE;
+ }
+ if (!issuer->get_validity(issuer, NULL, ¬_before, ¬_after))
+ {
+ DBG1(DBG_CFG, "issuer certificate invalid (valid from %T to %T)",
+ ¬_before, FALSE, ¬_after, FALSE);
+ return FALSE;
+ }
+ if (issuer->get_type(issuer) == CERT_X509 &&
+ subject->get_type(subject) == CERT_X509)
+ {
+ int pathlen_constraint;
+ x509_t *x509;
+
+ /* check path length constraint */
+ x509 = (x509_t*)issuer;
+ pathlen_constraint = x509->get_pathLenConstraint(x509);
+ if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+ }
+
+ enumerator = this->validators->create_enumerator(this->validators);
+ while (enumerator->enumerate(enumerator, &validator))
+ {
+ if (!validator->validate(validator, subject, issuer,
+ online, pathlen, auth))
+ {
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return TRUE;
+}
+
+/**
+ * Get a trusted certificate from a credential set
+ */
+static certificate_t *get_pretrusted_cert(private_credential_manager_t *this,
+ key_type_t type, identification_t *id)
+{
+ certificate_t *subject;
+ public_key_t *public;
+
+ subject = get_cert(this, CERT_ANY, type, id, TRUE);
+ if (!subject)
+ {
+ return NULL;
+ }
+ public = subject->get_public_key(subject);
+ if (!public)
+ {
+ subject->destroy(subject);
+ return NULL;
+ }
+ public->destroy(public);
+ return subject;
+}
+
+/**
+ * Get the issuing certificate of a subject certificate
+ */
+static certificate_t *get_issuer_cert(private_credential_manager_t *this,
+ certificate_t *subject, bool trusted)
+{
+ enumerator_t *enumerator;
+ certificate_t *issuer = NULL, *candidate;
+
+ enumerator = create_cert_enumerator(this, subject->get_type(subject), KEY_ANY,
+ subject->get_issuer(subject), trusted);
+ while (enumerator->enumerate(enumerator, &candidate))
+ {
+ if (this->cache->issued_by(this->cache, subject, candidate))
+ {
+ issuer = candidate->get_ref(candidate);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return issuer;
+}
+
+/**
+ * try to verify the trust chain of subject, return TRUE if trusted
+ */
+static bool verify_trust_chain(private_credential_manager_t *this,
+ certificate_t *subject, auth_cfg_t *result,
+ bool trusted, bool online)
+{
+ certificate_t *current, *issuer;
+ auth_cfg_t *auth;
+ int pathlen;
+
+ auth = auth_cfg_create();
+ current = subject->get_ref(subject);
+
+ for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++)
+ {
+ issuer = get_issuer_cert(this, current, TRUE);
+ if (issuer)
+ {
+ /* accept only self-signed CAs as trust anchor */
+ if (this->cache->issued_by(this->cache, issuer, issuer))
+ {
+ auth->add(auth, AUTH_RULE_CA_CERT, issuer->get_ref(issuer));
+ DBG1(DBG_CFG, " using trusted ca certificate \"%Y\"",
+ issuer->get_subject(issuer));
+ trusted = TRUE;
+ }
+ else
+ {
+ auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
+ DBG1(DBG_CFG, " using trusted intermediate ca certificate "
+ "\"%Y\"", issuer->get_subject(issuer));
+ }
+ }
+ else
+ {
+ issuer = get_issuer_cert(this, current, FALSE);
+ if (issuer)
+ {
+ if (current->equals(current, issuer))
+ {
+ DBG1(DBG_CFG, " self-signed certificate \"%Y\" is not trusted",
+ current->get_subject(current));
+ issuer->destroy(issuer);
+ break;
+ }
+ auth->add(auth, AUTH_RULE_IM_CERT, issuer->get_ref(issuer));
+ DBG1(DBG_CFG, " using untrusted intermediate certificate "
+ "\"%Y\"", issuer->get_subject(issuer));
+ }
+ else
+ {
+ DBG1(DBG_CFG, "no issuer certificate found for \"%Y\"",
+ current->get_subject(current));
+ break;
+ }
+ }
+ if (!check_certificate(this, current, issuer, online, pathlen,
+ current == subject ? auth : NULL))
+ {
+ trusted = FALSE;
+ issuer->destroy(issuer);
+ break;
+ }
+ current->destroy(current);
+ current = issuer;
+ if (trusted)
+ {
+ DBG1(DBG_CFG, " reached self-signed root ca with a path length of %d",
+ pathlen);
+ break;
+ }
+ }
+ current->destroy(current);
+ if (pathlen > MAX_TRUST_PATH_LEN)
+ {
+ DBG1(DBG_CFG, "maximum path length of %d exceeded", MAX_TRUST_PATH_LEN);
+ }
+ if (trusted)
+ {
+ result->merge(result, auth, FALSE);
+ }
+ auth->destroy(auth);
+ return trusted;
+}
+
+/**
+ * enumerator for trusted certificates
+ */
+typedef struct {
+ /** implements enumerator_t interface */
+ enumerator_t public;
+ /** enumerator over candidate peer certificates */
+ enumerator_t *candidates;
+ /** reference to the credential_manager */
+ private_credential_manager_t *this;
+ /** type of the requested key */
+ key_type_t type;
+ /** identity the requested key belongs to */
+ identification_t *id;
+ /** TRUE to do CRL/OCSP checking */
+ bool online;
+ /** pretrusted certificate we have served at first invocation */
+ certificate_t *pretrusted;
+ /** currently enumerating auth config */
+ auth_cfg_t *auth;
+} trusted_enumerator_t;
+
+METHOD(enumerator_t, trusted_enumerate, bool,
+ trusted_enumerator_t *this, certificate_t **cert, auth_cfg_t **auth)
+{
+ certificate_t *current;
+
+ DESTROY_IF(this->auth);
+ this->auth = auth_cfg_create();
+
+ if (!this->candidates)
+ {
+ /* first invocation, build enumerator for next one */
+ this->candidates = create_cert_enumerator(this->this, CERT_ANY,
+ this->type, this->id, FALSE);
+ /* check if we have a trusted certificate for that peer */
+ this->pretrusted = get_pretrusted_cert(this->this, this->type, this->id);
+ if (this->pretrusted)
+ {
+ /* if we find a trusted self signed certificate, we just accept it.
+ * However, in order to fulfill authorization rules, we try to build
+ * the trust chain if it is not self signed */
+ if (this->this->cache->issued_by(this->this->cache,
+ this->pretrusted, this->pretrusted) ||
+ verify_trust_chain(this->this, this->pretrusted, this->auth,
+ TRUE, this->online))
+ {
+ this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT,
+ this->pretrusted->get_ref(this->pretrusted));
+ DBG1(DBG_CFG, " using trusted certificate \"%Y\"",
+ this->pretrusted->get_subject(this->pretrusted));
+ *cert = this->pretrusted;
+ if (auth)
+ {
+ *auth = this->auth;
+ }
+ return TRUE;
+ }
+ }
+ }
+ /* try to verify the trust chain for each certificate found */
+ while (this->candidates->enumerate(this->candidates, ¤t))
+ {
+ if (this->pretrusted &&
+ this->pretrusted->equals(this->pretrusted, current))
+ { /* skip pretrusted certificate we already served */
+ continue;
+ }
+
+ DBG1(DBG_CFG, " using certificate \"%Y\"",
+ current->get_subject(current));
+ if (verify_trust_chain(this->this, current, this->auth, FALSE,
+ this->online))
+ {
+ *cert = current;
+ if (auth)
+ {
+ *auth = this->auth;
+ }
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, trusted_destroy, void,
+ trusted_enumerator_t *this)
+{
+ DESTROY_IF(this->pretrusted);
+ DESTROY_IF(this->auth);
+ DESTROY_IF(this->candidates);
+ free(this);
+}
+
+METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*,
+ private_credential_manager_t *this, key_type_t type,
+ identification_t *id, bool online)
+{
+ trusted_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_trusted_enumerate,
+ .destroy = _trusted_destroy,
+ },
+ .this = this,
+ .type = type,
+ .id = id,
+ .online = online,
+ );
+ return &enumerator->public;
+}
+
+/**
+ * enumerator for public keys
+ */
+typedef struct {
+ /** implements enumerator_t interface */
+ enumerator_t public;
+ /** enumerator over candidate peer certificates */
+ enumerator_t *inner;
+ /** reference to the credential_manager */
+ private_credential_manager_t *this;
+ /** currently enumerating key */
+ public_key_t *current;
+ /** credset wrapper around auth config */
+ auth_cfg_wrapper_t *wrapper;
+} public_enumerator_t;
+
+METHOD(enumerator_t, public_enumerate, bool,
+ public_enumerator_t *this, public_key_t **key, auth_cfg_t **auth)
+{
+ certificate_t *cert;
+
+ while (this->inner->enumerate(this->inner, &cert, auth))
+ {
+ DESTROY_IF(this->current);
+ this->current = cert->get_public_key(cert);
+ if (this->current)
+ {
+ *key = this->current;
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
+
+METHOD(enumerator_t, public_destroy, void,
+ public_enumerator_t *this)
+{
+ DESTROY_IF(this->current);
+ this->inner->destroy(this->inner);
+ if (this->wrapper)
+ {
+ remove_local_set(this->this, &this->wrapper->set);
+ this->wrapper->destroy(this->wrapper);
+ }
+ this->this->lock->unlock(this->this->lock);
+
+ /* check for delayed certificate cache queue */
+ cache_queue(this->this);
+ free(this);
+}
+
+METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
+ private_credential_manager_t *this, key_type_t type, identification_t *id,
+ auth_cfg_t *auth)
+{
+ public_enumerator_t *enumerator;
+
+ INIT(enumerator,
+ .public = {
+ .enumerate = (void*)_public_enumerate,
+ .destroy = _public_destroy,
+ },
+ .inner = create_trusted_enumerator(this, type, id, TRUE),
+ .this = this,
+ );
+ if (auth)
+ {
+ enumerator->wrapper = auth_cfg_wrapper_create(auth);
+ add_local_set(this, &enumerator->wrapper->set);
+ }
+ this->lock->read_lock(this->lock);
+ return &enumerator->public;
+}
+
+/**
+ * Check if a certificate's keyid is contained in the auth helper
+ */
+static bool auth_contains_cacert(auth_cfg_t *auth, certificate_t *cert)
+{
+ enumerator_t *enumerator;
+ identification_t *value;
+ auth_rule_t type;
+ bool found = FALSE;
+
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &type, &value))
+ {
+ if (type == AUTH_RULE_CA_CERT &&
+ cert->equals(cert, (certificate_t*)value))
+ {
+ found = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found;
+}
+
+/**
+ * build a trustchain from subject up to a trust anchor in trusted
+ */
+static auth_cfg_t *build_trustchain(private_credential_manager_t *this,
+ certificate_t *subject, auth_cfg_t *auth)
+{
+ certificate_t *issuer, *current;
+ auth_cfg_t *trustchain;
+ int pathlen = 0;
+
+ trustchain = auth_cfg_create();
+
+ current = auth->get(auth, AUTH_RULE_CA_CERT);
+ if (!current)
+ {
+ /* no trust anchor specified, return this cert only */
+ trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT,
+ subject->get_ref(subject));
+ return trustchain;
+ }
+ current = subject->get_ref(subject);
+ while (TRUE)
+ {
+ if (auth_contains_cacert(auth, current))
+ {
+ trustchain->add(trustchain, AUTH_RULE_CA_CERT, current);
+ return trustchain;
+ }
+ if (subject == current)
+ {
+ trustchain->add(trustchain, AUTH_RULE_SUBJECT_CERT, current);
+ }
+ else
+ {
+ trustchain->add(trustchain, AUTH_RULE_IM_CERT, current);
+ }
+ issuer = get_issuer_cert(this, current, FALSE);
+ if (!issuer || issuer->equals(issuer, current) ||
+ pathlen > MAX_TRUST_PATH_LEN)
+ {
+ DESTROY_IF(issuer);
+ break;
+ }
+ current = issuer;
+ pathlen++;
+ }
+ trustchain->destroy(trustchain);
+ return NULL;
+}
+
+/**
+ * find a private key of a give certificate
+ */
+static private_key_t *get_private_by_cert(private_credential_manager_t *this,
+ certificate_t *cert, key_type_t type)
+{
+ private_key_t *private = NULL;
+ identification_t *keyid;
+ chunk_t chunk;
+ public_key_t *public;
+
+ public = cert->get_public_key(cert);
+ if (public)
+ {
+ if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk))
+ {
+ keyid = identification_create_from_encoding(ID_KEY_ID, chunk);
+ private = get_private_by_keyid(this, type, keyid);
+ keyid->destroy(keyid);
+ }
+ public->destroy(public);
+ }
+ return private;
+}
+
+METHOD(credential_manager_t, get_private, private_key_t*,
+ private_credential_manager_t *this, key_type_t type, identification_t *id,
+ auth_cfg_t *auth)
+{
+ enumerator_t *enumerator;
+ certificate_t *cert;
+ private_key_t *private = NULL;
+ auth_cfg_t *trustchain;
+
+ /* check if this is a lookup by key ID, and do it if so */
+ if (id && id->get_type(id) == ID_KEY_ID)
+ {
+ private = get_private_by_keyid(this, type, id);
+ if (private)
+ {
+ return private;
+ }
+ }
+
+ /* if a specific certificate is preferred, check for a matching key */
+ cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (cert)
+ {
+ private = get_private_by_cert(this, cert, type);
+ if (private)
+ {
+ trustchain = build_trustchain(this, cert, auth);
+ if (trustchain)
+ {
+ auth->merge(auth, trustchain, FALSE);
+ trustchain->destroy(trustchain);
+ }
+ return private;
+ }
+ }
+
+ /* try to build a trust chain for each certificate found */
+ enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ private = get_private_by_cert(this, cert, type);
+ if (private)
+ {
+ trustchain = build_trustchain(this, cert, auth);
+ if (trustchain)
+ {
+ auth->merge(auth, trustchain, FALSE);
+ trustchain->destroy(trustchain);
+ break;
+ }
+ private->destroy(private);
+ private = NULL;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* if no valid trustchain was found, fall back to the first usable cert */
+ if (!private)
+ {
+ enumerator = create_cert_enumerator(this, CERT_ANY, type, id, FALSE);
+ while (enumerator->enumerate(enumerator, &cert))
+ {
+ private = get_private_by_cert(this, cert, type);
+ if (private)
+ {
+ auth->add(auth, AUTH_RULE_SUBJECT_CERT, cert->get_ref(cert));
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ return private;
+}
+
+METHOD(credential_manager_t, flush_cache, void,
+ private_credential_manager_t *this, certificate_type_t type)
+{
+ this->cache->flush(this->cache, type);
+}
+
+METHOD(credential_manager_t, issued_by, bool,
+ private_credential_manager_t *this, certificate_t *subject,
+ certificate_t *issuer)
+{
+ return this->cache->issued_by(this->cache, subject, issuer);
+}
+
+METHOD(credential_manager_t, add_set, void,
+ private_credential_manager_t *this, credential_set_t *set)
+{
+ this->lock->write_lock(this->lock);
+ this->sets->insert_last(this->sets, set);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, remove_set, void,
+ private_credential_manager_t *this, credential_set_t *set)
+{
+ this->lock->write_lock(this->lock);
+ this->sets->remove(this->sets, set, NULL);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, add_validator, void,
+ private_credential_manager_t *this, cert_validator_t *vdtr)
+{
+ this->lock->write_lock(this->lock);
+ this->sets->insert_last(this->validators, vdtr);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, remove_validator, void,
+ private_credential_manager_t *this, cert_validator_t *vdtr)
+{
+ this->lock->write_lock(this->lock);
+ this->validators->remove(this->validators, vdtr, NULL);
+ this->lock->unlock(this->lock);
+}
+
+METHOD(credential_manager_t, destroy, void,
+ private_credential_manager_t *this)
+{
+ cache_queue(this);
+ this->cache_queue->destroy(this->cache_queue);
+ this->sets->remove(this->sets, this->cache, NULL);
+ this->sets->destroy(this->sets);
+ this->local_sets->destroy(this->local_sets);
+ this->cache->destroy(this->cache);
+ this->validators->destroy(this->validators);
+ this->lock->destroy(this->lock);
+ this->queue_mutex->destroy(this->queue_mutex);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+credential_manager_t *credential_manager_create()
+{
+ private_credential_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .create_cert_enumerator = _create_cert_enumerator,
+ .create_shared_enumerator = _create_shared_enumerator,
+ .create_cdp_enumerator = _create_cdp_enumerator,
+ .get_cert = _get_cert,
+ .get_shared = _get_shared,
+ .get_private = _get_private,
+ .create_trusted_enumerator = _create_trusted_enumerator,
+ .create_public_enumerator = _create_public_enumerator,
+ .flush_cache = _flush_cache,
+ .cache_cert = _cache_cert,
+ .issued_by = _issued_by,
+ .add_set = _add_set,
+ .remove_set = _remove_set,
+ .add_local_set = _add_local_set,
+ .remove_local_set = _remove_local_set,
+ .add_validator = _add_validator,
+ .remove_validator = _remove_validator,
+ .destroy = _destroy,
+ },
+ .sets = linked_list_create(),
+ .validators = linked_list_create(),
+ .cache = cert_cache_create(),
+ .cache_queue = linked_list_create(),
+ .lock = rwlock_create(RWLOCK_TYPE_DEFAULT),
+ .queue_mutex = mutex_create(MUTEX_TYPE_DEFAULT),
+ );
+
+ this->local_sets = thread_value_create((thread_cleanup_t)this->sets->destroy);
+ this->sets->insert_first(this->sets, this->cache);
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
new file mode 100644
index 000000000..04269cfbf
--- /dev/null
+++ b/src/libstrongswan/credentials/credential_manager.h
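Review bot: get_shared() declares `best_me`, `best_other`, `match_me` and `match_other` as `id_match_t *` although the shared-key enumerator of credential_set_t (documented in credential_set.h in this same commit) yields `id_match_t` values, so a set presumably writes an enum through a pointer-sized out parameter and the best-match comparison is then made on pointer values whose upper bytes may never have been written on 64-bit targets; declare them as plain values, `id_match_t best_me = ID_MATCH_NONE, best_other = ID_MATCH_NONE;` and `id_match_t match_me, match_other;`, so that the choice of shared secret is deterministic. Two smaller points in the same hunk: add_validator() inserts through the wrong list's method, `this->sets->insert_last(this->validators, vdtr);`, which only works because every linked_list_t shares one implementation and should read `this->validators->insert_last(this->validators, vdtr);`, and remove_local_set() dereferences the result of `this->local_sets->get()` without the NULL check that add_local_set() makes, so a thread that never registered a local set dereferences NULL there. Separately, trusted_enumerate() returns a pretrusted certificate that the cache reports as self-signed without ever reaching check_certificate(), so neither its validity period nor the registered validators are consulted for that certificate; if that is intended, a comment saying so at the `issued_by(this->this->cache, this->pretrusted, this->pretrusted)` branch would make the trust decision explicit for the next reader.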
@@ -0,0 +1,270 @@
+/*
+ * Copyright (C) 2007-2009 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup credential_manager credential_manager
+ * @{ @ingroup credentials
+ */
+
+#ifndef CREDENTIAL_MANAGER_H_
+#define CREDENTIAL_MANAGER_H_
+
+typedef struct credential_manager_t credential_manager_t;
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+/**
+ * Manages credentials using credential_sets.
+ *
+ * The credential manager is the entry point of the credential framework. It
+ * uses so called "sets" to access credentials in a modular fashion, these
+ * are implemented through the credential_set_t interface.
+ * The manager additionally does trust chain verification and trust status
+ * chaching. A set may call the managers methods if it needs credentials itself,
+ * the manager uses recursive locking.
+ * + * @verbatim + + +-------+ +----------------+ + | A | | | +------------------+ + | u | -----> | | ------> | +------------------+ + | t | | credential- | | | +------------------+ + | h | -----> | manager | ------> +--| | credential- | => IPC + | e | | | +--| sets | + | n | +--> | | ------> +------------------+ + | t | | | | | + | i | | | | | + | c | | +----------------+ | + | a | | | + | t | +----------------------------------------------+ + | o | may be recursive + | r | + +-------+ + + @endverbatim + * + * The credential manager uses rwlocks for performance reasons, credential + * sets must be fully thread save. + */ +struct credential_manager_t { + + /** + * Create an enumerator over all certificates. + * + * @param cert kind of certificate + * @param key kind of key in certificate + * @param id subject this certificate belongs to + * @param trusted TRUE to list trusted certificates only + * @return enumerator over the certificates + */ + enumerator_t *(*create_cert_enumerator)(credential_manager_t *this, + certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted); + /** + * Create an enumerator over all shared keys. + * + * The enumerator enumerates over: + * shared_key_t*, id_match_t me, id_match_t other + * But must accepts values for the id_matches. + * + * @param type kind of requested shared key + * @param first first subject between key is shared + * @param second second subject between key is shared + * @return enumerator over shared keys + */ + enumerator_t *(*create_shared_enumerator)(credential_manager_t *this, + shared_key_type_t type, + identification_t *first, identification_t *second); + /** + * Create an enumerator over all Certificate Distribution Points. 
+ *
+ * @param type kind of certificate the point distributes
+ * @param id identification of the distributed certificate
+ * @return enumerator of CDPs as char*
+ */
+ enumerator_t *(*create_cdp_enumerator)(credential_manager_t *this,
+ certificate_type_t type, identification_t *id);
+ /**
+ * Get a trusted or untrusted certificate.
+ *
+ * @param cert kind of certificate
+ * @param key kind of key in certificate
+ * @param id subject this certificate belongs to
+ * @param trusted TRUE to get a trusted certificate only
+ * @return certificate, if found, NULL otherwise
+ */
+ certificate_t *(*get_cert)(credential_manager_t *this,
+ certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted);
+ /**
+ * Get the best matching shared key for two IDs.
+ *
+ * @param type kind of requested shared key
+ * @param me own identity
+ * @param other peers identity
+ * @return shared_key_t, NULL if none found
+ */
+ shared_key_t *(*get_shared)(credential_manager_t *this, shared_key_type_t type,
+ identification_t *me, identification_t *other);
+ /**
+ * Get a private key to create a signature.
+ *
+ * The get_private() method gets a secret private key identified by either
+ * the keyid itself or an id the key belongs to.
+ * The auth parameter contains additional information, such as receipients
+ * trusted CA certs. Auth gets filled with subject and CA certificates
+ * needed to validate a created signature.
+ *
+ * @param type type of the key to get
+ * @param id identification the key belongs to
+ * @param auth auth config, including trusted CA certificates
+ * @return private_key_t, NULL if none found
+ */
+ private_key_t* (*get_private)(credential_manager_t *this, key_type_t type,
+ identification_t *id, auth_cfg_t *auth);
+
+ /**
+ * Create an enumerator over trusted certificates.
+ *
+ * This method creates an enumerator over trusted certificates. The auth
+ * parameter (if given) recevies the trustchain used to validate
+ * the certificate. The resulting enumerator enumerates over
+ * certificate_t*, auth_cfg_t*.
+ * If online is set, revocations are checked online for the whole
+ * trustchain.
+ *
+ * @param type type of the key we want a certificate for
+ * @param id subject of the certificate
+ * @param online whether revocations should be checked online
+ * @return enumerator
+ */
+ enumerator_t* (*create_trusted_enumerator)(credential_manager_t *this,
+ key_type_t type, identification_t *id, bool online);
+
+ /**
+ * Create an enumerator over trusted public keys.
+ *
+ * This method gets a an enumerator over trusted public keys to verify a
+ * signature created by id. The auth parameter contains additional
+ * authentication infos, e.g. peer and intermediate certificates.
+ * The resulting enumerator enumerates over public_key_t *, auth_cfg_t *,
+ * where the auth config helper contains rules for constraint checks.
+ * This function is very similar to create_trusted_enumerator(), but
+ * gets public keys directly.
+ *
+ * @param type type of the key to get
+ * @param id owner of the key, signer of the signature
+ * @param auth authentication infos
+ * @return enumerator
+ */
+ enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
+ key_type_t type, identification_t *id, auth_cfg_t *auth);
+
+ /**
+ * Cache a certificate by invoking cache_cert() on all registerd sets.
+ *
+ * @param cert certificate to cache
+ */
+ void (*cache_cert)(credential_manager_t *this, certificate_t *cert);
+
+ /**
+ * Flush the certificate cache.
+ *
+ * Only the managers local cache is flushed, but not the sets cache filled
+ * by the cache_cert() method.
+ *
+ * @param type type of certificate to flush, or CERT_ANY
+ */
+ void (*flush_cache)(credential_manager_t *this, certificate_type_t type);
+
+ /**
+ * Check if a given subject certificate is issued by an issuer certificate.
+ *
+ * This operation does signature verification, but uses the credential
+ * managers cache for to speed up the operation.
+ *
+ * @param subject subject certificate to check
+ * @param issuer issuer certificate that potentially has signed subject
+ * @return TRUE if issuer signed subject
+ */
+ bool (*issued_by)(credential_manager_t *this,
+ certificate_t *subject, certificate_t *issuer);
+
+ /**
+ * Register a credential set to the manager.
+ *
+ * @param set set to register
+ */
+ void (*add_set)(credential_manager_t *this, credential_set_t *set);
+
+ /**
+ * Unregister a credential set from the manager.
+ *
+ * @param set set to unregister
+ */
+ void (*remove_set)(credential_manager_t *this, credential_set_t *set);
+
+ /**
+ * Register a thread local credential set to the manager.
+ *
+ * To add a credential set for the current trustchain verification
+ * operation, sets may be added for the calling thread only. This
+ * does not require a write lock and is therefore a much less expensive
+ * operation.
+ *
+ * @param set set to register
+ */
+ void (*add_local_set)(credential_manager_t *this, credential_set_t *set);
+
+ /**
+ * Unregister a thread local credential set from the manager.
+ *
+ * @param set set to unregister
+ */
+ void (*remove_local_set)(credential_manager_t *this, credential_set_t *set);
+
+ /**
+ * Register a certificate validator to the manager.
+ *
+ * @param vdtr validator to register
+ */
+ void (*add_validator)(credential_manager_t *this, cert_validator_t *vdtr);
+
+ /**
+ * Remove a certificate validator from the manager.
+ *
+ * @param vdtr validator to unregister
+ */
+ void (*remove_validator)(credential_manager_t *this, cert_validator_t *vdtr);
+
+ /**
+ * Destroy a credential_manager instance.
+ */
+ void (*destroy)(credential_manager_t *this);
+};
+
+/**
+ * Create a credential_manager instance.
+ */
+credential_manager_t *credential_manager_create();
+
+#endif /** CREDENTIAL_MANAGER_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_set.h b/src/libstrongswan/credentials/credential_set.h
new file mode 100644
index 000000000..0eee237cb
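Review bot: The get_private() documentation does not say that `auth` must be non-NULL, yet the implementation in credential_manager.c of this same commit calls `auth->get(auth, AUTH_RULE_SUBJECT_CERT)` and later `auth->add()` unconditionally, so a caller without an auth config cannot pass NULL; state that in the contract, e.g. `@param auth auth config, including trusted CA certificates (must not be NULL, gets filled with the subject and CA certificates found)`. `credential_manager_t *credential_manager_create();` is declared with empty parentheses, which in C is an unprototyped declaration; `credential_manager_t *credential_manager_create(void);` is the prototype form and the definition in the .c file should be changed to match. The create_shared_enumerator() comment `But must accepts values for the id_matches.` appears to have lost a word compared with credential_set.h's `But must accept NULL values for the id_matches.`, and the typos in this header (chaching, thread save, receipients, recevies, registerd) are worth fixing while the file is new.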
--- /dev/null +++ b/src/libstrongswan/credentials/credential_set.h 
@@ -0,0 +1,108 @@ +/* + * Copyright (C) 2007 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup credential_set credential_set + * @{ @ingroup credentials + */ + +#ifndef CREDENTIAL_SET_H_ +#define CREDENTIAL_SET_H_ + +typedef struct credential_set_t credential_set_t; + +#include +#include +#include + +/** + * A set of credentials. + * + * Contains private keys, shared keys and different kinds of certificates. + * Enumerators are used because queries might return multiple matches. + * Filter parameters restrict enumeration over specific items only. + * See credential_manager_t for an overview of the credential framework. + * + * A credential set enumerator may not block the credential set, i.e. multiple + * threads must be able to hold multiple enumerators, as the credential manager + * is higly parallelized. The best way to achieve this is by using shared + * read locks for the enumerators only. Otherwiese deadlocks will occur. + * The writing cache_cert() routine is called by the manager only if no + * enumerator is alive, so it is save to use a write lock there. + */ +struct credential_set_t { + + /** + * Create an enumerator over private keys (private_key_t). + * + * The id is either a key identifier of the requested key, or an identity + * of the key owner. + * + * @param type type of requested private key + * @param id key identifier/owner + * @return enumerator over private_key_t's. 
+ */ + enumerator_t *(*create_private_enumerator)(credential_set_t *this, + key_type_t type, identification_t *id); + /** + * Create an enumerator over certificates (certificate_t). + * + * @param cert kind of certificate + * @param key kind of key in certificate + * @param id identity (subject) this certificate belongs to + * @param trusted whether the certificate must be trustworthy + * @return enumerator as described above + */ + enumerator_t *(*create_cert_enumerator)(credential_set_t *this, + certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted); + /** + * Create an enumerator over shared keys (shared_key_t). + * + * The enumerator enumerates over: + * shared_key_t*, id_match_t me, id_match_t other + * But must accept NULL values for the id_matches. + * + * @param type kind of requested shared key + * @param me own identity + * @param other other identity who owns that secret + * @return enumerator as described above + */ + enumerator_t *(*create_shared_enumerator)(credential_set_t *this, + shared_key_type_t type, + identification_t *me, identification_t *other); + + /** + * Create an enumerator over certificate distribution points. + * + * @param type type of the certificate to get a CDP + * @param id identification of the distributed certificate + * @return an enumerator over CDPs as char* + */ + enumerator_t *(*create_cdp_enumerator)(credential_set_t *this, + certificate_type_t type, identification_t *id); + + /** + * Cache a certificate in the credential set. + * + * The caching policy is implementation dependent, the sets may cache the + * certificate in-memory, persistent on disk or not at all. + * + * @param cert certificate to cache + */ + void (*cache_cert)(credential_set_t *this, certificate_t *cert); +}; + +#endif /** CREDENTIAL_SET_H_ @}*/ diff --git a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c index ff3ddeb6f..de5b85bae 100644 
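Review bot: The struct-level comment of the new credential_set_t header carries three typos that will be copied into the generated API docs and into every implementer's understanding of the locking contract: `higly` → `highly`, `Otherwiese` → `Otherwise`, and `it is save to use a write lock there` → `it is safe to use a write lock there`. The locking rule itself (enumerators must only take shared read locks, cache_cert() is the only writer and is called with no enumerator alive) is the security-relevant part of this header, so the sentence should read cleanly. The `@return enumerator as described above` on create_cert_enumerator refers to nothing above it; `@return enumerator over certificate_t's` would match the style of create_private_enumerator.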
--- a/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c +++ b/src/libstrongswan/credentials/ietf_attributes/ietf_attributes.c @@ -159,7 +159,7 @@ static char* get_string(private_ietf_attributes_t *this) enumerator = this->list->create_enumerator(this->list); while (enumerator->enumerate(enumerator, &attr)) { - int written = 0; + int written; if (first) { @@ -168,8 +168,12 @@ static char* get_string(private_ietf_attributes_t *this) else { written = snprintf(pos, len, ", "); + if (written < 0 || written >= len) + { + break; + } pos += written; - len -= written; + len -= written; } switch (attr->type) @@ -194,8 +198,13 @@ static char* get_string(private_ietf_attributes_t *this) break; } default: + written = 0; break; } + if (written < 0 || written >= len) + { + break; + } pos += written; len -= written; } diff --git a/src/libstrongswan/credentials/keys/key_encoding.c b/src/libstrongswan/credentials/keys/key_encoding.c deleted file mode 100644 index 89b25226c..000000000 --- a/src/libstrongswan/credentials/keys/key_encoding.c +++ /dev/null 
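Review bot: Dropping the `int written = 0;` initializer in the first hunk makes the truncation check added in the third hunk depend on every arm of the `switch` assigning `written`; the new `default: written = 0;` covers the fall-back arm, but the case arms between the second and third hunk are not visible here, and any arm that `break`s without assigning would feed an indeterminate value into `written >= len` and `pos += written`. Keeping the initializer costs nothing and keeps the check robust against case arms added later: `int written = 0;`. The `break` on truncation silently drops the remaining attributes from the string, which is acceptable for a bounded buffer, but the type of `len` is declared outside the hunk; if it is unsigned, `written >= len` is only safe because `written < 0` is tested first, so the order of the two tests must be kept. get_string's body starts before the first hunk and the snprintf case arms lie between the second and third.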
@@ -1,299 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "key_encoding.h" - -#include - -#include -#include -#include - -typedef struct private_key_encoding_t private_key_encoding_t; - -/** - * Private data of an key_encoding_t object. - */ -struct private_key_encoding_t { - - /** - * Public key_encoding_t interface. - */ - key_encoding_t public; - - /** - * cached encodings, a table for each encoding_type_t, containing chunk_t* - */ - hashtable_t *cache[KEY_ENCODING_MAX]; - - /** - * Registered encoding fuctions, key_encoder_t - */ - linked_list_t *encoders; - - /** - * lock to access cache/encoders - */ - rwlock_t *lock; -}; - -/** - * See header. - */ -bool key_encoding_args(va_list args, ...) 
-{ - va_list parts, copy; - bool failed = FALSE; - - va_start(parts, args); - - while (!failed) - { - key_encoding_part_t current, target; - chunk_t *out, data; - - /* get the part we are looking for */ - target = va_arg(parts, key_encoding_part_t); - if (target == KEY_PART_END) - { - break; - } - out = va_arg(parts, chunk_t*); - - va_copy(copy, args); - while (!failed) - { - current = va_arg(copy, key_encoding_part_t); - if (current == KEY_PART_END) - { - failed = TRUE; - break; - } - data = va_arg(copy, chunk_t); - if (current == target) - { - *out = data; - break; - } - } - va_end(copy); - } - va_end(parts); - return !failed; -} - -/** - * hashtable hash() function - */ -static u_int hash(void *key) -{ - return (uintptr_t)key; -} - -/** - * hashtable equals() function - */ -static bool equals(void *key1, void *key2) -{ - return key1 == key2; -} - -/** - * Implementation of key_encoding_t.get_cache - */ -static bool get_cache(private_key_encoding_t *this, key_encoding_type_t type, - void *cache, chunk_t *encoding) -{ - chunk_t *chunk; - - if (type >= KEY_ENCODING_MAX || type < 0) - { - return FALSE; - } - this->lock->read_lock(this->lock); - chunk = this->cache[type]->get(this->cache[type], cache); - if (chunk) - { - *encoding = *chunk; - } - this->lock->unlock(this->lock); - return !!chunk; -} - -/** - * Implementation of key_encoding_t.encode - */ -static bool encode(private_key_encoding_t *this, key_encoding_type_t type, - void *cache, chunk_t *encoding, ...) 
-{ - enumerator_t *enumerator; - va_list args, copy; - key_encoder_t encode; - bool success = FALSE; - chunk_t *chunk; - - if (type >= KEY_ENCODING_MAX || type < 0) - { - return FALSE; - } - this->lock->read_lock(this->lock); - if (cache) - { - chunk = this->cache[type]->get(this->cache[type], cache); - if (chunk) - { - *encoding = *chunk; - this->lock->unlock(this->lock); - return TRUE; - } - } - va_start(args, encoding); - enumerator = this->encoders->create_enumerator(this->encoders); - while (enumerator->enumerate(enumerator, &encode)) - { - va_copy(copy, args); - success = encode(type, encoding, copy); - va_end(copy); - if (success) - { - if (cache) - { - chunk = malloc_thing(chunk_t); - *chunk = *encoding; - this->lock->unlock(this->lock); - this->lock->write_lock(this->lock); - this->cache[type]->put(this->cache[type], cache, chunk); - } - break; - } - } - enumerator->destroy(enumerator); - va_end(args); - this->lock->unlock(this->lock); - return success; -} - -/** - * Implementation of key_encoding_t.cache - */ -static void cache(private_key_encoding_t *this, key_encoding_type_t type, - void *cache, chunk_t encoding) -{ - chunk_t *chunk; - - if (type >= KEY_ENCODING_MAX || type < 0) - { - return free(encoding.ptr); - } - chunk = malloc_thing(chunk_t); - *chunk = encoding; - this->lock->write_lock(this->lock); - chunk = this->cache[type]->put(this->cache[type], cache, chunk); - this->lock->unlock(this->lock); - /* free an encoding already associated to the cache */ - if (chunk) - { - free(chunk->ptr); - free(chunk); - } -} - -/** - * Implementation of key_encoding_t.clear_cache - */ -static void clear_cache(private_key_encoding_t *this, void *cache) -{ - key_encoding_type_t type; - chunk_t *chunk; - - this->lock->write_lock(this->lock); - for (type = 0; type < KEY_ENCODING_MAX; type++) - { - chunk = this->cache[type]->remove(this->cache[type], cache); - if (chunk) - { - chunk_free(chunk); - free(chunk); - } - } - this->lock->unlock(this->lock); -} - -/** - * 
Implementation of key_encoding_t.add_encoder - */ -static void add_encoder(private_key_encoding_t *this, key_encoder_t encoder) -{ - this->lock->write_lock(this->lock); - this->encoders->insert_last(this->encoders, encoder); - this->lock->unlock(this->lock); -} - -/** - * Implementation of key_encoding_t.remove_encoder - */ -static void remove_encoder(private_key_encoding_t *this, key_encoder_t encoder) -{ - this->lock->write_lock(this->lock); - this->encoders->remove(this->encoders, encoder, NULL); - this->lock->unlock(this->lock); -} - -/** - * Implementation of key_encoder_t.destroy. - */ -static void destroy(private_key_encoding_t *this) -{ - key_encoding_type_t type; - - for (type = 0; type < KEY_ENCODING_MAX; type++) - { - /* We explicitly do not free remaining encodings. All keys should - * have gone now, and they are responsible for cleaning out their - * cache entries. Not flushing here allows the leak detective to - * complain if a key did not flush cached encodings. */ - this->cache[type]->destroy(this->cache[type]); - } - this->encoders->destroy(this->encoders); - this->lock->destroy(this->lock); - free(this); -} - -/** - * See header - */ -key_encoding_t *key_encoding_create() -{ - private_key_encoding_t *this = malloc_thing(private_key_encoding_t); - key_encoding_type_t type; - - this->public.encode = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding, ...))encode; - this->public.get_cache = (bool(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t *encoding))get_cache; - this->public.cache = (void(*)(key_encoding_t*, key_encoding_type_t type, void *cache, chunk_t encoding))cache; - this->public.clear_cache = (void(*)(key_encoding_t*, void *cache))clear_cache; - this->public.add_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))add_encoder; - this->public.remove_encoder = (void(*)(key_encoding_t*, key_encoder_t encoder))remove_encoder; - this->public.destroy = (void(*)(key_encoding_t*))destroy; - 
- for (type = 0; type < KEY_ENCODING_MAX; type++) - { - this->cache[type] = hashtable_create(hash, equals, 8); - } - this->encoders = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - - return &this->public; -} - diff --git a/src/libstrongswan/credentials/keys/key_encoding.h b/src/libstrongswan/credentials/keys/key_encoding.h deleted file mode 100644 index d8435f4b4..000000000 --- a/src/libstrongswan/credentials/keys/key_encoding.h +++ /dev/null 
@@ -1,203 +0,0 @@ -/* - * Copyright (C) 2009 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup key_encoding key_encoding - * @{ @ingroup keys - */ - -#ifndef KEY_ENCODING_H_ -#define KEY_ENCODING_H_ - -typedef struct key_encoding_t key_encoding_t; -typedef enum key_encoding_type_t key_encoding_type_t; -typedef enum key_encoding_part_t key_encoding_part_t; - -#include - -/** - * Key encoder function implementing encoding/fingerprinting. - * - * The variable argument list takes key_encoding_part_t, followed by part - * specific arguments, terminated by KEY_PART_END. - * - * @param type format to encode the key to - * @param args list of (key_encoding_part_t, data) - * @param encoding encoding result, allocated - * @return TRUE if encoding successful - */ -typedef bool (*key_encoder_t)(key_encoding_type_t type, chunk_t *encoding, - va_list args); - -/** - * Helper function for key_encoder_t implementations to parse argument list. - * - * Key encoder functions get a variable argument list to parse. To simplify - * the job, this function reads the arguments and returns chunks for each - * part. - * The argument list of this function takes a key_encoding_part_t, followed - * by a data pointer receiving the value, terminated by KEY_PART_END. - * - * @param args argument list passed to key encoder function - * @param ... 
list of (key_encoding_part_t, data*) - * @return TRUE if all parts found, FALSE otherwise - */ -bool key_encoding_args(va_list args, ...); - -/** - * Encoding type of a fingerprint/private-/public-key. - * - * Fingerprints have have the KEY_ID_*, public keys the KEY_PUB_* and - * private keys the KEY_PRIV_* prefix. - */ -enum key_encoding_type_t { - /** SHA1 fingerprint over subjectPublicKeyInfo */ - KEY_ID_PUBKEY_INFO_SHA1 = 0, - /** SHA1 fingerprint over subjectPublicKey */ - KEY_ID_PUBKEY_SHA1, - /** PGPv3 fingerprint */ - KEY_ID_PGPV3, - /** PGPv4 fingerprint */ - KEY_ID_PGPV4, - - KEY_ID_MAX, - - /** PKCS#1 and similar ASN.1 key encoding */ - KEY_PUB_ASN1_DER, - KEY_PRIV_ASN1_DER, - /** subjectPublicKeyInfo encoding */ - KEY_PUB_SPKI_ASN1_DER, - /** PEM encoded PKCS#1 key */ - KEY_PUB_PEM, - KEY_PRIV_PEM, - /** PGP key encoding */ - KEY_PUB_PGP, - KEY_PRIV_PGP, - - KEY_ENCODING_MAX, -}; - -/** - * Parts of a key to encode. - */ -enum key_encoding_part_t { - /** modulus of a RSA key, n */ - KEY_PART_RSA_MODULUS, - /** public exponent of a RSA key, e */ - KEY_PART_RSA_PUB_EXP, - /** private exponent of a RSA key, d */ - KEY_PART_RSA_PRIV_EXP, - /** prime1 a RSA key, p */ - KEY_PART_RSA_PRIME1, - /** prime2 a RSA key, q */ - KEY_PART_RSA_PRIME2, - /** exponent1 a RSA key, exp1 */ - KEY_PART_RSA_EXP1, - /** exponent1 a RSA key, exp2 */ - KEY_PART_RSA_EXP2, - /** coefficient of RSA key, coeff */ - KEY_PART_RSA_COEFF, - /** a DER encoded RSA public key */ - KEY_PART_RSA_PUB_ASN1_DER, - /** a DER encoded RSA private key */ - KEY_PART_RSA_PRIV_ASN1_DER, - /** a DER encoded ECDSA public key */ - KEY_PART_ECDSA_PUB_ASN1_DER, - /** a DER encoded ECDSA private key */ - KEY_PART_ECDSA_PRIV_ASN1_DER, - - KEY_PART_END, -}; - -/** - * Private/Public key encoding and fingerprinting facility. - */ -struct key_encoding_t { - - /** - * Encode a key into a format using several key parts, optional caching. 
- * - * The variable argument list takes key_encoding_part_t, followed by part - * specific arguments, terminated by KEY_PART_END. - * If a cache key is given, the returned encoding points to internal data: - * do not free or modify. If no cache key is given, the encoding is - * allocated and must be freed by the caller. - * - * @param type format the key should be encoded to - * @param cache key to use for caching, NULL to not cache - * @param encoding encoding result, allocated if caching disabled - * @param ... list of (key_encoding_part_t, data) - * @return TRUE if encoding successful - */ - bool (*encode)(key_encoding_t *this, key_encoding_type_t type, void *cache, - chunk_t *encoding, ...); - - /** - * Clear all cached encodings of a given cache key. - * - * @param cache key used in encode() for caching - */ - void (*clear_cache)(key_encoding_t *this, void *cache); - - /** - * Check for a cached encoding. - * - * @param type format of the key encoding - * @param cache key to use for caching, as given to encode() - * @param encoding encoding result, internal data - * @return TRUE if cache entry found - */ - bool (*get_cache)(key_encoding_t *this, key_encoding_type_t type, - void *cache, chunk_t *encoding); - - /** - * Cache a key encoding created externally. - * - * After calling cache(), the passed encoding is owned by the key encoding - * facility. - * - * @param type format of the key encoding - * @param cache key to use for caching, as given to encode() - * @param encoding encoding to cache, gets owned by this - */ - void (*cache)(key_encoding_t *this, key_encoding_type_t type, void *cache, - chunk_t encoding); - - /** - * Register a key encoder function. - * - * @param encoder key encoder function to add - */ - void (*add_encoder)(key_encoding_t *this, key_encoder_t encoder); - - /** - * Unregister a previously registered key encoder function. 
- * - * @param encoder key encoder function to remove - */ - void (*remove_encoder)(key_encoding_t *this, key_encoder_t encoder); - - /** - * Destroy a key_encoding_t. - */ - void (*destroy)(key_encoding_t *this); -}; - -/** - * Create a key_encoding instance. - */ -key_encoding_t *key_encoding_create(); - -#endif /** KEY_ENCODING_H_ @}*/ diff --git a/src/libstrongswan/credentials/keys/private_key.c b/src/libstrongswan/credentials/keys/private_key.c index c3b5ac55b..8292af495 100644 --- a/src/libstrongswan/credentials/keys/private_key.c +++ b/src/libstrongswan/credentials/keys/private_key.c @@ -20,7 +20,7 @@ */ bool private_key_equals(private_key_t *this, private_key_t *other) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t a, b; if (this == other) @@ -28,7 +28,7 @@ bool private_key_equals(private_key_t *this, private_key_t *other) return TRUE; } - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (this->get_fingerprint(this, type, &a) && other->get_fingerprint(other, type, &b)) @@ -44,10 +44,10 @@ bool private_key_equals(private_key_t *this, private_key_t *other) */ bool private_key_belongs_to(private_key_t *private, public_key_t *public) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t a, b; - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (private->get_fingerprint(private, type, &a) && public->get_fingerprint(public, type, &b)) @@ -63,10 +63,10 @@ bool private_key_belongs_to(private_key_t *private, public_key_t *public) */ bool private_key_has_fingerprint(private_key_t *private, chunk_t fingerprint) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t current; - for (type = 0; type < KEY_ID_MAX; type++) + for (type = 0; type < KEYID_MAX; type++) { if (private->get_fingerprint(private, type, ¤t) && chunk_equals(current, fingerprint)) 
diff --git a/src/libstrongswan/credentials/keys/private_key.h b/src/libstrongswan/credentials/keys/private_key.h index d4517f296..27f4ab098 100644 --- a/src/libstrongswan/credentials/keys/private_key.h +++ b/src/libstrongswan/credentials/keys/private_key.h @@ -23,6 +23,7 @@ typedef struct private_key_t private_key_t; +#include #include /** @@ -89,11 +90,11 @@ struct private_key_t { /** * Get the fingerprint of the key. * - * @param type type of fingerprint, one of KEY_ID_* + * @param type type of fingerprint, one of KEYID_* * @param fp fingerprint, points to internal data * @return TRUE if fingerprint type supported */ - bool (*get_fingerprint)(private_key_t *this, key_encoding_type_t type, + bool (*get_fingerprint)(private_key_t *this, cred_encoding_type_t type, chunk_t *fp); /** @@ -107,11 +108,11 @@ struct private_key_t { /** * Get the key in an encoded form as a chunk. * - * @param type type of the encoding, one of KEY_PRIV_* + * @param type type of the encoding, one of PRIVKEY_* * @param encoding encoding of the key, allocated * @return TRUE if encoding supported */ - bool (*get_encoding)(private_key_t *this, key_encoding_type_t type, + bool (*get_encoding)(private_key_t *this, cred_encoding_type_t type, chunk_t *encoding); /** diff --git a/src/libstrongswan/credentials/keys/public_key.c b/src/libstrongswan/credentials/keys/public_key.c index ba3036793..ce342de33 100644 --- a/src/libstrongswan/credentials/keys/public_key.c +++ b/src/libstrongswan/credentials/keys/public_key.c @@ -47,7 +47,7 @@ ENUM(signature_scheme_names, SIGN_UNKNOWN, SIGN_ECDSA_521, */ bool public_key_equals(public_key_t *this, public_key_t *other) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t a, b; if (this == other) 
@@ -55,7 +55,7 @@ bool public_key_equals(public_key_t *this, public_key_t *other) return TRUE; } - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (this->get_fingerprint(this, type, &a) && other->get_fingerprint(other, type, &b)) @@ -71,10 +71,10 @@ bool public_key_equals(public_key_t *this, public_key_t *other) */ bool public_key_has_fingerprint(public_key_t *public, chunk_t fingerprint) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t current; - for (type = 0; type < KEY_ID_MAX; type++) + for (type = 0; type < KEYID_MAX; type++) { if (public->get_fingerprint(public, type, ¤t) && chunk_equals(current, fingerprint)) diff --git a/src/libstrongswan/credentials/keys/public_key.h b/src/libstrongswan/credentials/keys/public_key.h index a421e7b5b..ff827a189 100644 --- a/src/libstrongswan/credentials/keys/public_key.h +++ b/src/libstrongswan/credentials/keys/public_key.h @@ -23,12 +23,11 @@ typedef struct public_key_t public_key_t; typedef enum key_type_t key_type_t; -typedef enum key_id_type_t key_id_type_t; typedef enum signature_scheme_t signature_scheme_t; #include #include -#include +#include /** * Type of a key pair, the used crypto system @@ -147,11 +146,11 @@ struct public_key_t { /** * Get the fingerprint of the key. * - * @param type type of fingerprint, one of KEY_ID_* + * @param type type of fingerprint, one of KEYID_* * @param fp fingerprint, points to internal data * @return TRUE if fingerprint type supported */ - bool (*get_fingerprint)(public_key_t *this, key_encoding_type_t type, + bool (*get_fingerprint)(public_key_t *this, cred_encoding_type_t type, chunk_t *fp); /** 
@@ -165,11 +164,11 @@ struct public_key_t { /** * Get the key in an encoded form as a chunk. * - * @param type type of the encoding, one of KEY_PRIV_* + * @param type type of the encoding, one of PRIVKEY_* * @param encoding encoding of the key, allocated * @return TRUE if encoding supported */ - bool (*get_encoding)(public_key_t *this, key_encoding_type_t type, + bool (*get_encoding)(public_key_t *this, cred_encoding_type_t type, chunk_t *encoding); /** diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c new file mode 100644 index 000000000..5e8458616 --- /dev/null +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c 
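Review bot: The new doc line for `get_encoding` in public_key.h still points at the private-key constants: `* @param type type of the encoding, one of PRIVKEY_*`. For a public_key_t the valid values are the public-key encodings (presumably the `PUBKEY_*` group that replaces the old `KEY_PUB_*`, mirroring how `KEY_PRIV_*` became `PRIVKEY_*` in this commit), so the rename carried the old copy-paste error into the new name; the line should read `* @param type type of the encoding, one of PUBKEY_*`. The same line in private_key.h, changed in an earlier hunk, is correct for that file. The public_key_t struct definition starts and ends outside the hunk.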
@@ -0,0 +1,223 @@ +/* + * Copyright (C) 2008-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include "auth_cfg_wrapper.h" + +typedef struct private_auth_cfg_wrapper_t private_auth_cfg_wrapper_t; + +/** + * private data of auth_cfg_wrapper + */ +struct private_auth_cfg_wrapper_t { + + /** + * public functions + */ + auth_cfg_wrapper_t public; + + /** + * wrapped auth info + */ + auth_cfg_t *auth; +}; + +/** + * enumerator for auth_cfg_wrapper_t.create_cert_enumerator() + */ +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** inner enumerator from auth_cfg */ + enumerator_t *inner; + /** wrapped auth round */ + auth_cfg_t *auth; + /** enumerated cert type */ + certificate_type_t cert; + /** enumerated key type */ + key_type_t key; + /** enumerated id */ + identification_t *id; +} wrapper_enumerator_t; + +/** + * Tries to fetch a certificate that was supplied as "Hash and URL" + * (replaces rule type and value in place). 
+ */ +static bool fetch_cert(wrapper_enumerator_t *enumerator, + auth_rule_t *rule, void **value) +{ + char *url = (char*)*value; + if (!url) + { + /* fetching the certificate previously failed */ + return FALSE; + } + + chunk_t data; + certificate_t *cert; + + DBG1(DBG_CFG, " fetching certificate from '%s' ...", url); + if (lib->fetcher->fetch(lib->fetcher, url, &data, FETCH_END) != SUCCESS) + { + DBG1(DBG_CFG, " fetching certificate failed"); + /* we set the item to NULL, so we can skip it */ + enumerator->auth->replace(enumerator->auth, enumerator->inner, + *rule, NULL); + return FALSE; + } + + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_BLOB_ASN1_DER, data, BUILD_END); + free(data.ptr); + + if (!cert) + { + DBG1(DBG_CFG, " parsing fetched certificate failed"); + /* we set the item to NULL, so we can skip it */ + enumerator->auth->replace(enumerator->auth, enumerator->inner, + *rule, NULL); + return FALSE; + } + + DBG1(DBG_CFG, " fetched certificate \"%Y\"", cert->get_subject(cert)); + lib->credmgr->cache_cert(lib->credmgr, cert); + + if (*rule == AUTH_HELPER_IM_HASH_URL) + { + *rule = AUTH_HELPER_IM_CERT; + } + else + { + *rule = AUTH_HELPER_SUBJECT_CERT; + } + *value = cert; + enumerator->auth->replace(enumerator->auth, enumerator->inner, + *rule, cert->get_ref(cert)); + return TRUE; +} + +/** + * enumerate function for wrapper_enumerator_t + */ +static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) +{ + auth_rule_t rule; + certificate_t *current; + public_key_t *public; + + while (this->inner->enumerate(this->inner, &rule, ¤t)) + { + if (rule == AUTH_HELPER_IM_HASH_URL || + rule == AUTH_HELPER_SUBJECT_HASH_URL) + { /* on-demand fetching of hash and url certificates */ + if (!fetch_cert(this, &rule, (void**)¤t)) + { + continue; + } + } + else if (rule != AUTH_HELPER_SUBJECT_CERT && + rule != AUTH_HELPER_IM_CERT) + { /* handle only HELPER certificates */ + continue; + } + if (this->cert != CERT_ANY && this->cert 
!= current->get_type(current)) + { /* CERT type requested, but does not match */ + continue; + } + public = current->get_public_key(current); + if (this->key != KEY_ANY && !public) + { /* key type requested, but no public key */ + DESTROY_IF(public); + continue; + } + if (this->key != KEY_ANY && public && this->key != public->get_type(public)) + { /* key type requested, but public key has another type */ + DESTROY_IF(public); + continue; + } + DESTROY_IF(public); + if (this->id && !current->has_subject(current, this->id)) + { /* subject requested, but does not match */ + continue; + } + *cert = current; + return TRUE; + } + return FALSE; +} + +/** + * destroy function for wrapper_enumerator_t + */ +static void wrapper_enumerator_destroy(wrapper_enumerator_t *this) +{ + this->inner->destroy(this->inner); + free(this); +} + +/** + * implementation of auth_cfg_wrapper_t.set.create_cert_enumerator + */ +static enumerator_t *create_enumerator(private_auth_cfg_wrapper_t *this, + certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) +{ + wrapper_enumerator_t *enumerator; + + if (trusted) + { + return NULL; + } + enumerator = malloc_thing(wrapper_enumerator_t); + enumerator->auth = this->auth; + enumerator->cert = cert; + enumerator->key = key; + enumerator->id = id; + enumerator->inner = this->auth->create_enumerator(this->auth); + enumerator->public.enumerate = (void*)enumerate; + enumerator->public.destroy = (void*)wrapper_enumerator_destroy; + return &enumerator->public; +} + +/** + * Implementation of auth_cfg_wrapper_t.destroy + */ +static void destroy(private_auth_cfg_wrapper_t *this) +{ + free(this); +} + +/* + * see header file + */ +auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth) +{ + private_auth_cfg_wrapper_t *this = malloc_thing(private_auth_cfg_wrapper_t); + + this->public.set.create_private_enumerator = (void*)return_null; + this->public.set.create_cert_enumerator = (void*)create_enumerator; + 
this->public.set.create_shared_enumerator = (void*)return_null; + this->public.set.create_cdp_enumerator = (void*)return_null; + this->public.set.cache_cert = (void*)nop; + this->public.destroy = (void(*)(auth_cfg_wrapper_t*))destroy; + + this->auth = auth; + + return &this->public; +} diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h new file mode 100644 index 000000000..3a4b197ac --- /dev/null +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.h @@ -0,0 +1,53 @@ +/* + * Copyright (C) 2008-2009 Martin Willi + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup auth_cfg_wrapper auth_cfg_wrapper + * @{ @ingroup sets + */ + +#ifndef AUTH_CFG_WRAPPER_H_ +#define AUTH_CFG_WRAPPER_H_ + +#include +#include + +typedef struct auth_cfg_wrapper_t auth_cfg_wrapper_t; + +/** + * A wrapper around auth_cfg_t to handle it as a credential set. + */ +struct auth_cfg_wrapper_t { + + /** + * implements credential_set_t + */ + credential_set_t set; + + /** + * Destroy a auth_cfg_wrapper instance. + */ + void (*destroy)(auth_cfg_wrapper_t *this); +}; + +/** + * Create a auth_cfg_wrapper instance. + * + * @param auth the wrapped auth info + * @return wrapper around auth + */ +auth_cfg_wrapper_t *auth_cfg_wrapper_create(auth_cfg_t *auth); + +#endif /** AUTH_CFG_WRAPPER_H_ @}*/ 
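Review bot: `fetch_cert` binds the fetched certificate to nothing but the URL: it downloads `url`, parses the blob as CERT_X509, then replaces the AUTH_HELPER_*_HASH_URL rule with the certificate and hands it to `lib->credmgr->cache_cert`, but the hash half of the peer's "Hash and URL" encoding is never compared against the fetched DER. Only a `char *` reaches this wrapper (`char *url = (char*)*value;`), so either the hash is checked before the rule is added (the producer is in another file and not visible here) or the check is missing; if the latter, the fetched certificate should be hashed after the fetch and a mismatch handled exactly like the parse failure (replace the rule value with NULL and return FALSE). The fetch itself runs synchronously inside authentication on a peer-supplied URL with no visible bound on response size or time, which deserves a comment on the function and a limit at the fetcher if it does not already impose one. Since the rule stays an AUTH_HELPER_* entry, the certificate remains a candidate for chain validation rather than something this code trusts, which is the right structure; a `/* cert is untrusted until the credential manager validates the chain */` comment above `*value = cert;` would make that explicit.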
diff --git a/src/libstrongswan/credentials/sets/cert_cache.c b/src/libstrongswan/credentials/sets/cert_cache.c new file mode 100644 index 000000000..7161ac9ac --- /dev/null +++ b/src/libstrongswan/credentials/sets/cert_cache.c 
@@ -0,0 +1,389 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "cert_cache.h"
+
+#include
+#include
+
+#include
+#include
+#include
+
+/** cache size, a power of 2 for fast modulo */
+#define CACHE_SIZE 32
+
+/** attempts to acquire a cache lock */
+#define REPLACE_TRIES 5
+
+typedef struct private_cert_cache_t private_cert_cache_t;
+typedef struct relation_t relation_t;
+
+/**
+ * A trusted relation between subject and issuer
+ */
+struct relation_t {
+
+ /**
+ * subject of this relation
+ */
+ certificate_t *subject;
+
+ /**
+ * issuer of this relation
+ */
+ certificate_t *issuer;
+
+ /**
+ * Cache hits
+ */
+ u_int hits;
+
+ /**
+ * Lock for this relation
+ */
+ rwlock_t *lock;
+};
+
+/**
+ * private data of cert_cache
+ */
+struct private_cert_cache_t {
+
+ /**
+ * public functions
+ */
+ cert_cache_t public;
+
+ /**
+ * array of trusted subject-issuer relations
+ */
+ relation_t relations[CACHE_SIZE];
+};
+
+/**
+ * Cache relation in a free slot/replace an other
+ */
+static void cache(private_cert_cache_t *this,
+ certificate_t *subject, certificate_t *issuer)
+{
+ relation_t *rel;
+ int i, offset, try;
+ u_int total_hits = 0;
+
+ /* check for a unused relation slot first */
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ rel = &this->relations[i];
+
+ if (!rel->subject && rel->lock->try_write_lock(rel->lock))
+ {
+ /* double-check having lock */
+ if (!rel->subject)
+ {
+ rel->subject = subject->get_ref(subject);
+ rel->issuer = issuer->get_ref(issuer);
+ return rel->lock->unlock(rel->lock);
+ }
+ rel->lock->unlock(rel->lock);
+ }
+ total_hits += rel->hits;
+ }
+ /* run several attempts to replace a random slot, never block. */
+ for (try = 0; try < REPLACE_TRIES; try++)
+ {
+ /* replace a random relation */
+ offset = random();
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ rel = &this->relations[(i + offset) % CACHE_SIZE];
+
+ if (rel->hits > total_hits / CACHE_SIZE)
+ { /* skip often used slots */
+ continue;
+ }
+ if (rel->lock->try_write_lock(rel->lock))
+ {
+ if (rel->subject)
+ {
+ rel->subject->destroy(rel->subject);
+ rel->issuer->destroy(rel->issuer);
+ }
+ rel->subject = subject->get_ref(subject);
+ rel->issuer = issuer->get_ref(issuer);
+ rel->hits = 0;
+ return rel->lock->unlock(rel->lock);
+ }
+ }
+ /* give other threads a chance to release locks */
+ sched_yield();
+ }
+}
+
+/**
+ * Implementation of cert_cache_t.issued_by.
+ */
+static bool issued_by(private_cert_cache_t *this,
+ certificate_t *subject, certificate_t *issuer)
+{
+ relation_t *found = NULL, *current;
+ int i;
+
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ current = &this->relations[i];
+
+ current->lock->read_lock(current->lock);
+ if (current->subject)
+ {
+ /* check for equal issuer */
+ if (issuer->equals(issuer, current->issuer))
+ {
+ /* reuse issuer instance in cache() */
+ issuer = current->issuer;
+ if (subject->equals(subject, current->subject))
+ {
+ /* write hit counter is not locked, but not critical */
+ current->hits++;
+ found = current;
+ }
+ }
+ }
+ current->lock->unlock(current->lock);
+ if (found)
+ {
+ return TRUE;
+ }
+ }
+ /* no cache hit, check and cache signature */
+ if (subject->issued_by(subject, issuer))
+ {
+ cache(this, subject, issuer);
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * certificate enumerator implemenation
+ */
+typedef struct {
+ /** implements enumerator_t interface */
+ enumerator_t public;
+ /** type of requested certificate */
+ certificate_type_t cert;
+ /** type of requested key */
+ key_type_t key;
+ /** ID to get a cert for */
+ identification_t *id;
+ /** cache */
+ relation_t *relations;
+ /** current position in array cache */
+ int index;
+ /** currently locked relation */
+ int locked;
+} cert_enumerator_t;
+
+/**
+ * filter function for certs enumerator
+ */
+static bool cert_enumerate(cert_enumerator_t *this, certificate_t **out)
+{
+ public_key_t *public;
+ relation_t *rel;
+
+ if (this->locked >= 0)
+ {
+ rel = &this->relations[this->locked];
+ rel->lock->unlock(rel->lock);
+ this->locked = -1;
+ }
+
+ while (++this->index < CACHE_SIZE)
+ {
+ rel = &this->relations[this->index];
+ rel->lock->read_lock(rel->lock);
+ this->locked = this->index;
+ if (rel->subject)
+ {
+ /* CRL lookup is done using issuer/authkeyidentifier */
+ if (this->key == KEY_ANY && this->id &&
+ (this->cert == CERT_ANY || this->cert == CERT_X509_CRL) &&
+ rel->subject->get_type(rel->subject) == CERT_X509_CRL &&
+ rel->subject->has_issuer(rel->subject, this->id))
+ {
+ *out = rel->subject;
+ return TRUE;
+ }
+ if ((this->cert == CERT_ANY ||
+ rel->subject->get_type(rel->subject) == this->cert) &&
+ (!this->id || rel->subject->has_subject(rel->subject, this->id)))
+ {
+ if (this->key == KEY_ANY)
+ {
+ *out = rel->subject;
+ return TRUE;
+ }
+ public = rel->subject->get_public_key(rel->subject);
+ if (public)
+ {
+ if (public->get_type(public) == this->key)
+ {
+ public->destroy(public);
+ *out = rel->subject;
+ return TRUE;
+ }
+ public->destroy(public);
+ }
+ }
+ }
+ this->locked = -1;
+ rel->lock->unlock(rel->lock);
+ }
+ return FALSE;
+}
+
+/**
+ * clean up enumeration data
+ */
+static void cert_enumerator_destroy(cert_enumerator_t *this)
+{
+ relation_t *rel;
+
+ if (this->locked >= 0)
+ {
+ rel = &this->relations[this->locked];
+ rel->lock->unlock(rel->lock);
+ }
+ free(this);
+}
+
+/**
+ * implementation of credential_set_t.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_cert_cache_t *this,
+ certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ cert_enumerator_t *enumerator;
+
+ if (trusted)
+ {
+ return NULL;
+ }
+ enumerator = malloc_thing(cert_enumerator_t);
+ enumerator->public.enumerate = (void*)cert_enumerate;
+ enumerator->public.destroy = (void*)cert_enumerator_destroy;
+ enumerator->cert = cert;
+ enumerator->key = key;
+ enumerator->id = id;
+ enumerator->relations = this->relations;
+ enumerator->index = -1;
+ enumerator->locked = -1;
+
+ return &enumerator->public;
+}
+
+/**
+ * Implementation of cert_cache_t.flush.
+ */
+static void flush(private_cert_cache_t *this, certificate_type_t type)
+{
+ relation_t *rel;
+ int i;
+
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ rel = &this->relations[i];
+ if (!rel->subject)
+ {
+ continue;
+ }
+ /* check with cheap read lock first */
+ if (type != CERT_ANY)
+ {
+ rel->lock->read_lock(rel->lock);
+ if (!rel->subject || type != rel->subject->get_type(rel->subject))
+ {
+ rel->lock->unlock(rel->lock);
+ continue;
+ }
+ rel->lock->unlock(rel->lock);
+ }
+ /* double check in write lock */
+ rel->lock->write_lock(rel->lock);
+ if (rel->subject)
+ {
+ if (type == CERT_ANY || type == rel->subject->get_type(rel->subject))
+ {
+ rel->subject->destroy(rel->subject);
+ rel->issuer->destroy(rel->issuer);
+ rel->subject = NULL;
+ rel->issuer = NULL;
+ rel->hits = 0;
+ }
+ }
+ rel->lock->unlock(rel->lock);
+ }
+}
+
+/**
+ * Implementation of cert_cache_t.destroy
+ */
+static void destroy(private_cert_cache_t *this)
+{
+ relation_t *rel;
+ int i;
+
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ rel = &this->relations[i];
+ if (rel->subject)
+ {
+ rel->subject->destroy(rel->subject);
+ rel->issuer->destroy(rel->issuer);
+ }
+ rel->lock->destroy(rel->lock);
+ }
+ free(this);
+}
+
+/*
+ * see header file
+ */
+cert_cache_t *cert_cache_create()
+{
+ private_cert_cache_t *this;
+ int i;
+
+ this = malloc_thing(private_cert_cache_t);
+ this->public.set.create_private_enumerator = (void*)return_null;
+ this->public.set.create_cert_enumerator = (void*)create_enumerator;
+ this->public.set.create_shared_enumerator = (void*)return_null;
+ this->public.set.create_cdp_enumerator = (void*)return_null;
+ this->public.set.cache_cert = (void*)nop;
+ this->public.issued_by = (bool(*)(cert_cache_t*, certificate_t *subject, certificate_t *issuer))issued_by;
+ this->public.flush = (void(*)(cert_cache_t*, certificate_type_t type))flush;
+ this->public.destroy = (void(*)(cert_cache_t*))destroy;
+
+ for (i = 0; i < CACHE_SIZE; i++)
+ {
+ this->relations[i].subject = NULL;
+ this->relations[i].issuer = NULL;
+ this->relations[i].hits = 0;
+ this->relations[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT);
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/credentials/sets/cert_cache.h b/src/libstrongswan/credentials/sets/cert_cache.h
new file mode 100644
index 000000000..d2721866e
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/cert_cache.h
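Review bot: In `issued_by`, `issuer = current->issuer;` hands out the cached issuer without taking a reference, and the slot's read lock is released right afterwards, so by the time `subject->issued_by(subject, issuer)` and `cache(this, subject, issuer)` run, a concurrent `flush()` or a `cache()` replacement of that slot may already have called `rel->issuer->destroy()` on that object under the write lock. Unless every caller is guaranteed to hold the only other reference to an equal issuer object, that is a use-after-free window in the signature check itself. Taking a reference while the read lock is held and releasing it on every exit closes the window; `cache()` still takes its own reference, so the hit/miss behaviour is unchanged.
```c
static bool issued_by(private_cert_cache_t *this,
					  certificate_t *subject, certificate_t *issuer)
{
	relation_t *found = NULL, *current;
	certificate_t *cached = NULL;	/* reference held on a cached issuer */
	bool result = FALSE;
	int i;

	for (i = 0; i < CACHE_SIZE; i++)
	{
		current = &this->relations[i];

		current->lock->read_lock(current->lock);
		if (current->subject)
		{
			/* check for equal issuer */
			if (issuer->equals(issuer, current->issuer))
			{
				if (!cached)
				{	/* reuse issuer instance in cache(), but keep it alive
					 * beyond this slot's read lock */
					cached = current->issuer->get_ref(current->issuer);
					issuer = cached;
				}
				if (subject->equals(subject, current->subject))
				{
					/* write hit counter is not locked, but not critical */
					current->hits++;
					found = current;
				}
			}
		}
		current->lock->unlock(current->lock);
		if (found)
		{
			result = TRUE;
			goto out;
		}
	}
	/* no cache hit, check and cache signature */
	if (subject->issued_by(subject, issuer))
	{
		cache(this, subject, issuer);
		result = TRUE;
	}
out:
	DESTROY_IF(cached);
	return result;
}
```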
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup cert_cache cert_cache
+ * @{ @ingroup sets
+ */
+
+#ifndef CERT_CACHE_H_
+#define CERT_CACHE_H_
+
+#include
+
+typedef struct cert_cache_t cert_cache_t;
+
+/**
+ * Certificate signature verification and certificate cache.
+ *
+ * This cache serves all certificates seen in its issued_by method
+ * and serves them as untrusted through the credential set interface. Further,
+ * it caches valid subject-issuer relationships to speed up the issued_by
+ * method.
+ */
+struct cert_cache_t {
+
+ /**
+ * Implements credential_set_t.
+ */
+ credential_set_t set;
+
+ /**
+ * Caching wrapper around certificate_t.issued_by.
+ *
+ * @param subject certificate to verify
+ * @param issuer issuing certificate to verify subject
+ * @return TRUE if subject issued by issuer
+ */
+ bool (*issued_by)(cert_cache_t *this,
+ certificate_t *subject, certificate_t *issuer);
+
+ /**
+ * Flush the certificate cache.
+ *
+ * @param type type of certificate to flush, or CERT_ANY
+ */
+ void (*flush)(cert_cache_t *this, certificate_type_t type);
+
+ /**
+ * Destroy a cert_cache instance.
+ */
+ void (*destroy)(cert_cache_t *this);
+};
+
+/**
+ * Create a cert_cache instance.
+ */
+cert_cache_t *cert_cache_create();
+
+#endif /** CERT_CACHE_H_ @}*/
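Review bot: `cert_cache_t *cert_cache_create();` is an old-style declaration with an unspecified parameter list, so a call with stray arguments compiles silently; write it as `cert_cache_t *cert_cache_create(void);` (and the definition in cert_cache.c to match) and add `@return cert_cache instance` to its comment. The `issued_by` description could also state the caching contract the implementation has: only positive results are stored, a negative result is re-verified on every call, e.g. `* Positive results are cached; negative ones are re-checked on each call.`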
diff --git a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
new file mode 100644
index 000000000..4786495da
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.c
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "ocsp_response_wrapper.h"
+
+typedef struct private_ocsp_response_wrapper_t private_ocsp_response_wrapper_t;
+
+/**
+ * private data of ocsp_response_wrapper
+ */
+struct private_ocsp_response_wrapper_t {
+
+ /**
+ * public functions
+ */
+ ocsp_response_wrapper_t public;
+
+ /**
+ * wrapped OCSP response
+ */
+ ocsp_response_t *response;
+};
+
+/**
+ * enumerator for ocsp_response_wrapper_t.create_cert_enumerator()
+ */
+typedef struct {
+ /** implements enumerator_t */
+ enumerator_t public;
+ /** enumerator over ocsp response */
+ enumerator_t *inner;
+ /** type of cert */
+ certificate_type_t cert;
+ /** type of key */
+ key_type_t key;
+ /** filtering identity */
+ identification_t *id;
+} wrapper_enumerator_t;
+
+/**
+ * enumerate function wrapper_enumerator_t
+ */
+static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert)
+{
+ certificate_t *current;
+ public_key_t *public;
+
+ while (this->inner->enumerate(this->inner, ¤t))
+ {
+ if (this->cert != CERT_ANY && this->cert != current->get_type(current))
+ { /* CERT type requested, but does not match */
+ continue;
+ }
+ public = current->get_public_key(current);
+ if (this->key != KEY_ANY && !public)
+ { /* key type requested, but no public key */
+ DESTROY_IF(public);
+ continue;
+ }
+ if (this->key != KEY_ANY && public && this->key != public->get_type(public))
+ { /* key type requested, but public key has another type */
+ DESTROY_IF(public);
+ continue;
+ }
+ DESTROY_IF(public);
+ if (this->id && !current->has_subject(current, this->id))
+ { /* subject requested, but does not match */
+ continue;
+ }
+ *cert = current;
+ return TRUE;
+ }
+ return FALSE;
+}
+
+/**
+ * destroy function for wrapper_enumerator_t
+ */
+static void enumerator_destroy(wrapper_enumerator_t *this)
+{
+ this->inner->destroy(this->inner);
+ free(this);
+}
+
+/**
+ * implementation of ocsp_response_wrapper_t.set.create_cert_enumerator
+ */
+static enumerator_t *create_enumerator(private_ocsp_response_wrapper_t *this,
+ certificate_type_t cert, key_type_t key,
+ identification_t *id, bool trusted)
+{
+ wrapper_enumerator_t *enumerator;
+
+ if (trusted)
+ {
+ return NULL;
+ }
+
+ enumerator = malloc_thing(wrapper_enumerator_t);
+ enumerator->cert = cert;
+ enumerator->key = key;
+ enumerator->id = id;
+ enumerator->inner = this->response->create_cert_enumerator(this->response);
+ enumerator->public.enumerate = (void*)enumerate;
+ enumerator->public.destroy = (void*)enumerator_destroy;
+ return &enumerator->public;
+}
+
+/**
+ * Implementation of ocsp_response_wrapper_t.destroy
+ */
+static void destroy(private_ocsp_response_wrapper_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response)
+{
+ private_ocsp_response_wrapper_t *this = malloc_thing(private_ocsp_response_wrapper_t);
+
+ this->public.set.create_private_enumerator = (void*)return_null;
+ this->public.set.create_cert_enumerator = (void*)create_enumerator;
+ this->public.set.create_shared_enumerator = (void*)return_null;
+ this->public.set.create_cdp_enumerator = (void*)return_null;
+ this->public.set.cache_cert = (void*)nop;
+ this->public.destroy = (void(*)(ocsp_response_wrapper_t*))destroy;
+
+ this->response = response;
+
+ return &this->public;
+}
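Review bot: In `enumerate()`, `public = current->get_public_key(current);` runs for every candidate certificate even when `this->key == KEY_ANY`, so each enumeration step instantiates a public key object only to `DESTROY_IF` it a few lines later; the `DESTROY_IF(public)` inside the `!public` branch is also a no-op. Fetching the key only when a key type was actually requested keeps the filtering identical and saves the allocation (and, presumably, the key decoding behind it) on the common path.
```c
	while (this->inner->enumerate(this->inner, &current))
	{
		if (this->cert != CERT_ANY && this->cert != current->get_type(current))
		{	/* CERT type requested, but does not match */
			continue;
		}
		if (this->key != KEY_ANY)
		{	/* key type requested, fetch the key only now */
			public = current->get_public_key(current);
			if (!public)
			{	/* no public key */
				continue;
			}
			if (this->key != public->get_type(public))
			{	/* public key has another type */
				public->destroy(public);
				continue;
			}
			public->destroy(public);
		}
		/* … unchanged: subject filter, *cert = current; return TRUE; … */
	}
```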
diff --git a/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h
new file mode 100644
index 000000000..dc4b451df
--- /dev/null
+++ b/src/libstrongswan/credentials/sets/ocsp_response_wrapper.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright (C) 2008 Martin Willi
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ocsp_response_wrapper ocsp_response_wrapper
+ * @{ @ingroup sets
+ */
+
+#ifndef OCSP_RESPONSE_WRAPPER_H_
+#define OCSP_RESPONSE_WRAPPER_H_
+
+#include
+#include
+
+typedef struct ocsp_response_wrapper_t ocsp_response_wrapper_t;
+
+/**
+ * A wrapper around ocsp_response_t to handle it like a credential set.
+ */
+struct ocsp_response_wrapper_t {
+
+ /**
+ * implements credential_set_t
+ */
+ credential_set_t set;
+
+ /**
+ * Destroy a ocsp_response_wrapper instance.
+ */
+ void (*destroy)(ocsp_response_wrapper_t *this);
+};
+
+/**
+ * Create a ocsp_response_wrapper instance.
+ *
+ * @param response the wrapped OCSP response
+ * @return wrapper around response
+ */
+ocsp_response_wrapper_t *ocsp_response_wrapper_create(ocsp_response_t *response);
+
+#endif /** OCSP_RESPONSE_WRAPPER_H_ @}*/
diff --git a/src/libstrongswan/library.c b/src/libstrongswan/library.c
index 108ac2ca0..b61bdf7a0 100644
--- a/src/libstrongswan/library.c
+++ b/src/libstrongswan/library.c
@@ -18,12 +18,13 @@ #include -#include "debug.h" -#include "threading/thread.h" -#include "utils/identification.h" -#include "utils/host.h" +#include +#include +#include +#include +#include #ifdef LEAK_DETECTIVE -#include "utils/leak_detective.h" +#include #endif #define CHECKSUM_LIBRARY IPSEC_DIR"/libchecksum.so" @@ -59,9 +60,14 @@ library_t *lib; void library_deinit() { private_library_t *this = (private_library_t*)lib; + bool detailed; + + detailed = lib->settings->get_bool(lib->settings, + "libstrongswan.leak_detective.detailed", TRUE); this->public.plugins->destroy(this->public.plugins); this->public.settings->destroy(this->public.settings); + this->public.credmgr->destroy(this->public.credmgr); this->public.creds->destroy(this->public.creds); this->public.encoding->destroy(this->public.encoding); this->public.crypto->destroy(this->public.crypto); @@ -76,6 +82,7 @@ void library_deinit() #ifdef LEAK_DETECTIVE if (this->detective) { + this->detective->report(this->detective, detailed); this->detective->destroy(this->detective); } #endif /* LEAK_DETECTIVE */ @@ -124,11 +131,14 @@ bool library_init(char *settings) PRINTF_HOOK_ARGTYPE_END); pfh->add_handler(pfh, 'Y', identification_printf_hook, PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); + pfh->add_handler(pfh, 'R', traffic_selector_printf_hook, + PRINTF_HOOK_ARGTYPE_POINTER, PRINTF_HOOK_ARGTYPE_END); this->public.settings = settings_create(settings); this->public.crypto = crypto_factory_create(); this->public.creds = credential_factory_create(); - this->public.encoding = key_encoding_create(); + this->public.credmgr = credential_manager_create(); + this->public.encoding = cred_encoding_create(); this->public.fetcher = fetcher_manager_create(); this->public.db = database_factory_create(); this->public.plugins = plugin_loader_create(); diff --git a/src/libstrongswan/library.h b/src/libstrongswan/library.h index 241084155..cd5dfb479 100644 --- a/src/libstrongswan/library.h +++ b/src/libstrongswan/library.h 
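Review bot: In `library_deinit`, `detailed` is looked up unconditionally but only consumed inside `#ifdef LEAK_DETECTIVE`, so builds without leak detection perform a settings lookup for nothing and get an unused-but-set-variable warning; the lookup also goes through the global `lib->settings` while the neighbouring lines use `this->public.settings`. Wrap the declaration and the lookup in the same `#ifdef LEAK_DETECTIVE`/`#endif` pair (keeping them before `this->public.settings->destroy(...)`, since the value is needed after settings are gone) and read it as `detailed = this->public.settings->get_bool(this->public.settings, "libstrongswan.leak_detective.detailed", TRUE);`. The body of `library_deinit` spans several hunks, and the remainder of it is outside this one.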
@@ -28,6 +28,9 @@ * @defgroup certificates certificates * @ingroup credentials * + * @defgroup sets sets + * @ingroup credentials + * * @defgroup crypto crypto * @ingroup libstrongswan * @@ -65,7 +68,8 @@ #include "fetcher/fetcher_manager.h" #include "database/database_factory.h" #include "credentials/credential_factory.h" -#include "credentials/keys/key_encoding.h" +#include "credentials/credential_manager.h" +#include "credentials/cred_encoding.h" typedef struct library_t library_t; @@ -90,9 +94,14 @@ struct library_t { credential_factory_t *creds; /** - * key encoding registry and factory + * Manager for the credential set backends + */ + credential_manager_t *credmgr; + + /** + * Credential encoding registry and factory */ - key_encoding_t *encoding; + cred_encoding_t *encoding; /** * URL fetching facility diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 391d23049..9859b75cf 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index bd6465374..c95e7b778 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/agent/agent_private_key.c b/src/libstrongswan/plugins/agent/agent_private_key.c index 4247f849e..51ddbecc6 100644 --- a/src/libstrongswan/plugins/agent/agent_private_key.c 
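Review bot: Inserting `credmgr` between `creds` and `encoding` in `struct library_t` moves the offsets of `encoding` and every later member, and plugins dereference these fields directly (`lib->encoding->encode(...)` in the agent and gcrypt hunks below), so anything compiled against the previous header must be rebuilt. If binary compatibility of libstrongswan across releases is intended, new members should be appended at the end of the struct instead, and a one-line comment on the struct such as `/* layout is part of the plugin ABI: append new members at the end */` would make that visible to later additions. The struct definition continues past this hunk.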
+++ b/src/libstrongswan/plugins/agent/agent_private_key.c @@ -340,7 +340,7 @@ static public_key_t* get_public_key(private_agent_private_key_t *this) * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_agent_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { return FALSE; } @@ -349,7 +349,7 @@ static bool get_encoding(private_agent_private_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_agent_private_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e, key; @@ -363,7 +363,7 @@ static bool get_fingerprint(private_agent_private_key_t *this, n = read_string(&key); return lib->encoding->encode(lib->encoding, type, this, fp, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); } /** 
@@ -429,9 +429,9 @@ agent_private_key_t *agent_private_key_open(key_type_t type, va_list args) this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; this->public.interface.belongs_to = private_key_belongs_to; this->public.interface.equals = private_key_equals; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; this->public.interface.destroy = (void (*)(private_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index f95a4abe5..6a82ce94a 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 1952b22e7..fc3b0ab1a 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index af351cfe3..319baa04c 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in index 1f1f90127..73f81f4db 100644 --- a/src/libstrongswan/plugins/dnskey/Makefile.in +++ b/src/libstrongswan/plugins/dnskey/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in index 70553fbd8..4ed8276c4 100644 --- a/src/libstrongswan/plugins/fips_prf/Makefile.in +++ b/src/libstrongswan/plugins/fips_prf/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.am b/src/libstrongswan/plugins/gcrypt/Makefile.am index 48bf916ab..57f3f5016 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.am +++ b/src/libstrongswan/plugins/gcrypt/Makefile.am 
@@ -19,4 +19,4 @@ libstrongswan_gcrypt_la_SOURCES = \ gcrypt_hasher.h gcrypt_hasher.c libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version -libstrongswan_gcrypt_la_LIBADD = -lgcrypt +libstrongswan_gcrypt_la_LIBADD = -lgcrypt -lgpg-error diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in index 35829c950..09131c4be 100644 --- a/src/libstrongswan/plugins/gcrypt/Makefile.in +++ b/src/libstrongswan/plugins/gcrypt/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -272,7 +272,7 @@ libstrongswan_gcrypt_la_SOURCES = \ gcrypt_hasher.h gcrypt_hasher.c libstrongswan_gcrypt_la_LDFLAGS = -module -avoid-version -libstrongswan_gcrypt_la_LIBADD = -lgcrypt +libstrongswan_gcrypt_la_LIBADD = -lgcrypt -lgpg-error all: all-am .SUFFIXES: diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c index 2cb13c5f3..b8e86aba0 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_private_key.c @@ -308,7 +308,7 @@ static public_key_t* get_public_key(private_gcrypt_rsa_private_key_t *this) * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t cn, ce, cp, cq, cd, cu, cexp1 = chunk_empty, cexp2 = chunk_empty; gcry_mpi_t p = NULL, q = NULL, d = NULL, exp1, exp2; 
@@ -368,11 +368,11 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, cu = gcrypt_rsa_find_token(this->key, "u", NULL); success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - KEY_PART_RSA_MODULUS, cn, - KEY_PART_RSA_PUB_EXP, ce, KEY_PART_RSA_PRIV_EXP, cd, - KEY_PART_RSA_PRIME1, cp, KEY_PART_RSA_PRIME2, cq, - KEY_PART_RSA_EXP1, cexp1, KEY_PART_RSA_EXP2, cexp2, - KEY_PART_RSA_COEFF, cu, KEY_PART_END); + CRED_PART_RSA_MODULUS, cn, + CRED_PART_RSA_PUB_EXP, ce, CRED_PART_RSA_PRIV_EXP, cd, + CRED_PART_RSA_PRIME1, cp, CRED_PART_RSA_PRIME2, cq, + CRED_PART_RSA_EXP1, cexp1, CRED_PART_RSA_EXP2, cexp2, + CRED_PART_RSA_COEFF, cu, CRED_PART_END); chunk_free(&cn); chunk_free(&ce); chunk_clear(&cd); @@ -389,7 +389,7 @@ static bool get_encoding(private_gcrypt_rsa_private_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -402,8 +402,8 @@ static bool get_fingerprint(private_gcrypt_rsa_private_key_t *this, e = gcrypt_rsa_find_token(this->key, "e", NULL); success = lib->encoding->encode(lib->encoding, - type, this, fp, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + type, this, fp, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); return success; 
@@ -445,9 +445,9 @@ static private_gcrypt_rsa_private_key_t *gcrypt_rsa_private_key_create_empty() this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; this->public.interface.equals = private_key_equals; this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; this->public.interface.destroy = (void (*)(private_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c index 5fd15d9a3..80a91b976 100644 --- a/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c +++ b/src/libstrongswan/plugins/gcrypt/gcrypt_rsa_public_key.c @@ -240,7 +240,7 @@ static size_t get_keysize(private_gcrypt_rsa_public_key_t *this) * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t n, e; bool success; 
@@ -248,8 +248,8 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, n = gcrypt_rsa_find_token(this->key, "n", NULL); e = gcrypt_rsa_find_token(this->key, "e", NULL); success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, - KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, + CRED_PART_END); chunk_free(&n); chunk_free(&e); @@ -260,7 +260,7 @@ static bool get_encoding(private_gcrypt_rsa_public_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -273,8 +273,8 @@ static bool get_fingerprint(private_gcrypt_rsa_public_key_t *this, e = gcrypt_rsa_find_token(this->key, "e", NULL); success = lib->encoding->encode(lib->encoding, - type, this, fp, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + type, this, fp, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); return success; 
@@ -338,9 +338,9 @@ gcrypt_rsa_public_key_t *gcrypt_rsa_public_key_load(key_type_t type, this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.equals = public_key_equals; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; this->public.interface.destroy = (void (*)(public_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index 5c1a1fcd9..bd7100b27 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c index f70b0b545..cc9985320 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_private_key.c 
@@ -403,7 +403,7 @@ static bool belongs_to(private_gmp_rsa_private_key_t *this, public_key_t *public * Implementation of private_key_t.get_encoding */ static bool get_encoding(private_gmp_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t n, e, d, p, q, exp1, exp2, coeff; bool success; @@ -418,11 +418,11 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this, coeff = gmp_mpz_to_chunk(this->coeff); success = lib->encoding->encode(lib->encoding, - type, NULL, encoding, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d, - KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q, - KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2, - KEY_PART_RSA_COEFF, coeff, KEY_PART_END); + type, NULL, encoding, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d, + CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q, + CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2, + CRED_PART_RSA_COEFF, coeff, CRED_PART_END); chunk_free(&n); chunk_free(&e); chunk_clear(&d); @@ -439,7 +439,7 @@ static bool get_encoding(private_gmp_rsa_private_key_t *this, * Implementation of private_key_t.get_fingerprint */ static bool get_fingerprint(private_gmp_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -452,7 +452,7 @@ static bool get_fingerprint(private_gmp_rsa_private_key_t *this, e = gmp_mpz_to_chunk(this->e); success = lib->encoding->encode(lib->encoding, type, this, fp, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); 
@@ -601,9 +601,9 @@ static private_gmp_rsa_private_key_t *gmp_rsa_private_key_create_empty(void) this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key; this->public.interface.equals = (bool (*) (private_key_t*, private_key_t*))equals; this->public.interface.belongs_to = (bool (*) (private_key_t*, public_key_t*))belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref; this->public.interface.destroy = (void (*) (private_key_t*))destroy; diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c index 98dbb1922..c114ae80d 100644 --- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c @@ -396,7 +396,7 @@ static size_t get_keysize(private_gmp_rsa_public_key_t *this) * Implementation of public_key_t.get_encoding */ static bool get_encoding(private_gmp_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { chunk_t n, e; bool success; 
@@ -405,7 +405,7 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this, e = gmp_mpz_to_chunk(this->e); success = lib->encoding->encode(lib->encoding, type, NULL, encoding, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); @@ -416,7 +416,7 @@ static bool get_encoding(private_gmp_rsa_public_key_t *this, * Implementation of public_key_t.get_fingerprint */ static bool get_fingerprint(private_gmp_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *fp) + cred_encoding_type_t type, chunk_t *fp) { chunk_t n, e; bool success; @@ -429,7 +429,7 @@ static bool get_fingerprint(private_gmp_rsa_public_key_t *this, e = gmp_mpz_to_chunk(this->e); success = lib->encoding->encode(lib->encoding, type, this, fp, - KEY_PART_RSA_MODULUS, n, KEY_PART_RSA_PUB_EXP, e, KEY_PART_END); + CRED_PART_RSA_MODULUS, n, CRED_PART_RSA_PUB_EXP, e, CRED_PART_END); chunk_free(&n); chunk_free(&e); 
@@ -497,9 +497,9 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) this->public.interface.encrypt = (bool (*) (public_key_t*, chunk_t, chunk_t*))encrypt_; this->public.interface.equals = (bool (*) (public_key_t*, public_key_t*))equals; this->public.interface.get_keysize = (size_t (*) (public_key_t*))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*) (public_key_t *this))get_ref; this->public.interface.destroy = (void (*) (public_key_t *this))destroy; diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index c965f7392..b03ff44a6 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 3b69f082f..b96fd5abf 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in 
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in
index cb3307bbc..874ee07a2 100644
--- a/src/libstrongswan/plugins/md4/Makefile.in
+++ b/src/libstrongswan/plugins/md4/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in
index 8948ddcc5..cc32bca88 100644
--- a/src/libstrongswan/plugins/md5/Makefile.in
+++ b/src/libstrongswan/plugins/md5/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in
index 1a97c620e..83c1188b6 100644
--- a/src/libstrongswan/plugins/mysql/Makefile.in
+++ b/src/libstrongswan/plugins/mysql/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/plugins/openssl/Makefile.am b/src/libstrongswan/plugins/openssl/Makefile.am
index a50799798..5c845a19c 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.am
+++ b/src/libstrongswan/plugins/openssl/Makefile.am
@@ -20,7 +20,9 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_rsa_public_key.c openssl_rsa_public_key.h \
 	openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
-	openssl_ec_public_key.c openssl_ec_public_key.h
+	openssl_ec_public_key.c openssl_ec_public_key.h \
+	openssl_x509.c openssl_x509.h \
+	openssl_crl.c openssl_crl.h
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = -lcrypto
diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in
index a2a931d42..de9df7271 100644
--- a/src/libstrongswan/plugins/openssl/Makefile.in
+++ b/src/libstrongswan/plugins/openssl/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -79,7 +79,7 @@ am_libstrongswan_openssl_la_OBJECTS = openssl_plugin.lo \
 	openssl_sha1_prf.lo openssl_diffie_hellman.lo \
 	openssl_rsa_private_key.lo openssl_rsa_public_key.lo \
 	openssl_ec_diffie_hellman.lo openssl_ec_private_key.lo \
-	openssl_ec_public_key.lo
+	openssl_ec_public_key.lo openssl_x509.lo openssl_crl.lo
 libstrongswan_openssl_la_OBJECTS = \
 	$(am_libstrongswan_openssl_la_OBJECTS)
 libstrongswan_openssl_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -276,7 +276,9 @@ libstrongswan_openssl_la_SOURCES = \
 	openssl_rsa_public_key.c openssl_rsa_public_key.h \
 	openssl_ec_diffie_hellman.c openssl_ec_diffie_hellman.h \
 	openssl_ec_private_key.c openssl_ec_private_key.h \
-	openssl_ec_public_key.c openssl_ec_public_key.h
+	openssl_ec_public_key.c openssl_ec_public_key.h \
+	openssl_x509.c openssl_x509.h \
+	openssl_crl.c openssl_crl.h
 libstrongswan_openssl_la_LDFLAGS = -module -avoid-version
 libstrongswan_openssl_la_LIBADD = -lcrypto
@@ -363,6 +365,7 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crl.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_crypter.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_diffie_hellman.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_ec_diffie_hellman.Plo@am__quote@ @@ -374,6 +377,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_rsa_public_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_sha1_prf.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_util.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/openssl_x509.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c new file mode 100644 index 000000000..5645d72d7 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c 
@@ -0,0 +1,530 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* + * Copyright (C) 2010 secunet Security Networks AG + * Copyright (C) 2010 Thomas Egerer + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +#include "openssl_crl.h" +#include "openssl_util.h" + +#include +#include + +#include +#include +#include + +typedef struct private_openssl_crl_t private_openssl_crl_t; + +/** + * Private data of an openssl_crl_t object. + */ +struct private_openssl_crl_t { + + /** + * Public openssl_crl_t interface. + */ + openssl_crl_t public; + + /** + * OpenSSL representation of a CRL + */ + X509_CRL *crl; + + /** + * DER encoding of the CRL + */ + chunk_t encoding; + + /** + * Serial Number (crlNumber) of the CRL) + */ + chunk_t serial; + + /** + * AuthorityKeyIdentifier of the issuing CA + */ + chunk_t authKeyIdentifier; + + /** + * Date of this CRL + */ + time_t thisUpdate; + + /** + * Date of next CRL expected + */ + time_t nextUpdate; + + /** + * Issuer of this CRL + */ + identification_t *issuer; + + /** + * Signature scheme used in this CRL + */ + signature_scheme_t scheme; + + /** + * References to this CRL + */ + refcount_t ref; +}; + +/** + * Enumerator over revoked certificates + */ +typedef struct { + /** + * Implements enumerator_t + */ + enumerator_t public; + + /** + * stack of revoked certificates + */ + STACK_OF(X509_REVOKED) *stack; + + /** + * Total number of revoked certificates + */ + int num; + + /** + * Current position of enumerator + */ + int i; +} crl_enumerator_t; + + +METHOD(enumerator_t, crl_enumerate, bool, + crl_enumerator_t *this, chunk_t *serial, time_t *date, crl_reason_t *reason) +{ + if (this->i < this->num) + { + X509_REVOKED *revoked; + ASN1_ENUMERATED *crlrsn; + + revoked = sk_X509_REVOKED_value(this->stack, this->i); + if (serial) + { + *serial = openssl_asn1_str2chunk(revoked->serialNumber); + } + if (date) + { + *date = openssl_asn1_to_time(revoked->revocationDate); + } + if (reason) + { + *reason = CRL_REASON_UNSPECIFIED; + crlrsn = X509_REVOKED_get_ext_d2i(revoked, NID_crl_reason, + NULL, NULL); + if (crlrsn) + { + if (ASN1_STRING_type(crlrsn) == V_ASN1_ENUMERATED && + ASN1_STRING_length(crlrsn) == 1) + { + *reason = 
*ASN1_STRING_data(crlrsn); + } + ASN1_STRING_free(crlrsn); + } + } + this->i++; + return TRUE; + } + return FALSE; +} + +METHOD(crl_t, create_enumerator, enumerator_t*, + private_openssl_crl_t *this) +{ + crl_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_crl_enumerate, + .destroy = (void*)free, + }, + .stack = X509_CRL_get_REVOKED(this->crl), + ); + if (!enumerator->stack) + { + free(enumerator); + return enumerator_create_empty(); + } + enumerator->num = sk_X509_EXTENSION_num(enumerator->stack); + return &enumerator->public; +} + +METHOD(crl_t, get_serial, chunk_t, + private_openssl_crl_t *this) +{ + return this->serial; +} + +METHOD(crl_t, get_authKeyIdentifier, chunk_t, + private_openssl_crl_t *this) +{ + return this->authKeyIdentifier; +} + +METHOD(certificate_t, get_type, certificate_type_t, + private_openssl_crl_t *this) +{ + return CERT_X509_CRL; +} + +METHOD(certificate_t, get_subject_or_issuer, identification_t*, + private_openssl_crl_t *this) +{ + return this->issuer; +} + +METHOD(certificate_t, has_subject_or_issuer, id_match_t, + private_openssl_crl_t *this, identification_t *id) +{ + if (id->get_type(id) == ID_KEY_ID && + chunk_equals(this->authKeyIdentifier, id->get_encoding(id))) + { + return ID_MATCH_PERFECT; + } + return this->issuer->matches(this->issuer, id); +} + +METHOD(certificate_t, issued_by, bool, + private_openssl_crl_t *this, certificate_t *issuer) +{ + chunk_t fingerprint, tbs; + public_key_t *key; + x509_t *x509; + bool valid; + + if (issuer->get_type(issuer) != CERT_X509) + { + return FALSE; + } + x509 = (x509_t*)issuer; + if (!(x509->get_flags(x509) & X509_CA)) + { + return FALSE; + } + key = issuer->get_public_key(issuer); + if (!key) + { + return FALSE; + } + if (this->authKeyIdentifier.ptr && key) + { + if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || + !chunk_equals(fingerprint, this->authKeyIdentifier)) + { + return FALSE; + } + } + else + { + if 
(!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) + { + return FALSE; + } + } + if (this->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl); + valid = key->verify(key, this->scheme, tbs, + openssl_asn1_str2chunk(this->crl->signature)); + free(tbs.ptr); + key->destroy(key); + return valid; +} + +METHOD(certificate_t, get_public_key, public_key_t*, + private_openssl_crl_t *this) +{ + return NULL; +} + +METHOD(certificate_t, get_validity, bool, + private_openssl_crl_t *this, + time_t *when, time_t *not_before, time_t *not_after) +{ + time_t t = when ? *when : time(NULL); + + if (not_before) + { + *not_before = this->thisUpdate; + } + if (not_after) + { + *not_after = this->nextUpdate; + } + return t <= this->nextUpdate; +} + +METHOD(certificate_t, get_encoding, bool, + private_openssl_crl_t *this, cred_encoding_type_t type, chunk_t *encoding) +{ + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END); +} + +METHOD(certificate_t, equals, bool, + private_openssl_crl_t *this, certificate_t *other) +{ + chunk_t encoding; + bool equal; + + if (&this->public.crl.certificate == other) + { + return TRUE; + } + if (other->equals == (void*)equals) + { /* skip allocation if we have the same implementation */ + return chunk_equals(this->encoding, + ((private_openssl_crl_t*)other)->encoding); + } + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } + equal = chunk_equals(this->encoding, encoding); + free(encoding.ptr); + return equal; +} + +METHOD(certificate_t, get_ref, certificate_t*, + private_openssl_crl_t *this) +{ + ref_get(&this->ref); + return &this->public.crl.certificate; +} + +METHOD(certificate_t, destroy, void, + private_openssl_crl_t *this) +{ + if (ref_put(&this->ref)) + { + if (this->crl) + { + 
X509_CRL_free(this->crl); + } + DESTROY_IF(this->issuer); + free(this->authKeyIdentifier.ptr); + free(this->serial.ptr); + free(this->encoding.ptr); + free(this); + } +} + +/** + * Create an empty CRL. + */ +static private_openssl_crl_t *create_empty() +{ + private_openssl_crl_t *this; + + INIT(this, + .public = { + .crl = { + .certificate = { + .get_type = _get_type, + .get_subject = _get_subject_or_issuer, + .get_issuer = _get_subject_or_issuer, + .has_subject = _has_subject_or_issuer, + .has_issuer = _has_subject_or_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_serial = _get_serial, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .create_enumerator = _create_enumerator, + }, + }, + .ref = 1, + ); + return this; +} + +/** + * Parse the authKeyIdentifier extension + */ +static bool parse_authKeyIdentifier_ext(private_openssl_crl_t *this, + X509_EXTENSION *ext) +{ + AUTHORITY_KEYID *keyid; + + keyid = (AUTHORITY_KEYID *)X509V3_EXT_d2i(ext); + if (keyid) + { + free(this->authKeyIdentifier.ptr); + this->authKeyIdentifier = chunk_clone( + openssl_asn1_str2chunk(keyid->keyid)); + AUTHORITY_KEYID_free(keyid); + return TRUE; + } + return FALSE; +} + +/** + * Parse the crlNumber extension + */ +static bool parse_crlNumber_ext(private_openssl_crl_t *this, + X509_EXTENSION *ext) +{ + free(this->serial.ptr); + this->serial = chunk_clone( + openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext))); + return this->serial.len != 0; +} + +/** + * Parse X509 CRL extensions + */ +static bool parse_extensions(private_openssl_crl_t *this) +{ + bool ok; + int i, num; + X509_EXTENSION *ext; + STACK_OF(X509_EXTENSION) *extensions; + + extensions = this->crl->crl->extensions; + if (extensions) + { + num = sk_X509_EXTENSION_num(extensions); + for (i = 0; i < num; ++i) + { + ext = sk_X509_EXTENSION_value(extensions, i); 
+ + switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext))) + { + case NID_authority_key_identifier: + ok = parse_authKeyIdentifier_ext(this, ext); + break; + case NID_crl_number: + ok = parse_crlNumber_ext(this, ext); + break; + default: + ok = TRUE; + break; + } + if (!ok) + { + return FALSE; + } + } + } + return TRUE; +} + +/** + * Parse a X509 CRL + */ +static bool parse_crl(private_openssl_crl_t *this) +{ + const unsigned char *ptr = this->encoding.ptr; + + this->crl = d2i_X509_CRL(NULL, &ptr, this->encoding.len); + if (!this->crl) + { + return FALSE; + } + + if (!chunk_equals( + openssl_asn1_obj2chunk(this->crl->crl->sig_alg->algorithm), + openssl_asn1_obj2chunk(this->crl->sig_alg->algorithm))) + { + return FALSE; + } + this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid( + this->crl->sig_alg->algorithm)); + + this->issuer = openssl_x509_name2id(X509_CRL_get_issuer(this->crl)); + if (!this->issuer) + { + return FALSE; + } + this->thisUpdate = openssl_asn1_to_time(X509_CRL_get_lastUpdate(this->crl)); + this->nextUpdate = openssl_asn1_to_time(X509_CRL_get_nextUpdate(this->crl)); + + return parse_extensions(this); +} + +/** + * Load the CRL. + */ +openssl_crl_t *openssl_crl_load(certificate_type_t type, va_list args) +{ + chunk_t blob = chunk_empty; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + if (blob.ptr) + { + private_openssl_crl_t *this = create_empty(); + + this->encoding = chunk_clone(blob); + if (parse_crl(this)) + { + return &this->public; + } + destroy(this); + } + return NULL; +} diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.h b/src/libstrongswan/plugins/openssl/openssl_crl.h new file mode 100644 index 000000000..a0837cf50 --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_crl.h 
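Review bot: issued_by leaks the public-key reference it takes with `key = issuer->get_public_key(issuer)` on three failure paths — the authKeyIdentifier mismatch, the issuer-name mismatch and the `SIGN_UNKNOWN` check each `return FALSE` without `key->destroy(key)`, which only runs on the verify path; the `&& key` in `if (this->authKeyIdentifier.ptr && key)` is redundant since key was null-checked just above. create_enumerator sizes a `STACK_OF(X509_REVOKED)` with `sk_X509_EXTENSION_num(enumerator->stack)`; `sk_X509_REVOKED_num` is the accessor matching the stack type. parse_extensions accepts every unrecognised extension through `default: ok = TRUE;` without looking at its critical bit, so a CRL carrying an unknown critical extension (a deltaCRLIndicator, for instance) is treated as an ordinary complete CRL unless that is rejected further up; returning FALSE in the default arm when `X509_EXTENSION_get_critical(ext)` is set would follow RFC 5280's rule for unrecognised critical CRL extensions. get_validity only compares against nextUpdate (`return t <= this->nextUpdate;`), so a CRL whose thisUpdate lies in the future is reported valid, and the behaviour when the optional nextUpdate field is absent cannot be seen from openssl_asn1_to_time here — both are worth confirming against the x509 plugin's crl implementation. The fence below restructures the tail of issued_by so that every exit after the key is obtained releases it.
```c
	key = issuer->get_public_key(issuer);
	if (!key)
	{
		return FALSE;
	}
	valid = FALSE;
	if (this->authKeyIdentifier.ptr)
	{
		if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) ||
			!chunk_equals(fingerprint, this->authKeyIdentifier))
		{
			goto out;
		}
	}
	else if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer)))
	{
		goto out;
	}
	if (this->scheme == SIGN_UNKNOWN)
	{
		goto out;
	}
	tbs = openssl_i2chunk(X509_CRL_INFO, this->crl->crl);
	valid = key->verify(key, this->scheme, tbs,
						openssl_asn1_str2chunk(this->crl->signature));
	free(tbs.ptr);
out:
	/* single release point: every path after get_public_key() ends here */
	key->destroy(key);
	return valid;
```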
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup openssl_crl openssl_crl
+ * @{ @ingroup openssl_p
+ */
+
+#ifndef OPENSSL_CRL_H_
+#define OPENSSL_CRL_H_
+
+typedef struct openssl_crl_t openssl_crl_t;
+
+#include
+
+/**
+ * X.509 Certificate Revocation list implemented with OpenSSL.
+ */
+struct openssl_crl_t {
+
+	/**
+	 * Implements the crl_t interface.
+	 */
+	crl_t crl;
+};
+
+/**
+ * Load a X.509 CRL using OpenSSL.
+ *
+ * @param type		certificate type, CERT_X509_CRL only
+ * @param args		builder_part_t argument list
+ * @return			X.509 CRL, NULL on failure
+ */
+openssl_crl_t *openssl_crl_load(certificate_type_t type, va_list args);
+
+#endif /** OPENSSL_CRL_H_ @}*/
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
index faec411cd..a53e8aea0 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
+++ b/src/libstrongswan/plugins/openssl/openssl_ec_diffie_hellman.c
@@ -13,6 +13,10 @@
  * for more details.
  */
+#include
+
+#ifndef OPENSSL_NO_EC
+
 #include
 #include
@@ -331,3 +335,5 @@ openssl_ec_diffie_hellman_t *openssl_ec_diffie_hellman_create(diffie_hellman_gro
 	return &this->public;
 }
+#endif /* OPENSSL_NO_EC */
+
diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c
index bdcfda974..281155913 100644
--- a/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_private_key.c @@ -14,6 +14,10 @@ * for more details. */ +#include + +#ifndef OPENSSL_NO_EC + #include "openssl_ec_private_key.h" #include "openssl_ec_public_key.h" #include "openssl_util.h" @@ -47,7 +51,7 @@ struct private_openssl_ec_private_key_t { }; /* from ec public key */ -bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp); +bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp); /** * Build a signature as in RFC 4754 @@ -217,7 +221,7 @@ static public_key_t* get_public_key(private_openssl_ec_private_key_t *this) * Implementation of private_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_ec_private_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_ec_fingerprint(this->ec, type, fingerprint); } @@ -226,14 +230,14 @@ static bool get_fingerprint(private_openssl_ec_private_key_t *this, * Implementation of private_key_t.get_encoding. */ static bool get_encoding(private_openssl_ec_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; switch (type) { - case KEY_PRIV_ASN1_DER: - case KEY_PRIV_PEM: + case PRIVKEY_ASN1_DER: + case PRIVKEY_PEM: { bool success = TRUE; @@ -241,13 +245,13 @@ static bool get_encoding(private_openssl_ec_private_key_t *this, p = encoding->ptr; i2d_ECPrivateKey(this->ec, &p); - if (type == KEY_PRIV_PEM) + if (type == PRIVKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, - NULL, encoding, KEY_PART_ECDSA_PRIV_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM, + NULL, encoding, CRED_PART_ECDSA_PRIV_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; 
@@ -296,9 +300,9 @@ static private_openssl_ec_private_key_t *create_empty(void) this->public.interface.get_public_key = (public_key_t* (*)(private_key_t *this))get_public_key; this->public.interface.equals = private_key_equals; this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*)(private_key_t *this))get_ref; this->public.interface.destroy = (void (*)(private_key_t *this))destroy; @@ -402,4 +406,5 @@ openssl_ec_private_key_t *openssl_ec_private_key_load(key_type_t type, } return &this->public; } +#endif /* OPENSSL_NO_EC */ diff --git a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c index 790a8487d..def36c92f 100644 --- a/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_ec_public_key.c @@ -14,6 +14,10 @@ * for more details. */ +#include + +#ifndef OPENSSL_NO_EC + #include "openssl_ec_public_key.h" #include "openssl_util.h" @@ -189,7 +193,7 @@ static size_t get_keysize(private_openssl_ec_public_key_t *this) /** * Calculate fingerprint from a EC_KEY, also used in ec private key. */ -bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) +bool openssl_ec_fingerprint(EC_KEY *ec, cred_encoding_type_t type, chunk_t *fp) { hasher_t *hasher; chunk_t key; 
@@ -201,12 +205,12 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) } switch (type) { - case KEY_ID_PUBKEY_SHA1: + case KEYID_PUBKEY_SHA1: key = chunk_alloc(i2o_ECPublicKey(ec, NULL)); p = key.ptr; i2o_ECPublicKey(ec, &p); break; - case KEY_ID_PUBKEY_INFO_SHA1: + case KEYID_PUBKEY_INFO_SHA1: key = chunk_alloc(i2d_EC_PUBKEY(ec, NULL)); p = key.ptr; i2d_EC_PUBKEY(ec, &p); @@ -232,7 +236,7 @@ bool openssl_ec_fingerprint(EC_KEY *ec, key_encoding_type_t type, chunk_t *fp) * Implementation of private_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_ec_public_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_ec_fingerprint(this->ec, type, fingerprint); } @@ -241,14 +245,14 @@ static bool get_fingerprint(private_openssl_ec_public_key_t *this, * Implementation of private_key_t.get_encoding. */ static bool get_encoding(private_openssl_ec_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; switch (type) { - case KEY_PUB_SPKI_ASN1_DER: - case KEY_PUB_PEM: + case PUBKEY_SPKI_ASN1_DER: + case PUBKEY_PEM: { bool success = TRUE; @@ -256,13 +260,13 @@ static bool get_encoding(private_openssl_ec_public_key_t *this, p = encoding->ptr; i2d_EC_PUBKEY(this->ec, &p); - if (type == KEY_PUB_PEM) + if (type == PUBKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM, - NULL, encoding, KEY_PART_ECDSA_PUB_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PUBKEY_PEM, + NULL, encoding, CRED_PART_ECDSA_PUB_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; 
@@ -309,9 +313,9 @@ static private_openssl_ec_public_key_t *create_empty() this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; this->public.interface.equals = public_key_equals; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; this->public.interface.destroy = (void (*)(public_key_t *this))destroy; @@ -358,4 +362,5 @@ openssl_ec_public_key_t *openssl_ec_public_key_load(key_type_t type, } return &this->public; } +#endif /* OPENSSL_NO_EC */ diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index c1545ffb8..31697dcb8 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -14,10 +14,12 @@ * for more details. */ -#include #include -#include +#include #include +#ifndef OPENSSL_NO_ENGINE +#include +#endif #include "openssl_plugin.h" @@ -34,6 +36,8 @@ #include "openssl_rsa_public_key.h" #include "openssl_ec_private_key.h" #include "openssl_ec_public_key.h" +#include "openssl_x509.h" +#include "openssl_crl.h" typedef struct private_openssl_plugin_t private_openssl_plugin_t; 
@@ -175,8 +179,6 @@ static void destroy(private_openssl_plugin_t *this) (prf_constructor_t)openssl_sha1_prf_create); lib->crypto->remove_dh(lib->crypto, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->remove_dh(lib->crypto, - (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_rsa_private_key_load); lib->creds->remove_builder(lib->creds, @@ -185,14 +187,24 @@ static void destroy(private_openssl_plugin_t *this) (builder_function_t)openssl_rsa_private_key_connect); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_rsa_public_key_load); +#ifndef OPENSSL_NO_EC + lib->crypto->remove_dh(lib->crypto, + (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_ec_private_key_load); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_ec_private_key_gen); lib->creds->remove_builder(lib->creds, (builder_function_t)openssl_ec_public_key_load); +#endif /* OPENSSL_NO_EC */ + lib->creds->remove_builder(lib->creds, + (builder_function_t)openssl_x509_load); + lib->creds->remove_builder(lib->creds, + (builder_function_t)openssl_crl_load); +#ifndef OPENSSL_NO_ENGINE ENGINE_cleanup(); +#endif /* OPENSSL_NO_ENGINE */ EVP_cleanup(); CONF_modules_free(); @@ -215,9 +227,11 @@ plugin_t *openssl_plugin_create() OPENSSL_config(NULL); OpenSSL_add_all_algorithms(); +#ifndef OPENSSL_NO_ENGINE /* activate support for hardware accelerators */ ENGINE_load_builtin_engines(); ENGINE_register_all_complete(); +#endif /* OPENSSL_NO_ENGINE */ /* crypter */ lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, 
@@ -272,6 +286,7 @@ plugin_t *openssl_plugin_create() (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, (dh_constructor_t)openssl_diffie_hellman_create); +#ifndef OPENSSL_NO_EC lib->crypto->add_dh(lib->crypto, ECP_256_BIT, (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, ECP_384_BIT, @@ -282,6 +297,7 @@ plugin_t *openssl_plugin_create() (dh_constructor_t)openssl_ec_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, ECP_192_BIT, (dh_constructor_t)openssl_ec_diffie_hellman_create); +#endif /* OPENSSL_NO_EC */ lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, (dh_constructor_t)openssl_diffie_hellman_create); lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, @@ -306,14 +322,24 @@ plugin_t *openssl_plugin_create() (builder_function_t)openssl_rsa_private_key_connect); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, (builder_function_t)openssl_rsa_public_key_load); + lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, + (builder_function_t)openssl_rsa_public_key_load); - /* ec */ +#ifndef OPENSSL_NO_EC + /* ecdsa */ lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, (builder_function_t)openssl_ec_private_key_load); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ECDSA, (builder_function_t)openssl_ec_private_key_gen); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ECDSA, (builder_function_t)openssl_ec_public_key_load); +#endif /* OPENSSL_NO_EC */ + + /* X509 certificates */ + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, + (builder_function_t)openssl_x509_load); + lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + (builder_function_t)openssl_crl_load); return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c index de751fe89..5817ade9e 100644 
--- a/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_private_key.c @@ -21,7 +21,9 @@ #include #include +#ifndef OPENSSL_NO_ENGINE #include +#endif /* OPENSSL_NO_ENGINE */ /** * Public exponent to use for key generation. @@ -56,7 +58,7 @@ struct private_openssl_rsa_private_key_t { }; /* implemented in rsa public key */ -bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp); +bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp); /** * Build an EMPSA PKCS1 signature described in PKCS#1 @@ -206,7 +208,7 @@ static public_key_t* get_public_key(private_openssl_rsa_private_key_t *this) * Implementation of public_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_rsa_fingerprint(this->rsa, type, fingerprint); } @@ -215,7 +217,7 @@ static bool get_fingerprint(private_openssl_rsa_private_key_t *this, * Implementation of public_key_t.get_encoding. */ static bool get_encoding(private_openssl_rsa_private_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; @@ -225,8 +227,8 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this, } switch (type) { - case KEY_PRIV_ASN1_DER: - case KEY_PRIV_PEM: + case PRIVKEY_ASN1_DER: + case PRIVKEY_PEM: { bool success = TRUE; 
@@ -234,13 +236,13 @@ static bool get_encoding(private_openssl_rsa_private_key_t *this, p = encoding->ptr; i2d_RSAPrivateKey(this->rsa, &p); - if (type == KEY_PRIV_PEM) + if (type == PRIVKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PRIV_PEM, - NULL, encoding, KEY_PART_RSA_PRIV_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PRIVKEY_PEM, + NULL, encoding, CRED_PART_RSA_PRIV_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; @@ -289,9 +291,9 @@ static private_openssl_rsa_private_key_t *create_empty(void) this->public.interface.get_public_key = (public_key_t* (*) (private_key_t*))get_public_key; this->public.interface.equals = private_key_equals; this->public.interface.belongs_to = private_key_belongs_to; - this->public.interface.get_fingerprint = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(private_key_t*, chunk_t fp))private_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(private_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(private_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (private_key_t* (*) (private_key_t*))get_ref; this->public.interface.destroy = (void (*) (private_key_t*))destroy; @@ -447,6 +449,7 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_load(key_type_t type, openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, va_list args) { +#ifndef OPENSSL_NO_ENGINE private_openssl_rsa_private_key_t *this; char *keyid = NULL, *pin = NULL; EVP_PKEY *key; 
@@ -511,5 +514,8 @@ openssl_rsa_private_key_t *openssl_rsa_private_key_connect(key_type_t type, this->engine = TRUE; return &this->public; +#else /* OPENSSL_NO_ENGINE */ + return NULL; +#endif /* OPENSSL_NO_ENGINE */ } diff --git a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c index ffa575a97..6ac61a65c 100644 --- a/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c +++ b/src/libstrongswan/plugins/openssl/openssl_rsa_public_key.c @@ -172,7 +172,7 @@ static size_t get_keysize(private_openssl_rsa_public_key_t *this) /** * Calculate fingerprint from a RSA key, also used in rsa private key. */ -bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) +bool openssl_rsa_fingerprint(RSA *rsa, cred_encoding_type_t type, chunk_t *fp) { hasher_t *hasher; chunk_t key; @@ -184,12 +184,12 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) } switch (type) { - case KEY_ID_PUBKEY_SHA1: + case KEYID_PUBKEY_SHA1: key = chunk_alloc(i2d_RSAPublicKey(rsa, NULL)); p = key.ptr; i2d_RSAPublicKey(rsa, &p); break; - case KEY_ID_PUBKEY_INFO_SHA1: + case KEYID_PUBKEY_INFO_SHA1: key = chunk_alloc(i2d_RSA_PUBKEY(rsa, NULL)); p = key.ptr; i2d_RSA_PUBKEY(rsa, &p); @@ -215,7 +215,7 @@ bool openssl_rsa_fingerprint(RSA *rsa, key_encoding_type_t type, chunk_t *fp) * Implementation of public_key_t.get_fingerprint. */ static bool get_fingerprint(private_openssl_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *fingerprint) + cred_encoding_type_t type, chunk_t *fingerprint) { return openssl_rsa_fingerprint(this->rsa, type, fingerprint); } 
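Review bot: With OPENSSL_NO_ENGINE defined, `openssl_rsa_private_key_connect` becomes a stub that returns NULL, yet openssl_plugin.c still registers and removes it as a builder unconditionally (the `openssl_rsa_private_key_connect` add_builder/remove_builder lines appear as context in that file's hunks), so a smartcard key request fails with no indication why; either wrap those registrations in the same `#ifndef OPENSSL_NO_ENGINE` or log the reason, e.g. `DBG1(DBG_LIB, "OpenSSL ENGINE support disabled");` before `return NULL;`. In that configuration `type` and `args` are also unused and will warn under -Wunused-parameter; `(void)type; (void)args;` in the `#else` branch keeps the build clean. The body of the function between this hunk and the `#ifndef` at its start is outside this view.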
@@ -224,14 +224,14 @@ static bool get_fingerprint(private_openssl_rsa_public_key_t *this, * Implementation of public_key_t.get_encoding. */ static bool get_encoding(private_openssl_rsa_public_key_t *this, - key_encoding_type_t type, chunk_t *encoding) + cred_encoding_type_t type, chunk_t *encoding) { u_char *p; switch (type) { - case KEY_PUB_SPKI_ASN1_DER: - case KEY_PUB_PEM: + case PUBKEY_SPKI_ASN1_DER: + case PUBKEY_PEM: { bool success = TRUE; @@ -239,18 +239,18 @@ static bool get_encoding(private_openssl_rsa_public_key_t *this, p = encoding->ptr; i2d_RSA_PUBKEY(this->rsa, &p); - if (type == KEY_PUB_PEM) + if (type == PUBKEY_PEM) { chunk_t asn1_encoding = *encoding; - success = lib->encoding->encode(lib->encoding, KEY_PUB_PEM, - NULL, encoding, KEY_PART_RSA_PUB_ASN1_DER, - asn1_encoding, KEY_PART_END); + success = lib->encoding->encode(lib->encoding, PUBKEY_PEM, + NULL, encoding, CRED_PART_RSA_PUB_ASN1_DER, + asn1_encoding, CRED_PART_END); chunk_clear(&asn1_encoding); } return success; } - case KEY_PUB_ASN1_DER: + case PUBKEY_ASN1_DER: { *encoding = chunk_alloc(i2d_RSAPublicKey(this->rsa, NULL)); p = encoding->ptr; 
@@ -299,9 +299,9 @@ static private_openssl_rsa_public_key_t *create_empty() this->public.interface.encrypt = (bool (*)(public_key_t *this, chunk_t crypto, chunk_t *plain))encrypt_; this->public.interface.equals = public_key_equals; this->public.interface.get_keysize = (size_t (*) (public_key_t *this))get_keysize; - this->public.interface.get_fingerprint = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *fp))get_fingerprint; + this->public.interface.get_fingerprint = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *fp))get_fingerprint; this->public.interface.has_fingerprint = (bool(*)(public_key_t*, chunk_t fp))public_key_has_fingerprint; - this->public.interface.get_encoding = (bool(*)(public_key_t*, key_encoding_type_t type, chunk_t *encoding))get_encoding; + this->public.interface.get_encoding = (bool(*)(public_key_t*, cred_encoding_type_t type, chunk_t *encoding))get_encoding; this->public.interface.get_ref = (public_key_t* (*)(public_key_t *this))get_ref; this->public.interface.destroy = (void (*)(public_key_t *this))destroy; @@ -345,13 +345,25 @@ openssl_rsa_public_key_t *openssl_rsa_public_key_load(key_type_t type, this = create_empty(); if (blob.ptr) { - this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr, blob.len); + switch (type) + { + case KEY_ANY: + this->rsa = d2i_RSA_PUBKEY(NULL, (const u_char**)&blob.ptr, + blob.len); + break; + case KEY_RSA: + this->rsa = d2i_RSAPublicKey(NULL, (const u_char**)&blob.ptr, + blob.len); + break; + default: + break; + } if (this->rsa) { return &this->public; } } - else if (n.ptr && e.ptr) + else if (n.ptr && e.ptr && type == KEY_RSA) { this->rsa = RSA_new(); this->rsa->n = BN_bin2bn((const u_char*)n.ptr, n.len, NULL); diff --git a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h index 9a24e7ee1..384e328e2 100644 --- a/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h +++ b/src/libstrongswan/plugins/openssl/openssl_sha1_prf.h 
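Review bot: The new `KEY_ANY` branch in `openssl_rsa_public_key_load` is now tried for every public key blob, since openssl_plugin.c registers this loader for `CRED_PUBLIC_KEY, KEY_ANY`, so `d2i_RSA_PUBKEY` failing on a non-RSA SubjectPublicKeyInfo becomes a routine outcome rather than an error. OpenSSL's d2i functions push an entry onto the thread's error queue on failure and nothing here drains it, so consider `ERR_clear_error();` after the switch when `this->rsa` is still NULL, so stale entries are not attributed to a later, unrelated failure. The function continues beyond the hunk, so the failure cleanup path is not visible here.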
@@ -15,7 +15,7 @@ /** * @defgroup openssl_sha1_prf openssl_sha1_prf - * @{ @ingroup sha1_p + * @{ @ingroup openssl_p */ #ifndef OPENSSL_SHA1_PRF_H_ diff --git a/src/libstrongswan/plugins/openssl/openssl_util.c b/src/libstrongswan/plugins/openssl/openssl_util.c index 55b18a524..99dca3631 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.c +++ b/src/libstrongswan/plugins/openssl/openssl_util.c @@ -100,7 +100,6 @@ error: return FALSE; } - /** * Described in header. */ 
@@ -124,3 +123,85 @@ bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b) return TRUE; } +/** + * Described in header. + */ +chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1) +{ + if (asn1) + { + return chunk_create(asn1->data, asn1->length); + } + return chunk_empty; +} + +/** + * Described in header. + */ +chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1) +{ + if (asn1) + { + return chunk_create(ASN1_STRING_data(asn1), ASN1_STRING_length(asn1)); + } + return chunk_empty; +} + +/** + * Convert a X509 name to a ID_DER_ASN1_DN identification_t + */ +identification_t *openssl_x509_name2id(X509_NAME *name) +{ + if (name) + { + identification_t *id; + chunk_t chunk; + + chunk = openssl_i2chunk(X509_NAME, name); + if (chunk.len) + { + id = identification_create_from_encoding(ID_DER_ASN1_DN, chunk); + free(chunk.ptr); + return id; + } + } + return NULL; +} + +/** + * We can't include , as the ASN1_ definitions would clash + * with OpenSSL. Redeclare what we need. + */ +int asn1_known_oid(chunk_t); +time_t asn1_to_time(chunk_t *,int); + +/** + * Described in header. + */ +int openssl_asn1_known_oid(ASN1_OBJECT *obj) +{ + return asn1_known_oid(openssl_asn1_obj2chunk(obj)); +} + +/** + * Described in header. + */ +time_t openssl_asn1_to_time(ASN1_TIME *time) +{ + chunk_t chunk; + + if (time) + { + chunk = openssl_asn1_str2chunk(time); + switch (time->type) + { + case V_ASN1_UTCTIME: + case V_ASN1_GENERALIZEDTIME: + return asn1_to_time(&chunk, time->type); + default: + break; + } + } + DBG1(DBG_LIB, "invalid ASN1 time"); + return 0; +} diff --git a/src/libstrongswan/plugins/openssl/openssl_util.h b/src/libstrongswan/plugins/openssl/openssl_util.h index 538008f2c..25c692a1a 100644 --- a/src/libstrongswan/plugins/openssl/openssl_util.h +++ b/src/libstrongswan/plugins/openssl/openssl_util.h @@ -23,6 +23,7 @@ #include #include +#include /** * Returns the length in bytes of a field element 
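Review bot: `openssl_x509_name2id` releases the buffer returned by `openssl_i2chunk` with `free(chunk.ptr)`, but when an i2d_* function is handed a NULL output pointer it allocates that buffer with OpenSSL's own allocator, so it should be released with `OPENSSL_free(chunk.ptr);`. The same mismatch is in the openssl_x509.c hunk at `free(tbs.ptr)` in `issued_by` and `free(chunk.ptr)` in `parse_certificate`, and the macro's doc comment in the openssl_util.h hunk should state which allocator owns the result. With the default allocator both are malloc so this works today, but it breaks as soon as CRYPTO_set_mem_functions is used. Separately, the hand-written prototypes for `asn1_known_oid` and `asn1_to_time` are not checked against the real declarations, so a later signature change in libstrongswan's asn1 code would compile here and misbehave at runtime; a comment naming the header they mirror, or a small shim header without the clashing ASN1_ names, would make that drift visible.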
@@ -37,7 +38,7 @@ * @param hash_type NID of the hash * @param data the chunk of data to hash * @param hash chunk that contains the hash - * @return TRUE on success, FALSE otherwise + * @return TRUE on success, FALSE otherwise */ bool openssl_hash_chunk(int hash_type, chunk_t data, chunk_t *hash); @@ -65,4 +66,57 @@ bool openssl_bn_cat(int len, BIGNUM *a, BIGNUM *b, chunk_t *chunk); */ bool openssl_bn_split(chunk_t chunk, BIGNUM *a, BIGNUM *b); + +/** + * Allocate a chunk using the i2d function of a given object + * + * @param type type of the object + * @param obj object to convert to DER + * @returns allocated chunk of the object, or chunk_empty + */ +#define openssl_i2chunk(type, obj) ({ \ + unsigned char *ptr = NULL; \ + int len = i2d_##type(obj, &ptr); \ + len < 0 ? chunk_empty : chunk_create(ptr, len);}) + +/** + * Convert an OpenSSL ASN1_OBJECT to a chunk. + * + * @param asn1 asn1 object to convert + * @return chunk, pointing into asn1 object + */ +chunk_t openssl_asn1_obj2chunk(ASN1_OBJECT *asn1); + +/** + * Convert an OpenSSL ASN1_STRING to a chunk. + * + * @param asn1 asn1 string to convert + * @return chunk, pointing into asn1 string + */ +chunk_t openssl_asn1_str2chunk(ASN1_STRING *asn1); + +/** + * Convert an openssl X509_NAME to a identification_t of type ID_DER_ASN1_DN. + * + * @param name name to convert + * @return identification_t, NULL on error + */ +identification_t *openssl_x509_name2id(X509_NAME *name); + +/** + * Check if an ASN1 oid is a an OID known by libstrongswan. + * + * @param obj openssl ASN1 object + * @returns OID, as defined in + */ +int openssl_asn1_known_oid(ASN1_OBJECT *obj); + +/** + * Convert an OpenSSL ASN1_TIME to a time_t. + * + * @param time openssl ASN1_TIME + * @returns time_t, 0 on error + */ +time_t openssl_asn1_to_time(ASN1_TIME *time); + #endif /** OPENSSL_UTIL_H_ @}*/ 
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
new file mode 100644
index 000000000..1c9bb699e
--- /dev/null
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -0,0 +1,871 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/* + * Copyright (C) 2010 secunet Security Networks AG + * Copyright (C) 2010 Thomas Egerer + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. 
+ */ + +#define _GNU_SOURCE +#include +#include +#include + +#include "openssl_x509.h" +#include "openssl_util.h" + +#include +#include +#include + + +typedef struct private_openssl_x509_t private_openssl_x509_t; + +/** + * Private data of an openssl_x509_t object. + */ +struct private_openssl_x509_t { + + /** + * Public openssl_x509_t interface. + */ + openssl_x509_t public; + + /** + * OpenSSL certificate representation + */ + X509 *x509; + + /** + * DER encoded certificate + */ + chunk_t encoding; + + /** + * SHA1 hash of the certificate + */ + chunk_t hash; + + /** + * X509 flags + */ + x509_flag_t flags; + + /** + * Pathlen constraint + */ + int pathlen; + + /** + * certificate subject + */ + identification_t *subject; + + /** + * certificate issuer + */ + identification_t *issuer; + + /** + * Certificates public key + */ + public_key_t *pubkey; + + /** + * subjectKeyIdentifier as read from cert + */ + chunk_t subjectKeyIdentifier; + + /** + * authorityKeyIdentifier as read from cert + */ + chunk_t authKeyIdentifier; + + /** + * Start time of certificate validity + */ + time_t notBefore; + + /** + * End time of certificate validity + */ + time_t notAfter; + + /** + * Signature scheme of the certificate + */ + signature_scheme_t scheme; + + /** + * subjectAltNames + */ + linked_list_t *subjectAltNames; + + /** + * issuerAltNames + */ + linked_list_t *issuerAltNames; + + /** + * List of CRL URIs + */ + linked_list_t *crl_uris; + + /** + * List of OCSP URIs + */ + linked_list_t *ocsp_uris; + + /** + * References to this cert + */ + refcount_t ref; +}; + +/** + * Convert a GeneralName to an identification_t. 
+ */ +static identification_t *general_name2id(GENERAL_NAME *name) +{ + if (!name) + { + return NULL; + } + switch (name->type) + { + case GEN_EMAIL: + return identification_create_from_encoding(ID_RFC822_ADDR, + openssl_asn1_str2chunk(name->d.rfc822Name)); + case GEN_DNS: + return identification_create_from_encoding(ID_FQDN, + openssl_asn1_str2chunk(name->d.dNSName)); + case GEN_URI: + return identification_create_from_encoding(ID_DER_ASN1_GN_URI, + openssl_asn1_str2chunk(name->d.uniformResourceIdentifier)); + case GEN_IPADD: + { + chunk_t chunk = openssl_asn1_str2chunk(name->d.iPAddress); + if (chunk.len == 4) + { + return identification_create_from_encoding(ID_IPV4_ADDR, chunk); + } + if (chunk.len == 16) + { + return identification_create_from_encoding(ID_IPV6_ADDR, chunk); + } + return NULL; + } + case GEN_DIRNAME : + return openssl_x509_name2id(name->d.directoryName); + default: + return NULL; + } +} + +METHOD(x509_t, get_flags, x509_flag_t, + private_openssl_x509_t *this) +{ + return this->flags; +} + +METHOD(x509_t, get_serial, chunk_t, + private_openssl_x509_t *this) +{ + return openssl_asn1_str2chunk(X509_get_serialNumber(this->x509)); +} + +METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, + private_openssl_x509_t *this) +{ + chunk_t fingerprint; + + if (this->subjectKeyIdentifier.len) + { + return this->subjectKeyIdentifier; + } + if (this->pubkey->get_fingerprint(this->pubkey, KEYID_PUBKEY_SHA1, + &fingerprint)) + { + return fingerprint; + } + return chunk_empty; +} + +METHOD(x509_t, get_authKeyIdentifier, chunk_t, + private_openssl_x509_t *this) +{ + if (this->authKeyIdentifier.len) + { + return this->authKeyIdentifier; + } + return chunk_empty; +} + +METHOD(x509_t, get_pathLenConstraint, int, + private_openssl_x509_t *this) +{ + return this->pathlen; +} + +METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + return this->subjectAltNames->create_enumerator(this->subjectAltNames); +} + +METHOD(x509_t, 
create_crl_uri_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + return this->crl_uris->create_enumerator(this->crl_uris); +} + +METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + return this->ocsp_uris->create_enumerator(this->ocsp_uris); +} + +METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, + private_openssl_x509_t *this) +{ + /* TODO */ + return enumerator_create_empty(); +} + +METHOD(certificate_t, get_type, certificate_type_t, + private_openssl_x509_t *this) +{ + return CERT_X509; +} + +METHOD(certificate_t, get_subject, identification_t*, + private_openssl_x509_t *this) +{ + return this->subject; +} + +METHOD(certificate_t, get_issuer, identification_t*, + private_openssl_x509_t *this) +{ + return this->issuer; +} + +METHOD(certificate_t, has_subject, id_match_t, + private_openssl_x509_t *this, identification_t *subject) +{ + identification_t *current; + enumerator_t *enumerator; + id_match_t match, best; + + if (subject->get_type(subject) == ID_KEY_ID) + { + if (chunk_equals(this->hash, subject->get_encoding(subject))) + { + return ID_MATCH_PERFECT; + } + } + best = this->subject->matches(this->subject, subject); + enumerator = create_subjectAltName_enumerator(this); + while (enumerator->enumerate(enumerator, ¤t)) + { + match = current->matches(current, subject); + if (match > best) + { + best = match; + } + } + enumerator->destroy(enumerator); + return best; +} + +METHOD(certificate_t, has_issuer, id_match_t, + private_openssl_x509_t *this, identification_t *issuer) +{ + /* issuerAltNames currently not supported */ + return this->issuer->matches(this->issuer, issuer); +} + +METHOD(certificate_t, issued_by, bool, + private_openssl_x509_t *this, certificate_t *issuer) +{ + public_key_t *key; + bool valid; + x509_t *x509 = (x509_t*)issuer; + chunk_t tbs; + + if (&this->public.x509.interface == issuer) + { + if (this->flags & X509_SELF_SIGNED) + { + return TRUE; + } + } + else + { + if 
(issuer->get_type(issuer) != CERT_X509) + { + return FALSE; + } + if (!(x509->get_flags(x509) & X509_CA)) + { + return FALSE; + } + if (!this->issuer->equals(this->issuer, issuer->get_subject(issuer))) + { + return FALSE; + } + } + if (this->scheme == SIGN_UNKNOWN) + { + return FALSE; + } + key = issuer->get_public_key(issuer); + if (!key) + { + return FALSE; + } + tbs = openssl_i2chunk(X509_CINF, this->x509->cert_info); + valid = key->verify(key, this->scheme, tbs, + openssl_asn1_str2chunk(this->x509->signature)); + free(tbs.ptr); + key->destroy(key); + return valid; +} + +METHOD(certificate_t, get_public_key, public_key_t*, + private_openssl_x509_t *this) +{ + return this->pubkey->get_ref(this->pubkey); +} + +METHOD(certificate_t, get_validity, bool, + private_openssl_x509_t *this, + time_t *when, time_t *not_before, time_t *not_after) +{ + time_t t; + + if (when) + { + t = *when; + } + else + { + t = time(NULL); + } + if (not_before) + { + *not_before = this->notBefore; + } + if (not_after) + { + *not_after = this->notAfter; + } + return (t >= this->notBefore && t <= this->notAfter); +} + +METHOD(certificate_t, get_encoding, bool, + private_openssl_x509_t *this, cred_encoding_type_t type, chunk_t *encoding) +{ + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); +} + + +METHOD(certificate_t, equals, bool, + private_openssl_x509_t *this, certificate_t *other) +{ + chunk_t encoding; + bool equal; + + if (this == (private_openssl_x509_t*)other) + { + return TRUE; + } + if (other->get_type(other) != CERT_X509) + { + return FALSE; + } + if (other->equals == (void*)equals) + { /* skip allocation if we have the same implementation */ + encoding = ((private_openssl_x509_t*)other)->encoding; + return chunk_equals(this->encoding, encoding); + } + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + 
{ + return FALSE; + } + equal = chunk_equals(this->encoding, encoding); + free(encoding.ptr); + return equal; +} + +METHOD(certificate_t, get_ref, certificate_t*, + private_openssl_x509_t *this) +{ + ref_get(&this->ref); + return &this->public.x509.interface; +} + +METHOD(certificate_t, destroy, void, + private_openssl_x509_t *this) +{ + if (ref_put(&this->ref)) + { + if (this->x509) + { + X509_free(this->x509); + } + DESTROY_IF(this->subject); + DESTROY_IF(this->issuer); + DESTROY_IF(this->pubkey); + free(this->subjectKeyIdentifier.ptr); + free(this->authKeyIdentifier.ptr); + free(this->encoding.ptr); + free(this->hash.ptr); + this->subjectAltNames->destroy_offset(this->subjectAltNames, + offsetof(identification_t, destroy)); + this->issuerAltNames->destroy_offset(this->issuerAltNames, + offsetof(identification_t, destroy)); + this->crl_uris->destroy_function(this->crl_uris, free); + this->ocsp_uris->destroy_function(this->ocsp_uris, free); + free(this); + } +} + +/** + * Create an empty certificate + */ +static private_openssl_x509_t *create_empty() +{ + private_openssl_x509_t *this; + + INIT(this, + .public = { + .x509 = { + .interface = { + .get_type = _get_type, + .get_subject = _get_subject, + .get_issuer = _get_issuer, + .has_subject = _has_subject, + .has_issuer = _has_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_flags = _get_flags, + .get_serial = _get_serial, + .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .get_pathLenConstraint = _get_pathLenConstraint, + .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, + .create_crl_uri_enumerator = _create_crl_uri_enumerator, + .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, + .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, + }, + }, + 
.subjectAltNames = linked_list_create(), + .issuerAltNames = linked_list_create(), + .crl_uris = linked_list_create(), + .ocsp_uris = linked_list_create(), + .pathlen = X509_NO_PATH_LEN_CONSTRAINT, + .ref = 1, + ); + + return this; +} + +/** + * parse an extionsion containing GENERAL_NAMES into a list + */ +static bool parse_generalNames_ext(linked_list_t *list, + X509_EXTENSION *ext) +{ + GENERAL_NAMES *names; + GENERAL_NAME *name; + identification_t *id; + int i, num; + + names = X509V3_EXT_d2i(ext); + if (!names) + { + return FALSE; + } + + num = sk_GENERAL_NAME_num(names); + for (i = 0; i < num; i++) + { + name = sk_GENERAL_NAME_value(names, i); + id = general_name2id(name); + if (id) + { + list->insert_last(list, id); + } + GENERAL_NAME_free(name); + } + sk_GENERAL_NAME_free(names); + return TRUE; +} + +/** + * parse basic constraints + */ +static bool parse_basicConstraints_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + BASIC_CONSTRAINTS *constraints; + + constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext); + if (constraints) + { + if (constraints->ca) + { + this->flags |= X509_CA; + } + if (constraints->pathlen) + { + this->pathlen = ASN1_INTEGER_get(constraints->pathlen); + } + BASIC_CONSTRAINTS_free(constraints); + return TRUE; + } + return FALSE; +} + +/** + * Parse CRL distribution points + */ +static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + CRL_DIST_POINTS *cdps; + DIST_POINT *cdp; + identification_t *id; + char *uri; + int i, j, point_num, name_num; + + cdps = X509V3_EXT_d2i(ext); + if (!cdps) + { + return FALSE; + } + point_num = sk_DIST_POINT_num(cdps); + for (i = 0; i < point_num; i++) + { + cdp = sk_DIST_POINT_value(cdps, i); + if (cdp) + { + if (cdp->distpoint && cdp->distpoint->type == 0 && + cdp->distpoint->name.fullname) + { + name_num = sk_GENERAL_NAME_num(cdp->distpoint->name.fullname); + for (j = 0; j < name_num; j++) + { + id = general_name2id(sk_GENERAL_NAME_value( + 
cdp->distpoint->name.fullname, j)); + if (id) + { + if (asprintf(&uri, "%Y", id) > 0) + { + this->crl_uris->insert_first(this->crl_uris, uri); + } + id->destroy(id); + } + } + } + DIST_POINT_free(cdp); + } + } + sk_DIST_POINT_free(cdps); + return TRUE; +} + +/** + * Parse authorityInfoAccess with OCSP URIs + */ +static bool parse_authorityInfoAccess_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + AUTHORITY_INFO_ACCESS *infos; + ACCESS_DESCRIPTION *desc; + identification_t *id; + int i, num; + char *uri; + + infos = X509V3_EXT_d2i(ext); + if (!infos) + { + return FALSE; + } + num = sk_ACCESS_DESCRIPTION_num(infos); + for (i = 0; i < num; i++) + { + desc = sk_ACCESS_DESCRIPTION_value(infos, i); + if (desc) + { + if (openssl_asn1_known_oid(desc->method) == OID_OCSP) + { + id = general_name2id(desc->location); + if (id) + { + if (asprintf(&uri, "%Y", id) > 0) + { + this->ocsp_uris->insert_first(this->ocsp_uris, uri); + } + id->destroy(id); + } + } + ACCESS_DESCRIPTION_free(desc); + } + } + sk_ACCESS_DESCRIPTION_free(infos); + return TRUE; +} + +/** + * Parse authorityKeyIdentifier extension + */ +static bool parse_authKeyIdentifier_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + AUTHORITY_KEYID *keyid; + + keyid = (AUTHORITY_KEYID*)X509V3_EXT_d2i(ext); + if (keyid) + { + free(this->authKeyIdentifier.ptr); + this->authKeyIdentifier = chunk_clone( + openssl_asn1_str2chunk(keyid->keyid)); + AUTHORITY_KEYID_free(keyid); + return TRUE; + } + return FALSE; +} + +/** + * Parse subjectKeyIdentifier extension + */ +static bool parse_subjectKeyIdentifier_ext(private_openssl_x509_t *this, + X509_EXTENSION *ext) +{ + chunk_t ostr; + + ostr = openssl_asn1_str2chunk(X509_EXTENSION_get_data(ext)); + /* quick and dirty unwrap of octet string */ + if (ostr.len > 2 && + ostr.ptr[0] == V_ASN1_OCTET_STRING && ostr.ptr[1] == ostr.len - 2) + { + free(this->subjectKeyIdentifier.ptr); + this->subjectKeyIdentifier = chunk_clone(chunk_skip(ostr, 2)); + return TRUE; + 
} + return FALSE; +} + +/** + * Parse X509 extensions we are interested in + */ +static bool parse_extensions(private_openssl_x509_t *this) +{ + STACK_OF(X509_EXTENSION) *extensions; + int i, num; + + extensions = this->x509->cert_info->extensions; + if (extensions) + { + num = sk_X509_EXTENSION_num(extensions); + + for (i = 0; i < num; i++) + { + X509_EXTENSION *ext; + bool ok; + + ext = sk_X509_EXTENSION_value(extensions, i); + switch (OBJ_obj2nid(X509_EXTENSION_get_object(ext))) + { + case NID_info_access: + ok = parse_authorityInfoAccess_ext(this, ext); + break; + case NID_authority_key_identifier: + ok = parse_authKeyIdentifier_ext(this, ext); + break; + case NID_subject_key_identifier: + ok = parse_subjectKeyIdentifier_ext(this, ext); + break; + case NID_subject_alt_name: + ok = parse_generalNames_ext(this->subjectAltNames, ext); + break; + case NID_issuer_alt_name: + ok = parse_generalNames_ext(this->issuerAltNames, ext); + break; + case NID_basic_constraints: + ok = parse_basicConstraints_ext(this, ext); + break; + case NID_crl_distribution_points: + ok = parse_crlDistributionPoints_ext(this, ext); + break; + default: + ok = TRUE; + break; + } + if (!ok) + { + return FALSE; + } + } + } + return TRUE; +} + +/** + * Parse a DER encoded x509 certificate + */ +static bool parse_certificate(private_openssl_x509_t *this) +{ + const unsigned char *ptr = this->encoding.ptr; + hasher_t *hasher; + chunk_t chunk; + + this->x509 = d2i_X509(NULL, &ptr, this->encoding.len); + if (!this->x509) + { + return FALSE; + } + this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509)); + this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509)); + + switch (openssl_asn1_known_oid(this->x509->cert_info->key->algor->algorithm)) + { + case OID_RSA_ENCRYPTION: + this->pubkey = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_RSA, BUILD_BLOB_ASN1_DER, + openssl_asn1_str2chunk(X509_get0_pubkey_bitstr(this->x509)), + BUILD_END); + break; + case 
OID_EC_PUBLICKEY: + /* for ECDSA, we need the full subjectPublicKeyInfo, as it contains + * the curve parameters. */ + chunk = openssl_i2chunk(X509_PUBKEY, X509_get_X509_PUBKEY(this->x509)); + this->pubkey = lib->creds->create(lib->creds, + CRED_PUBLIC_KEY, KEY_ECDSA, BUILD_BLOB_ASN1_DER, + chunk, BUILD_END); + free(chunk.ptr); + break; + default: + DBG1(DBG_LIB, "unsupported public key algorithm"); + break; + } + if (!this->subject || !this->issuer || !this->pubkey) + { + return FALSE; + } + + this->notBefore = openssl_asn1_to_time(X509_get_notBefore(this->x509)); + this->notAfter = openssl_asn1_to_time(X509_get_notAfter(this->x509)); + + if (!chunk_equals( + openssl_asn1_obj2chunk(this->x509->cert_info->signature->algorithm), + openssl_asn1_obj2chunk(this->x509->sig_alg->algorithm))) + { + return FALSE; + } + this->scheme = signature_scheme_from_oid(openssl_asn1_known_oid( + this->x509->sig_alg->algorithm)); + + if (!parse_extensions(this)) + { + return TRUE; + } + + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (!hasher) + { + return FALSE; + } + hasher->allocate_hash(hasher, this->encoding, &this->hash); + hasher->destroy(hasher); + + if (issued_by(this, &this->public.x509.interface)) + { + this->flags |= X509_SELF_SIGNED; + } + return TRUE; +} + +openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args) +{ + chunk_t blob = chunk_empty; + x509_flag_t flags = 0; + + while (TRUE) + { + switch (va_arg(args, builder_part_t)) + { + case BUILD_BLOB_ASN1_DER: + blob = va_arg(args, chunk_t); + continue; + case BUILD_X509_FLAG: + flags |= va_arg(args, x509_flag_t); + continue; + case BUILD_END: + break; + default: + return NULL; + } + break; + } + + if (blob.ptr) + { + private_openssl_x509_t *this; + + this = create_empty(); + this->encoding = chunk_clone(blob); + this->flags |= flags; + if (parse_certificate(this)) + { + return &this->public; + } + DBG1(DBG_LIB, "OpenSSL X.509 parsing failed"); + destroy(this); + } + return NULL; +} 
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.h b/src/libstrongswan/plugins/openssl/openssl_x509.h new file mode 100644 index 000000000..52555925a --- /dev/null +++ b/src/libstrongswan/plugins/openssl/openssl_x509.h @@ -0,0 +1,50 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup openssl_x509 openssl_x509 + * @{ @ingroup openssl_p + */ + +#ifndef OPENSSL_X509_H_ +#define OPENSSL_X509_H_ + +#include + +typedef struct openssl_x509_t openssl_x509_t; + +/** + * X.509 certificate implementation using OpenSSL. + */ +struct openssl_x509_t { + + /** + * Implements x509_t interface. + */ + x509_t x509; +}; + +/** + * Load a X.509 certificate. + * + * This function takes a BUILD_BLOB_ASN1_DER. + * + * @param type certificate type, CERT_X509 only + * @param args builder_part_t argument list + * @return X.509 certificate, NULL on failure + */ +openssl_x509_t *openssl_x509_load(certificate_type_t type, va_list args); + +#endif /** OPENSSL_X509_H_ @}*/ diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 84c2ef2fb..adb8f08d1 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in 
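Review bot: The header documents `@param type certificate type, CERT_X509 only`, but the definition of openssl_x509_load() in openssl_x509.c earlier in this commit never reads `type`: it only consumes BUILD_BLOB_ASN1_DER and BUILD_X509_FLAG from `args` and returns NULL on any other builder part. Either the loader should enforce the documented contract with a guard such as `if (type != CERT_X509) { return NULL; }` ahead of the argument loop, or the @param text should state that the caller (presumably the builder registration) guarantees the type. If the latter is the intent, a one-line `@note` saying that `type` is not checked by the implementation would keep the header honest.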
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index 4e39c8f7b..e19a66fa5 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pem/pem_builder.c b/src/libstrongswan/plugins/pem/pem_builder.c index 65be9501b..a15c3f258 100644 --- a/src/libstrongswan/plugins/pem/pem_builder.c +++ b/src/libstrongswan/plugins/pem/pem_builder.c @@ -528,7 +528,7 @@ static void *pem_load(credential_type_t type, int subtype, va_list args) break; } - if (pem.ptr) + if (pem.len) { return load_from_blob(pem, type, subtype, cb, cb_data, flags); } diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index 13c99a958..e255d6fd0 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c +++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -20,7 +20,7 @@ /** * See header. */ -bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args) { chunk_t asn1; 
@@ -31,62 +31,81 @@ bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding, switch (type) { - case KEY_PUB_PEM: + case PUBKEY_PEM: label ="PUBLIC KEY"; /* direct PKCS#1 PEM encoding */ - if (key_encoding_args(args, KEY_PART_RSA_PUB_ASN1_DER, - &asn1, KEY_PART_END) || - key_encoding_args(args, KEY_PART_ECDSA_PUB_ASN1_DER, - &asn1, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_PUB_ASN1_DER, + &asn1, CRED_PART_END) || + cred_encoding_args(args, CRED_PART_ECDSA_PUB_ASN1_DER, + &asn1, CRED_PART_END)) { break; } /* indirect PEM encoding from components */ - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { - if (lib->encoding->encode(lib->encoding, KEY_PUB_SPKI_ASN1_DER, - NULL, &asn1, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_END)) + if (lib->encoding->encode(lib->encoding, PUBKEY_SPKI_ASN1_DER, + NULL, &asn1, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_END)) { to_free = asn1; break; } } return FALSE; - case KEY_PRIV_PEM: + case PRIVKEY_PEM: label ="RSA PRIVATE KEY"; /* direct PKCS#1 PEM encoding */ - if (key_encoding_args(args, KEY_PART_RSA_PRIV_ASN1_DER, - &asn1, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_PRIV_ASN1_DER, + &asn1, CRED_PART_END)) { break; } /* indirect PEM encoding from components */ - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d, - KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q, - KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2, - KEY_PART_RSA_COEFF, &coeff, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_RSA_PRIV_EXP, &d, + CRED_PART_RSA_PRIME1, &p, CRED_PART_RSA_PRIME2, &q, + CRED_PART_RSA_EXP1, &exp1, CRED_PART_RSA_EXP2, &exp2, + CRED_PART_RSA_COEFF, &coeff, CRED_PART_END)) { - if 
(lib->encoding->encode(lib->encoding, KEY_PRIV_ASN1_DER, NULL, - &asn1, KEY_PART_RSA_MODULUS, n, - KEY_PART_RSA_PUB_EXP, e, KEY_PART_RSA_PRIV_EXP, d, - KEY_PART_RSA_PRIME1, p, KEY_PART_RSA_PRIME2, q, - KEY_PART_RSA_EXP1, exp1, KEY_PART_RSA_EXP2, exp2, - KEY_PART_RSA_COEFF, coeff, KEY_PART_END)) + if (lib->encoding->encode(lib->encoding, PRIVKEY_ASN1_DER, NULL, + &asn1, CRED_PART_RSA_MODULUS, n, + CRED_PART_RSA_PUB_EXP, e, CRED_PART_RSA_PRIV_EXP, d, + CRED_PART_RSA_PRIME1, p, CRED_PART_RSA_PRIME2, q, + CRED_PART_RSA_EXP1, exp1, CRED_PART_RSA_EXP2, exp2, + CRED_PART_RSA_COEFF, coeff, CRED_PART_END)) { to_free = asn1; break; } } - if (key_encoding_args(args, KEY_PART_ECDSA_PRIV_ASN1_DER, - &asn1, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_ECDSA_PRIV_ASN1_DER, + &asn1, CRED_PART_END)) { label ="EC PRIVATE KEY"; break; } return FALSE; + case CERT_PEM: + if (cred_encoding_args(args, CRED_PART_X509_ASN1_DER, + &asn1, CRED_PART_END)) + { /* PEM encode x509 certificate */ + label = "CERTIFICATE"; + break; + } + if (cred_encoding_args(args, CRED_PART_X509_CRL_ASN1_DER, + &asn1, CRED_PART_END)) + { /* PEM encode CRL */ + label = "X509 CRL"; + break; + } + if (cred_encoding_args(args, CRED_PART_PKCS10_ASN1_DER, + &asn1, CRED_PART_END)) + { /* PEM encode PKCS10 certificate reqeuest */ + label = "CERTIFICATE REQUEST"; + break; + } default: return FALSE; } diff --git a/src/libstrongswan/plugins/pem/pem_encoder.h b/src/libstrongswan/plugins/pem/pem_encoder.h index a181133b7..d8f05dd73 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.h +++ b/src/libstrongswan/plugins/pem/pem_encoder.h @@ -21,12 +21,12 @@ #ifndef PEM_ENCODER_H_ #define PEM_ENCODER_H_ -#include +#include /** * Encoding from ASN.1 to PEM format. */ -bool pem_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args); #endif /** PEM_ENCODER_H_ @}*/ 
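Review bot: The new `case CERT_PEM:` block ends without a terminating statement, so when none of its three cred_encoding_args() calls matches, control falls through into `default:`; the PUBKEY_PEM and PRIVKEY_PEM cases in the same switch end with an explicit `return FALSE;`, and this case should do the same, both for consistency and so the silent fall-through does not survive a later reordering of the labels. Add `return FALSE;` after the PKCS10 block, or at least a `/* fallthrough */` comment if the fall-through is deliberate. The comment on that block also has a typo: `/* PEM encode PKCS10 certificate reqeuest */` should read `request`. pem_encoder_encode() continues past the end of the hunk, so the label/to_free handling after the switch is not visible here.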
diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 5d487364f..a5bc5eb39 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pgp/pgp_cert.c b/src/libstrongswan/plugins/pgp/pgp_cert.c index cd04f3d1a..5b21b46d4 100644 --- a/src/libstrongswan/plugins/pgp/pgp_cert.c +++ b/src/libstrongswan/plugins/pgp/pgp_cert.c @@ -187,29 +187,19 @@ static bool get_validity(private_pgp_cert_t *this, time_t *when, return (t >= this->valid && t <= until); } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - time_t this_update, that_update, now = time(NULL); - bool new; - - this->get_validity(this, &now, &this_update, NULL); - that->get_validity(that, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " certificate from %T is %s - existing certificate" - " from %T %s", &this_update, FALSE, new ? "newer" : "not newer", - &that_update, FALSE, new ? "replaced" : "retained"); - return new; -} - /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_pgp_cert_t *this) +static bool get_encoding(private_pgp_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_PGP_PKT) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_PGP_CERT, this->encoding, CRED_PART_END); } /** 
@@ -232,7 +222,10 @@ static bool equals(private_pgp_cert_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_pgp_cert_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_PGP_PKT, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -276,8 +269,7 @@ private_pgp_cert_t *create_empty() this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer; - this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; @@ -365,7 +357,7 @@ static bool parse_public_key(private_pgp_cert_t *this, chunk_t packet) else { /* V3 fingerprint is computed by public_key_t class */ - if (!this->key->get_fingerprint(this->key, KEY_ID_PGPV3, + if (!this->key->get_fingerprint(this->key, KEYID_PGPV3, &this->fingerprint)) { return FALSE; diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.c b/src/libstrongswan/plugins/pgp/pgp_encoder.c index d5c3df590..9043cdb9f 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.c +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.c 
@@ -25,8 +25,8 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args) hasher_t *hasher; chunk_t n, e; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); if (!hasher) @@ -55,12 +55,12 @@ static bool build_v3_fingerprint(chunk_t *encoding, va_list args) /** * See header. */ -bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding, - va_list args) +bool pgp_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, + va_list args) { switch (type) { - case KEY_ID_PGPV3: + case KEYID_PGPV3: return build_v3_fingerprint(encoding, args); default: return FALSE; diff --git a/src/libstrongswan/plugins/pgp/pgp_encoder.h b/src/libstrongswan/plugins/pgp/pgp_encoder.h index 9df143399..b5bc2af44 100644 --- a/src/libstrongswan/plugins/pgp/pgp_encoder.h +++ b/src/libstrongswan/plugins/pgp/pgp_encoder.h @@ -21,12 +21,12 @@ #ifndef PGP_ENCODER_H_ #define PGP_ENCODER_H_ -#include +#include /** * Encoding function for PGP fingerprints. */ -bool pgp_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pgp_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args); #endif /** PGP_ENCODER_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 3fdcd0590..947f52d82 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in +++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c index e46062d97..6957b2ad1 100644 
--- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.c @@ -26,8 +26,8 @@ bool build_pub(chunk_t *encoding, va_list args) { chunk_t n, e; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { *encoding = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_wrap(ASN1_INTEGER, "c", n), @@ -44,8 +44,8 @@ bool build_pub_info(chunk_t *encoding, va_list args) { chunk_t n, e; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_END)) { *encoding = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), @@ -65,11 +65,11 @@ bool build_priv(chunk_t *encoding, va_list args) { chunk_t n, e, d, p, q, exp1, exp2, coeff; - if (key_encoding_args(args, KEY_PART_RSA_MODULUS, &n, - KEY_PART_RSA_PUB_EXP, &e, KEY_PART_RSA_PRIV_EXP, &d, - KEY_PART_RSA_PRIME1, &p, KEY_PART_RSA_PRIME2, &q, - KEY_PART_RSA_EXP1, &exp1, KEY_PART_RSA_EXP2, &exp2, - KEY_PART_RSA_COEFF, &coeff, KEY_PART_END)) + if (cred_encoding_args(args, CRED_PART_RSA_MODULUS, &n, + CRED_PART_RSA_PUB_EXP, &e, CRED_PART_RSA_PRIV_EXP, &d, + CRED_PART_RSA_PRIME1, &p, CRED_PART_RSA_PRIME2, &q, + CRED_PART_RSA_EXP1, &exp1, CRED_PART_RSA_EXP2, &exp2, + CRED_PART_RSA_COEFF, &coeff, CRED_PART_END)) { *encoding = asn1_wrap(ASN1_SEQUENCE, "cmmssssss", ASN1_INTEGER_0, 
@@ -138,20 +138,20 @@ static bool build_sha1(chunk_t *encoding, va_list args) /** * See header. */ -bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pkcs1_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args) { switch (type) { - case KEY_ID_PUBKEY_INFO_SHA1: + case KEYID_PUBKEY_INFO_SHA1: return build_info_sha1(encoding, args); - case KEY_ID_PUBKEY_SHA1: + case KEYID_PUBKEY_SHA1: return build_sha1(encoding, args); - case KEY_PUB_ASN1_DER: + case PUBKEY_ASN1_DER: return build_pub(encoding, args); - case KEY_PUB_SPKI_ASN1_DER: + case PUBKEY_SPKI_ASN1_DER: return build_pub_info(encoding, args); - case KEY_PRIV_ASN1_DER: + case PRIVKEY_ASN1_DER: return build_priv(encoding, args); default: return FALSE; diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h index 11d9f27f2..2eec736f1 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_encoder.h @@ -21,12 +21,12 @@ #ifndef PKCS1_ENCODER_H_ #define PKCS1_ENCODER_H_ -#include +#include /** * Encoding function for PKCS#1/ASN.1 fingerprints/key formats. */ -bool pkcs1_encoder_encode(key_encoding_type_t type, chunk_t *encoding, +bool pkcs1_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, va_list args); #endif /** PKCS1_ENCODER_H_ @}*/ diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index cad279a9d..336d0bc02 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c @@ -118,8 +118,7 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, handle = dlopen(file, RTLD_LAZY); if (handle == NULL) { - DBG1(DBG_LIB, "plugin '%s': failed to load '%s' - %s", name, file, - dlerror()); + DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); return NULL; } constructor = dlsym(handle, create); 
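Review bot: The rewritten DBG1 line in load_plugin() drops `file` from the message, so the log no longer records which path failed to dlopen(); glibc's dlerror() text usually names the object, but that is not guaranteed across libc implementations or failure modes (a malformed ELF, a missing dependency of the plugin), and an operator correlating a failed plugin with an on-disk file loses that information. Keeping the path costs one argument: `DBG1(DBG_LIB, "plugin '%s' failed to load from '%s': %s", name, file, dlerror());`. dlerror() may also return NULL when no error is pending; whether the `%s` conversion tolerates that depends on strongswan's printf hook, which is not visible here. load_plugin() starts and ends outside the hunk.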
diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 5fe3d58f1..4dc5985cd 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/pubkey/pubkey_cert.c b/src/libstrongswan/plugins/pubkey/pubkey_cert.c index f149f6379..c50189a8b 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_cert.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_cert.c @@ -82,10 +82,10 @@ static id_match_t has_subject(private_pubkey_cert_t *this, { if (subject->get_type(subject) == ID_KEY_ID) { - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t fingerprint; - for (type = 0; type < KEY_ENCODING_MAX; type++) + for (type = 0; type < CRED_ENCODING_MAX; type++) { if (this->key->get_fingerprint(this->key, type, &fingerprint) && chunk_equals(fingerprint, subject->get_encoding(subject))) @@ -160,26 +160,13 @@ static bool get_validity(private_pubkey_cert_t *this, time_t *when, return TRUE; } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - return FALSE; -} - /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_pubkey_cert_t *this) +static bool get_encoding(private_pubkey_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - chunk_t encoding; - - if (this->key->get_encoding(this->key, KEY_PUB_ASN1_DER, &encoding)) - { - return encoding; - } - return chunk_empty; + return this->key->get_encoding(this->key, PUBKEY_ASN1_DER, encoding); } /** 
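Review bot: In has_subject() the fingerprint loop now runs `type` from 0 to CRED_ENCODING_MAX, which after this commit enumerates every cred_encoding_type_t — including non-fingerprint values such as PUBKEY_PEM, PRIVKEY_PEM and CERT_PEM introduced by other hunks of the same commit — and calls get_fingerprint() for each of them; it also re-evaluates `subject->get_encoding(subject)` on every iteration. If the key's get_fingerprint() rejects non-KEYID types this is only wasted work, but bounding the loop to the fingerprint types and hoisting `chunk_t id = subject->get_encoding(subject);` above the loop would make the intent explicit. has_subject() starts before the hunk and the loop body continues after it.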
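Review bot: The new get_encoding() ignores its `type` argument and always asks the key for PUBKEY_ASN1_DER, so a caller requesting any other cred_encoding_type_t (CERT_PEM, CERT_PGP_PKT, or the KEYID_* fingerprints that now share the enum) receives a DER public key together with a TRUE return and no indication that the requested format was not produced. Either forward the request, `return this->key->get_encoding(this->key, type, encoding);`, so unsupported types fail the way they do for plain keys, or reject everything but the one format this wrapper can provide, `if (type != PUBKEY_ASN1_DER) { return FALSE; }`; if a certificate-level type is meant to map onto the key's DER form, say so in the function comment rather than leaving the parameter silently unused. The pgp_cert.c change in this same commit checks `type == CERT_PGP_PKT` before answering, so the two implementations currently disagree.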
@@ -221,8 +208,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key) this->public.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.interface.get_encoding = (chunk_t (*)(certificate_t*))get_encoding; + this->public.interface.get_encoding = (bool (*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.equals = (bool (*)(certificate_t*, certificate_t *other))equals; this->public.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.destroy = (void (*)(certificate_t *this))destroy; @@ -230,7 +216,7 @@ static pubkey_cert_t *pubkey_cert_create(public_key_t *key) this->ref = 1; this->key = key; this->issuer = identification_create_from_encoding(ID_ANY, chunk_empty); - if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &fingerprint)) + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &fingerprint)) { this->subject = identification_create_from_encoding(ID_KEY_ID, fingerprint); } diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index 27360aa8c..af929080d 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/revocation/Makefile.am b/src/libstrongswan/plugins/revocation/Makefile.am new file mode 100644 index 000000000..fb6d01926 --- /dev/null 
+++ b/src/libstrongswan/plugins/revocation/Makefile.am @@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-revocation.la +else +plugin_LTLIBRARIES = libstrongswan-revocation.la +endif + +libstrongswan_revocation_la_SOURCES = \ + revocation_plugin.h revocation_plugin.c \ + revocation_validator.h revocation_validator.c + +libstrongswan_revocation_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in new file mode 100644 index 000000000..871566e65 --- /dev/null +++ b/src/libstrongswan/plugins/revocation/Makefile.in 
@@ -0,0 +1,588 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/revocation +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 
's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_revocation_la_LIBADD = +am_libstrongswan_revocation_la_OBJECTS = revocation_plugin.lo \ + revocation_validator.lo +libstrongswan_revocation_la_OBJECTS = \ + $(am_libstrongswan_revocation_la_OBJECTS) +libstrongswan_revocation_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_revocation_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_revocation_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_revocation_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = 
$(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_revocation_la_SOURCES) +DIST_SOURCES = $(libstrongswan_revocation_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = 
@STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = 
@top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-revocation.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-revocation.la +libstrongswan_revocation_la_SOURCES = \ + revocation_plugin.h revocation_plugin.c \ + revocation_validator.h revocation_validator.c + +libstrongswan_revocation_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/revocation/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/revocation/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-revocation.la: $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_DEPENDENCIES) + $(libstrongswan_revocation_la_LINK) $(am_libstrongswan_revocation_la_rpath) $(libstrongswan_revocation_la_OBJECTS) $(libstrongswan_revocation_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/revocation_validator.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ 
$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + 
dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded.
+.NOEXPORT:
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
new file mode 100644
index 000000000..d352a9583
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "revocation_plugin.h"
+
+#include
+#include "revocation_validator.h"
+
+typedef struct private_revocation_plugin_t private_revocation_plugin_t;
+
+/**
+ * private data of revocation_plugin
+ */
+struct private_revocation_plugin_t {
+
+ /**
+ * public functions
+ */
+ revocation_plugin_t public;
+
+ /**
+ * Validator implementation instance.
+ */
+ revocation_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_revocation_plugin_t *this)
+{
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *revocation_plugin_create()
+{
+ private_revocation_plugin_t *this;
+
+ INIT(this,
+ .public.plugin.destroy = _destroy,
+ .validator = revocation_validator_create(),
+ );
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+ return &this->public.plugin;
+}
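Review bot: `plugin_t *revocation_plugin_create()` is defined with an empty parameter list, which in C before C23 declares a function with unspecified arguments rather than none, so a call that passes arguments is not diagnosed; write it as `plugin_t *revocation_plugin_create(void)`. The same applies to `revocation_validator_create()` in revocation_validator.c and to its prototype in revocation_validator.h, where the declaration is the one that matters to callers. The rest of the file is straightforward: `destroy` unregisters the validator before freeing it, and `revocation_validator_create` as written always hands back a valid pointer, so the unchecked `this->validator` in `create` and `destroy` is fine as long as that stays true.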
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.h b/src/libstrongswan/plugins/revocation/revocation_plugin.h
new file mode 100644
index 000000000..fb886d53c
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup revocation revocation
+ * @ingroup plugins
+ *
+ * @defgroup revocation_plugin revocation_plugin
+ * @{ @ingroup revocation
+ */
+
+#ifndef REVOCATION_PLUGIN_H_
+#define REVOCATION_PLUGIN_H_
+
+#include
+
+typedef struct revocation_plugin_t revocation_plugin_t;
+
+/**
+ * X509 certificate revocation support using CRL and OCSP.
+ */
+struct revocation_plugin_t {
+
+ /**
+ * Implements plugin_t. interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** REVOCATION_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
new file mode 100644
index 000000000..29d2bc128
--- /dev/null
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -0,0 +1,587 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * Copyright (C) 2009 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "revocation_validator.h" + +#include +#include +#include +#include +#include +#include +#include + +typedef struct private_revocation_validator_t private_revocation_validator_t; + +/** + * Private data of an revocation_validator_t object. + */ +struct private_revocation_validator_t { + + /** + * Public revocation_validator_t interface. 
+ */ + revocation_validator_t public; +}; + +/** + * Do an OCSP request + */ +static certificate_t *fetch_ocsp(char *url, certificate_t *subject, + certificate_t *issuer) +{ + certificate_t *request, *response; + chunk_t send, receive; + + /* TODO: requestor name, signature */ + request = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST, + BUILD_CA_CERT, issuer, + BUILD_CERT, subject, BUILD_END); + if (!request) + { + DBG1(DBG_CFG, "generating ocsp request failed"); + return NULL; + } + + if (!request->get_encoding(request, CERT_ASN1_DER, &send)) + { + DBG1(DBG_CFG, "encoding ocsp request failed"); + request->destroy(request); + return NULL; + } + request->destroy(request); + + DBG1(DBG_CFG, " requesting ocsp status from '%s' ...", url); + if (lib->fetcher->fetch(lib->fetcher, url, &receive, + FETCH_REQUEST_DATA, send, + FETCH_REQUEST_TYPE, "application/ocsp-request", + FETCH_END) != SUCCESS) + { + DBG1(DBG_CFG, "ocsp request to %s failed", url); + chunk_free(&send); + return NULL; + } + chunk_free(&send); + + response = lib->creds->create(lib->creds, + CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE, + BUILD_BLOB_ASN1_DER, receive, BUILD_END); + chunk_free(&receive); + if (!response) + { + DBG1(DBG_CFG, "parsing ocsp response failed"); + return NULL; + } + return response; +} + +/** + * check the signature of an OCSP response + */ +static bool verify_ocsp(ocsp_response_t *response) +{ + certificate_t *issuer, *subject; + identification_t *responder; + ocsp_response_wrapper_t *wrapper; + enumerator_t *enumerator; + bool verified = FALSE; + + wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); + lib->credmgr->add_local_set(lib->credmgr, &wrapper->set); + + subject = &response->certificate; + responder = subject->get_issuer(subject); + enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, + KEY_ANY, responder, FALSE); + while (enumerator->enumerate(enumerator, &issuer, NULL)) + { + if 
(lib->credmgr->issued_by(lib->credmgr, subject, issuer)) + { + DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + verified = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + lib->credmgr->remove_local_set(lib->credmgr, &wrapper->set); + wrapper->destroy(wrapper); + return verified; +} + +/** + * Get the better of two OCSP responses, and check for usable OCSP info + */ +static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, + x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) +{ + ocsp_response_t *response; + time_t revocation, this_update, next_update, valid_until; + crl_reason_t reason; + bool revoked = FALSE; + + response = (ocsp_response_t*)cand; + + /* check ocsp signature */ + if (!verify_ocsp(response)) + { + DBG1(DBG_CFG, "ocsp response verification failed"); + cand->destroy(cand); + return best; + } + /* check if response contains our certificate */ + switch (response->get_status(response, subject, issuer, &revocation, &reason, + &this_update, &next_update)) + { + case VALIDATION_REVOKED: + /* subject has been revoked by a valid OCSP response */ + DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", + &revocation, TRUE, crl_reason_names, reason); + revoked = TRUE; + break; + case VALIDATION_GOOD: + /* results in either good or stale */ + break; + default: + case VALIDATION_FAILED: + /* candidate unusable, does not contain our cert */ + DBG1(DBG_CFG, " ocsp response contains no status on our certificate"); + cand->destroy(cand); + return best; + } + + /* select the better of the two responses */ + if (best == NULL || certificate_is_newer(cand, best)) + { + DESTROY_IF(best); + best = cand; + if (best->get_validity(best, NULL, NULL, &valid_until)) + { + DBG1(DBG_CFG, " ocsp response is valid: until %T", + &valid_until, FALSE); + *valid = VALIDATION_GOOD; + if (cache) + { /* cache non-stale only, stale certs get refetched */ + 
lib->credmgr->cache_cert(lib->credmgr, best); + } + } + else + { + DBG1(DBG_CFG, " ocsp response is stale: since %T", + &valid_until, FALSE); + *valid = VALIDATION_STALE; + } + } + else + { + *valid = VALIDATION_STALE; + cand->destroy(cand); + } + if (revoked) + { /* revoked always counts, even if stale */ + *valid = VALIDATION_REVOKED; + } + return best; +} + +/** + * validate a x509 certificate using OCSP + */ +static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + enumerator_t *enumerator; + cert_validation_t valid = VALIDATION_SKIPPED; + certificate_t *best = NULL, *current; + identification_t *keyid = NULL; + public_key_t *public; + chunk_t chunk; + char *uri = NULL; + + /** lookup cache for valid OCSP responses */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_OCSP_RESPONSE, KEY_ANY, NULL, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + if (best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached ocsp response"); + break; + } + } + enumerator->destroy(enumerator); + + /* derive the authorityKeyIdentifier from the issuer's public key */ + current = &issuer->interface; + public = current->get_public_key(current); + if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + } + /** fetch from configured OCSP responder URLs */ + if (keyid && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_OCSP_RESPONSE, keyid); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_ocsp(uri, &subject->interface, &issuer->interface); + if (current) + { + best = get_better_ocsp(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + 
enumerator->destroy(enumerator); + } + DESTROY_IF(public); + DESTROY_IF(keyid); + + /* fallback to URL fetching from subject certificate's URIs */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = subject->create_ocsp_uri_enumerator(subject); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_ocsp(uri, &subject->interface, &issuer->interface); + if (current) + { + best = get_better_ocsp(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + /* an uri was found, but no result. switch validation state to failed */ + if (valid == VALIDATION_SKIPPED && uri) + { + valid = VALIDATION_FAILED; + } + if (auth) + { + auth->add(auth, AUTH_RULE_OCSP_VALIDATION, valid); + if (valid == VALIDATION_GOOD) + { /* successful OCSP check fulfills also CRL constraint */ + auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD); + } + } + DESTROY_IF(best); + return valid; +} + +/** + * fetch a CRL from an URL + */ +static certificate_t* fetch_crl(char *url) +{ + certificate_t *crl; + chunk_t chunk; + + DBG1(DBG_CFG, " fetching crl from '%s' ...", url); + if (lib->fetcher->fetch(lib->fetcher, url, &chunk, FETCH_END) != SUCCESS) + { + DBG1(DBG_CFG, "crl fetching failed"); + return NULL; + } + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_BLOB_ASN1_DER, chunk, BUILD_END); + chunk_free(&chunk); + if (!crl) + { + DBG1(DBG_CFG, "crl fetched successfully but parsing failed"); + return NULL; + } + return crl; +} + +/** + * check the signature of an CRL + */ +static bool verify_crl(certificate_t *crl) +{ + certificate_t *issuer; + enumerator_t *enumerator; + bool verified = FALSE; + + enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, + KEY_ANY, crl->get_issuer(crl), FALSE); + while (enumerator->enumerate(enumerator, &issuer, NULL)) + { + if (lib->credmgr->issued_by(lib->credmgr, crl, issuer)) + 
{ + DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", + issuer->get_subject(issuer)); + verified = TRUE; + break; + } + } + enumerator->destroy(enumerator); + + return verified; +} + +/** + * Get the better of two CRLs, and check for usable CRL info + */ +static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, + x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) +{ + enumerator_t *enumerator; + time_t revocation, valid_until; + crl_reason_t reason; + chunk_t serial; + crl_t *crl; + + /* check CRL signature */ + if (!verify_crl(cand)) + { + DBG1(DBG_CFG, "crl response verification failed"); + cand->destroy(cand); + return best; + } + + crl = (crl_t*)cand; + enumerator = crl->create_enumerator(crl); + while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) + { + if (chunk_equals(serial, subject->get_serial(subject))) + { + DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", + &revocation, TRUE, crl_reason_names, reason); + *valid = VALIDATION_REVOKED; + enumerator->destroy(enumerator); + DESTROY_IF(best); + return cand; + } + } + enumerator->destroy(enumerator); + + /* select the better of the two CRLs */ + if (best == NULL || crl_is_newer(crl, (crl_t*)best)) + { + DESTROY_IF(best); + best = cand; + if (best->get_validity(best, NULL, NULL, &valid_until)) + { + DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE); + *valid = VALIDATION_GOOD; + if (cache) + { /* we cache non-stale crls only, as a stale crls are refetched */ + lib->credmgr->cache_cert(lib->credmgr, best); + } + } + else + { + DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE); + *valid = VALIDATION_STALE; + } + } + else + { + *valid = VALIDATION_STALE; + cand->destroy(cand); + } + return best; +} + +/** + * validate a x509 certificate using CRL + */ +static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + identification_t *keyid = 
NULL; + certificate_t *best = NULL; + certificate_t *current; + public_key_t *public; + enumerator_t *enumerator; + chunk_t chunk; + char *uri = NULL; + + /* derive the authorityKeyIdentifier from the issuer's public key */ + current = &issuer->interface; + public = current->get_public_key(current); + if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + { + keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + + /* find a cached crl by authorityKeyIdentifier */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_CRL, KEY_ANY, keyid, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + best = get_better_crl(current, best, subject, issuer, + &valid, FALSE); + if (best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached crl"); + break; + } + } + enumerator->destroy(enumerator); + + /* fallback to fetching crls from credential sets cdps */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_CRL, keyid); + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_crl(uri); + if (current) + { + best = get_better_crl(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + keyid->destroy(keyid); + } + DESTROY_IF(public); + + /* fallback to fetching crls from cdps from subject's certificate */ + if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = subject->create_crl_uri_enumerator(subject); + + while (enumerator->enumerate(enumerator, &uri)) + { + current = fetch_crl(uri); + if (current) + { + best = get_better_crl(current, best, subject, issuer, + &valid, TRUE); + if (best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + + /* an uri was found, but no result. 
switch validation state to failed */ + if (valid == VALIDATION_SKIPPED && uri) + { + valid = VALIDATION_FAILED; + } + if (auth) + { + if (valid == VALIDATION_SKIPPED) + { /* if we skipped CRL validation, we use the result of OCSP for + * constraint checking */ + auth->add(auth, AUTH_RULE_CRL_VALIDATION, + auth->get(auth, AUTH_RULE_OCSP_VALIDATION)); + } + else + { + auth->add(auth, AUTH_RULE_CRL_VALIDATION, valid); + } + } + DESTROY_IF(best); + return valid; +} + +METHOD(cert_validator_t, validate, bool, + private_revocation_validator_t *this, certificate_t *subject, + certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) +{ + if (subject->get_type(subject) == CERT_X509 && + issuer->get_type(issuer) == CERT_X509 && + online) + { + DBG1(DBG_CFG, "checking certificate status of \"%Y\"", + subject->get_subject(subject)); + switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth)) + { + case VALIDATION_GOOD: + DBG1(DBG_CFG, "certificate status is good"); + return TRUE; + case VALIDATION_REVOKED: + /* has already been logged */ + return FALSE; + case VALIDATION_SKIPPED: + DBG2(DBG_CFG, "ocsp check skipped, no ocsp found"); + break; + case VALIDATION_STALE: + DBG1(DBG_CFG, "ocsp information stale, fallback to crl"); + break; + case VALIDATION_FAILED: + DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); + break; + } + switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth)) + { + case VALIDATION_GOOD: + DBG1(DBG_CFG, "certificate status is good"); + return TRUE; + case VALIDATION_REVOKED: + /* has already been logged */ + return FALSE; + case VALIDATION_FAILED: + case VALIDATION_SKIPPED: + DBG1(DBG_CFG, "certificate status is not available"); + break; + case VALIDATION_STALE: + DBG1(DBG_CFG, "certificate status is unknown, crl is stale"); + break; + } + } + return TRUE; +} + +METHOD(revocation_validator_t, destroy, void, + private_revocation_validator_t *this) +{ + free(this); +} + +/** + * See header + */ +revocation_validator_t 
*revocation_validator_create() +{ + private_revocation_validator_t *this; + + INIT(this, + .public = { + .validator.validate = _validate, + .destroy = _destroy, + }, + ); + + return &this->public; +} diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.h b/src/libstrongswan/plugins/revocation/revocation_validator.h new file mode 100644 index 000000000..82cbde26b --- /dev/null +++ b/src/libstrongswan/plugins/revocation/revocation_validator.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup revocation_validator revocation_validator + * @{ @ingroup revocation + */ + +#ifndef REVOCATION_VALIDATOR_H_ +#define REVOCATION_VALIDATOR_H_ + +#include + +typedef struct revocation_validator_t revocation_validator_t; + +/** + * Certificate validator doing CRL/OCSP checking of X509 certificates. + */ +struct revocation_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a revocation_validator_t. + */ + void (*destroy)(revocation_validator_t *this); +}; + +/** + * Create a revocation_validator instance. + */ +revocation_validator_t *revocation_validator_create(); + +#endif /** REVOCATION_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index dacb5be4b..703764e5e 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in 
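Review bot: `validate` fails open and the file does not say whether that is intended: in both switches every outcome other than VALIDATION_REVOKED falls through to the trailing `return TRUE`, so a certificate whose status is unavailable (FAILED, SKIPPED) or known only from stale data (STALE) is accepted, and the same `return TRUE` covers the `online == FALSE` case, which skips even the cached-CRL and cached-OCSP enumerations at the top of check_crl and check_ocsp that, judging by their use of create_cert_enumerator rather than the fetcher, need no network. If soft-fail is the policy, record it next to the final return, e.g. `/* soft-fail: only a verified REVOKED status rejects the certificate; unavailable or stale revocation data is accepted */`, and consider gating only the fetch_ocsp/fetch_crl paths on `online` so a revocation already present in the cache is still honoured offline. Two smaller points of style: in verify_ocsp the cast `(ocsp_response_t*)response` is a no-op because `response` already has that type, and in get_better_ocsp `default:` immediately precedes `case VALIDATION_FAILED:`, which reads as if FAILED were distinct from the default; drop the cast and one of the two labels.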
+++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 6db4374c8..5e490f2e5 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index cb466ad03..6d81d0d81 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index dbe62c056..20a6db81e 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index 2bee453cd..f40427f3f 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/libstrongswan/plugins/x509/x509_ac.c b/src/libstrongswan/plugins/x509/x509_ac.c index 95e72789e..ba0357cc4 100644 --- a/src/libstrongswan/plugins/x509/x509_ac.c +++ b/src/libstrongswan/plugins/x509/x509_ac.c @@ -568,7 +568,7 @@ static chunk_t build_authorityKeyIdentifier(private_x509_ac_t *this) public = this->signerCert->get_public_key(this->signerCert); if (public) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &keyIdentifier)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &keyIdentifier)) { this->authKeyIdentifier = chunk_clone(keyIdentifier); } @@ -749,7 +749,7 @@ static bool issued_by(private_x509_ac_t *this, certificate_t *issuer) { chunk_t fingerprint; - if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; 
@@ -812,31 +812,19 @@ static bool get_validity(private_x509_ac_t *this, time_t *when, return (t >= this->notBefore && t <= this->notAfter); } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(private_x509_ac_t *this, ac_t *that) -{ - certificate_t *this_cert = &this->public.interface.certificate; - certificate_t *that_cert = &that->certificate; - time_t this_update, that_update, now = time(NULL); - bool new; - - this_cert->get_validity(this_cert, &now, &this_update, NULL); - that_cert->get_validity(that_cert, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " attr cert from %T is %s - existing attr cert from %T %s", - &this_update, FALSE, new ? "newer":"not newer", - &that_update, FALSE, new ? "replaced":"retained"); - return new; -} - /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_ac_t *this) +static bool get_encoding(private_x509_ac_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_AC_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -855,7 +843,10 @@ static bool equals(private_x509_ac_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_ac_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; 
@@ -904,8 +895,7 @@ static private_x509_ac_t *create_empty(void) this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding; + this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy; diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index bdbaa8d4a..92b576aa5 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -366,7 +366,17 @@ static identification_t *parse_generalName(chunk_t blob, int level0) id_type = ID_DER_ASN1_DN; break; case GN_OBJ_IP_ADDRESS: - id_type = ID_IPV4_ADDR; + switch (object.len) + { + case 4: + id_type = ID_IPV4_ADDR; + break; + case 16: + id_type = ID_IPV6_ADDR; + break; + default: + break; + } break; case GN_OBJ_OTHER_NAME: if (!parse_otherName(object, parser->get_level(parser)+1)) 
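Review bot: In the new `switch (object.len)` under GN_OBJ_IP_ADDRESS in x509_cert.c's parse_generalName, the `default: break;` arm leaves id_type at whatever value it held before the outer switch, which is outside this hunk, so an iPAddress of any length other than 4 or 16 is dropped without a trace. A diagnostic on that path would make malformed or truncated subjectAltName data visible when a peer's certificate is rejected, e.g. `default: DBG1(DBG_LIB, "  iPAddress GeneralName with unexpected length %d skipped", (int)object.len); break;`. parse_generalName begins and ends outside the hunk, so whether the unchanged id_type is a sentinel the caller already treats as "no identity" cannot be confirmed from here.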
@@ -1208,29 +1218,19 @@ static bool get_validity(private_x509_cert_t *this, time_t *when, return (t >= this->notBefore && t <= this->notAfter); } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - time_t this_update, that_update, now = time(NULL); - bool new; - - this->get_validity(this, &now, &this_update, NULL); - that->get_validity(that, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " certificate from %T is %s - existing certificate " - "from %T %s", &this_update, FALSE, new ? "newer":"not newer", - &that_update, FALSE, new ? "replaced":"retained"); - return new; -} - /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_cert_t *this) +static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -1253,7 +1253,10 @@ static bool equals(private_x509_cert_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_cert_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -1281,7 +1284,7 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) chunk_t fingerprint; if (this->public_key->get_fingerprint(this->public_key, - KEY_ID_PUBKEY_SHA1, &fingerprint)) + KEYID_PUBKEY_SHA1, &fingerprint)) { return fingerprint; } 
@@ -1383,8 +1386,7 @@ static private_x509_cert_t* create_empty(void) this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer; - this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; @@ -1536,7 +1538,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, - KEY_PUB_SPKI_ASN1_DER, &key_info)) + PUBKEY_SPKI_ASN1_DER, &key_info)) { return FALSE; } @@ -1650,7 +1652,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, chunk_t keyid; if (cert->public_key->get_fingerprint(cert->public_key, - KEY_ID_PUBKEY_SHA1, &keyid)) + KEYID_PUBKEY_SHA1, &keyid)) { subjectKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_SUBJECT_KEY_ID), @@ -1664,7 +1666,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t keyid; - if (sign_key->get_fingerprint(sign_key, KEY_ID_PUBKEY_SHA1, &keyid)) + if (sign_key->get_fingerprint(sign_key, KEYID_PUBKEY_SHA1, &keyid)) { authKeyIdentifier = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), 
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index c755d7f63..4bd0470d3 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -26,6 +26,7 @@ typedef struct revoked_t revoked_t; #include #include #include +#include #include /** @@ -118,6 +119,11 @@ struct private_x509_crl_t { */ chunk_t signature; + /** + * has this CRL been generated + */ + bool generated; + /** * reference counter */ @@ -236,7 +242,7 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_REVOCATION_DATE: revoked = malloc_thing(revoked_t); - revoked->serial = userCertificate; + revoked->serial = chunk_clone(userCertificate); revoked->date = asn1_parse_time(object, level); revoked->reason = CRL_REASON_UNSPECIFIED; this->revoked->insert_last(this->revoked, (void *)revoked); @@ -267,7 +273,6 @@ static bool parse(private_x509_crl_t *this) } else if (extn_oid == OID_AUTHORITY_KEY_ID) { - this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, level, &this->authKeySerialNumber); } 
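Review bot: In the `@@ -267,7 +273,6 @@` hunk of x509_crl.c's parse(), the assignment `this->authKeyIdentifier =` is removed while the call `x509_parse_authorityKeyIdentifier(object, level, &this->authKeySerialNumber);` stays as context, so, as the hunk reads, the parsed key identifier is discarded (and leaked, if the function returns an allocated chunk as the `free(this->authKeyIdentifier.ptr)` in destroy suggests) and `this->authKeyIdentifier` remains empty for every CRL loaded from DER. has_issuer only consults that field when its `.ptr` is set, and issued_by compares it against the issuer key's fingerprint inside a block whose condition lies outside the hunk, so depending on that condition the key-identifier binding between CRL and issuing CA is either skipped silently or compared against an empty chunk. Unless this is an artefact of the collapsed rendering, the line should read `this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, level, &this->authKeySerialNumber);`. The chunk_clone of the revoked serial in the `@@ -236` hunk is consistent with revoked_destroy freeing it later in this file.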
@@ -327,52 +332,40 @@ static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2, return TRUE; } -/** - * Implementation of crl_t.get_serial. - */ -static chunk_t get_serial(private_x509_crl_t *this) +METHOD(crl_t, get_serial, chunk_t, + private_x509_crl_t *this) { return this->crlNumber; } -/** - * Implementation of crl_t.get_authKeyIdentifier. - */ -static chunk_t get_authKeyIdentifier(private_x509_crl_t *this) +METHOD(crl_t, get_authKeyIdentifier, chunk_t, + private_x509_crl_t *this) { return this->authKeyIdentifier; } -/** - * Implementation of crl_t.create_enumerator. - */ -static enumerator_t* create_enumerator(private_x509_crl_t *this) +METHOD(crl_t, create_enumerator, enumerator_t*, + private_x509_crl_t *this) { return enumerator_create_filter( this->revoked->create_enumerator(this->revoked), (void*)filter, NULL, NULL); } -/** - * Implementation of certificate_t.get_type - */ -static certificate_type_t get_type(private_x509_crl_t *this) +METHOD(certificate_t, get_type, certificate_type_t, + private_x509_crl_t *this) { return CERT_X509_CRL; } -/** - * Implementation of certificate_t.get_issuer and get_subject - */ -static identification_t* get_issuer(private_x509_crl_t *this) +METHOD(certificate_t, get_issuer, identification_t*, + private_x509_crl_t *this) { return this->issuer; } -/** - * Implementation of certificate_t.has_subject and has_issuer. - */ -static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer) +METHOD(certificate_t, has_issuer, id_match_t, + private_x509_crl_t *this, identification_t *issuer) { if (issuer->get_type(issuer) == ID_KEY_ID && this->authKeyIdentifier.ptr && chunk_equals(this->authKeyIdentifier, issuer->get_encoding(issuer))) 
@@ -382,10 +375,8 @@ static id_match_t has_issuer(private_x509_crl_t *this, identification_t *issuer) return this->issuer->matches(this->issuer, issuer); } -/** - * Implementation of certificate_t.issued_by - */ -static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) +METHOD(certificate_t, issued_by, bool, + private_x509_crl_t *this, certificate_t *issuer) { public_key_t *key; signature_scheme_t scheme; @@ -410,7 +401,7 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) { chunk_t fingerprint; - if (!key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + if (!key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->authKeyIdentifier)) { return FALSE; @@ -436,28 +427,22 @@ static bool issued_by(private_x509_crl_t *this, certificate_t *issuer) return valid; } -/** - * Implementation of certificate_t.get_public_key - */ -static public_key_t* get_public_key(private_x509_crl_t *this) +METHOD(certificate_t, get_public_key, public_key_t*, + private_x509_crl_t *this) { return NULL; } -/** - * Implementation of certificate_t.asdf - */ -static private_x509_crl_t* get_ref(private_x509_crl_t *this) +METHOD(certificate_t, get_ref, certificate_t*, + private_x509_crl_t *this) { ref_get(&this->ref); - return this; + return &this->public.crl.certificate; } -/** - * Implementation of certificate_t.get_validity. - */ -static bool get_validity(private_x509_crl_t *this, time_t *when, - time_t *not_before, time_t *not_after) +METHOD(certificate_t, get_validity, bool, + private_x509_crl_t *this, time_t *when, + time_t *not_before, time_t *not_after) { time_t t = when ? *when : time(NULL); 
@@ -472,51 +457,20 @@ static bool get_validity(private_x509_crl_t *this, time_t *when, return (t <= this->nextUpdate); } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(private_x509_crl_t *this, crl_t *that) +METHOD(certificate_t, get_encoding, bool, + private_x509_crl_t *this, cred_encoding_type_t type, chunk_t *encoding) { - chunk_t that_crlNumber = that->get_serial(that); - bool new; - - /* compare crlNumbers if available - otherwise use thisUpdate */ - if (this->crlNumber.ptr != NULL && that_crlNumber.ptr != NULL) + if (type == CERT_ASN1_DER) { - new = chunk_compare(this->crlNumber, that_crlNumber) > 0; - DBG1(DBG_LIB, " crl #%#B is %s - existing crl #%#B %s", - &this->crlNumber, new ? "newer":"not newer", - &that_crlNumber, new ? "replaced":"retained"); - } - else - { - certificate_t *this_cert = &this->public.crl.certificate; - certificate_t *that_cert = &that->certificate; - - time_t this_update, that_update, now = time(NULL); - - this_cert->get_validity(this_cert, &now, &this_update, NULL); - that_cert->get_validity(that_cert, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " crl from %T is %s - existing crl from %T %s", - &this_update, FALSE, new ? "newer":"not newer", - &that_update, FALSE, new ? "replaced":"retained"); + *encoding = chunk_clone(this->encoding); + return TRUE; } - return new; -} - -/** - * Implementation of certificate_t.get_encoding. - */ -static chunk_t get_encoding(private_x509_crl_t *this) -{ - return chunk_clone(this->encoding); + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_CRL_ASN1_DER, this->encoding, CRED_PART_END); } -/** - * Implementation of certificate_t.equals. - */ -static bool equals(private_x509_crl_t *this, certificate_t *other) +METHOD(certificate_t, equals, bool, + private_x509_crl_t *this, certificate_t *other) { chunk_t encoding; bool equal; 
@@ -529,23 +483,39 @@ static bool equals(private_x509_crl_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_crl_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; } /** - * Implementation of certificate_t.destroy + * Destroy a revoked_t entry */ -static void destroy(private_x509_crl_t *this) +static void revoked_destroy(revoked_t *revoked) +{ + free(revoked->serial.ptr); + free(revoked); +} + +METHOD(certificate_t, destroy, void, + private_x509_crl_t *this) { if (ref_put(&this->ref)) { - this->revoked->destroy_function(this->revoked, free); + this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); + if (this->generated) + { + free(this->crlNumber.ptr); + free(this->signature.ptr); + free(this->tbsCertList.ptr); + } free(this); } } 
@@ -555,34 +525,33 @@ static void destroy(private_x509_crl_t *this) */ static private_x509_crl_t* create_empty(void) { - private_x509_crl_t *this = malloc_thing(private_x509_crl_t); - - this->public.crl.get_serial = (chunk_t (*)(crl_t*))get_serial; - this->public.crl.get_authKeyIdentifier = (chunk_t (*)(crl_t*))get_authKeyIdentifier; - this->public.crl.create_enumerator = (enumerator_t* (*)(crl_t*))create_enumerator; - this->public.crl.certificate.get_type = (certificate_type_t (*)(certificate_t *this))get_type; - this->public.crl.certificate.get_subject = (identification_t* (*)(certificate_t *this))get_issuer; - this->public.crl.certificate.get_issuer = (identification_t* (*)(certificate_t *this))get_issuer; - this->public.crl.certificate.has_subject = (id_match_t (*)(certificate_t*, identification_t *subject))has_issuer; - this->public.crl.certificate.has_issuer = (id_match_t (*)(certificate_t*, identification_t *issuer))has_issuer; - this->public.crl.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; - this->public.crl.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; - this->public.crl.certificate.get_validity = (bool (*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.crl.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.crl.certificate.get_encoding = (chunk_t (*)(certificate_t*))get_encoding; - this->public.crl.certificate.equals = (bool (*)(certificate_t*, certificate_t *other))equals; - this->public.crl.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; - this->public.crl.certificate.destroy = (void (*)(certificate_t *this))destroy; - - this->encoding = chunk_empty; - this->tbsCertList = chunk_empty; - this->issuer = NULL; - this->crlNumber = chunk_empty; - this->revoked = linked_list_create(); - this->authKeyIdentifier = chunk_empty; - this->authKeySerialNumber = chunk_empty; - this->ref = 1; - + 
private_x509_crl_t *this; + + INIT(this, + .public = { + .crl = { + .certificate = { + .get_type = _get_type, + .get_subject = _get_issuer, + .get_issuer = _get_issuer, + .has_subject = _has_issuer, + .has_issuer = _has_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_serial = _get_serial, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .create_enumerator = _create_enumerator, + }, + }, + .revoked = linked_list_create(), + .ref = 1, + ); return this; } 
@@ -621,3 +590,166 @@ x509_crl_t *x509_crl_load(certificate_type_t type, va_list args) return NULL; }; +/** + * Read certificate status from enumerator, copy to crl + */ +static void read_revoked(private_x509_crl_t *crl, enumerator_t *enumerator) +{ + revoked_t *revoked; + chunk_t serial; + time_t date; + crl_reason_t reason; + + while (enumerator->enumerate(enumerator, &serial, &date, &reason)) + { + INIT(revoked, + .serial = chunk_clone(serial), + .date = date, + .reason = reason, + ); + crl->revoked->insert_last(crl->revoked, revoked); + } +} + +/** + * Generate CRL encoding, sign CRL + */ +static bool generate(private_x509_crl_t *this, certificate_t *cert, + private_key_t *key, hash_algorithm_t digest_alg) +{ + chunk_t extensions = chunk_empty, certList = chunk_empty, serial; + enumerator_t *enumerator; + crl_reason_t reason; + time_t date; + x509_t *x509; + + x509 = (x509_t*)cert; + + this->issuer = cert->get_issuer(cert); + this->issuer = this->issuer->clone(this->issuer); + + this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); + + /* select signature scheme */ + this->algorithm = hasher_signature_algorithm_to_oid(digest_alg, + key->get_type(key)); + if (this->algorithm == OID_UNKNOWN) + { + return FALSE; + } + + enumerator = create_enumerator(this); + while (enumerator->enumerate(enumerator, &serial, &date, &reason)) + { + chunk_t revoked, entry_ext = chunk_empty; + + if (reason != CRL_REASON_UNSPECIFIED) + { + entry_ext = asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CRL_REASON_CODE), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_ENUMERATED, "c", + chunk_from_chars(reason))))); + } + revoked = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_integer("c", serial), + asn1_from_time(&date, ASN1_UTCTIME), + entry_ext); + certList = chunk_cat("mm", certList, revoked); + } + enumerator->destroy(enumerator); + + extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + 
asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_AUTHORITY_KEY_ID), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_CONTEXT_S_0, "c", + this->authKeyIdentifier)))), + asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CRL_NUMBER), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_integer("c", this->crlNumber)) + ) + )); + + this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", + ASN1_INTEGER_1, + asn1_algorithmIdentifier(this->algorithm), + this->issuer->get_encoding(this->issuer), + asn1_from_time(&this->thisUpdate, ASN1_UTCTIME), + asn1_from_time(&this->nextUpdate, ASN1_UTCTIME), + asn1_wrap(ASN1_SEQUENCE, "m", certList), + extensions); + + if (!key->sign(key, signature_scheme_from_oid(this->algorithm), + this->tbsCertList, &this->signature)) + { + return FALSE; + } + this->encoding = asn1_wrap(ASN1_SEQUENCE, "cmm", + this->tbsCertList, + asn1_algorithmIdentifier(this->algorithm), + asn1_bitstring("c", this->signature)); + return TRUE; +} + +/** + * See header. 
+ */ +x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) +{ + hash_algorithm_t digest_alg = HASH_SHA1; + private_x509_crl_t *crl; + certificate_t *cert = NULL; + private_key_t *key = NULL; + + crl = create_empty(); + crl->generated = TRUE; + while (TRUE) + { + builder_part_t part = va_arg(args, builder_part_t); + + switch (part) + { + case BUILD_SIGNING_KEY: + key = va_arg(args, private_key_t*); + continue; + case BUILD_SIGNING_CERT: + cert = va_arg(args, certificate_t*); + continue; + case BUILD_NOT_BEFORE_TIME: + crl->thisUpdate = va_arg(args, time_t); + continue; + case BUILD_NOT_AFTER_TIME: + crl->nextUpdate = va_arg(args, time_t); + continue; + case BUILD_SERIAL: + crl->crlNumber = va_arg(args, chunk_t); + crl->crlNumber = chunk_clone(crl->crlNumber); + continue; + case BUILD_DIGEST_ALG: + digest_alg = va_arg(args, int); + continue; + case BUILD_REVOKED_ENUMERATOR: + read_revoked(crl, va_arg(args, enumerator_t*)); + continue; + case BUILD_END: + break; + default: + destroy(crl); + return NULL; + } + break; + } + + if (key && cert && cert->get_type(cert) == CERT_X509 && + generate(crl, cert, key, digest_alg)) + { + return &crl->public; + } + destroy(crl); + return NULL; +} diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h index 890650162..e8fe74e81 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.h +++ b/src/libstrongswan/plugins/x509/x509_crl.h @@ -46,4 +46,13 @@ struct x509_crl_t { */ x509_crl_t *x509_crl_load(certificate_type_t type, va_list args); +/** + * Generate a X.509 CRL. + * + * @param type certificate type, CERT_X509_CRL only + * @param args builder_part_t argument list + * @return X.509 CRL, NULL on failure + */ +x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args); + #endif /** X509_CRL_H_ @}*/ diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c index c835d5dc8..ea02cbab5 100644 
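Review bot: In generate(), `this->issuer = cert->get_issuer(cert);` stores the issuer DN of the signing certificate, i.e. the DN of that CA's own issuer, whereas the CRL issuer field must name the CA that signs the CRL; the next line takes authKeyIdentifier from the same certificate's subjectKeyIdentifier, so the two identifiers in the generated CRL would designate different entities and has_issuer/issued_by on such a CRL would match the wrong CA. Unless BUILD_SIGNING_CERT is meant to carry something other than the signing CA's certificate, this should be `this->issuer = cert->get_subject(cert);`. thisUpdate, nextUpdate and every revocation date are encoded with ASN1_UTCTIME, which cannot represent years from 2050 onward (RFC 5280 §5.1.2.4 requires GeneralizedTime there), so the time type should be chosen per value. If no BUILD_SERIAL part is supplied, crlNumber stays empty yet the CRLNumber extension is still emitted around `asn1_integer("c", this->crlNumber)`, producing an invalid extension; x509_crl_gen should either require the serial or omit the extension. A repeated BUILD_SERIAL in x509_crl_gen overwrites the earlier chunk_clone without freeing it.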
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c @@ -153,7 +153,7 @@ static chunk_t build_requestList(private_x509_ocsp_request_t *this) hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); if (hasher) { - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &issuerKeyHash)) { enumerator_t *enumerator; @@ -250,7 +250,7 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, { int oid; signature_scheme_t scheme; - chunk_t certs, signature; + chunk_t certs, signature, encoding; switch (this->key->get_type(this->key)) { @@ -274,11 +274,11 @@ static chunk_t build_optionalSignature(private_x509_ocsp_request_t *this, DBG1(DBG_LIB, "creating OCSP signature failed, skipped"); return chunk_empty; } - if (this->cert) + if (this->cert && + this->cert->get_encoding(this->cert, CERT_ASN1_DER, &encoding)) { certs = asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "m", - this->cert->get_encoding(this->cert))); + asn1_wrap(ASN1_SEQUENCE, "m", encoding)); } return asn1_wrap(ASN1_CONTEXT_C_0, "m", asn1_wrap(ASN1_SEQUENCE, "cmm", @@ -413,9 +413,16 @@ static bool get_validity(private_x509_ocsp_request_t *this, time_t *when, /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_ocsp_request_t *this) +static bool get_encoding(private_x509_ocsp_request_t *this, + cred_encoding_type_t type, chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_OCSP_REQ_ASN1_DER, this->encoding, CRED_PART_END); } /** 
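Review bot: In build_optionalSignature `certs` is declared without an initializer (`chunk_t certs, signature, encoding;`) and is now assigned only when `this->cert` is set and get_encoding succeeds; on every other path the return statement that follows (cut off at the end of the `@@ -274` hunk) presumably consumes whatever `certs` holds, so the additional failure case the commit introduces widens a pre-existing uninitialized read unless an assignment sits between the declaration and the `if` outside the hunk. Initialise it at the declaration: `chunk_t certs = chunk_empty, signature, encoding;`. build_optionalSignature starts and ends outside these hunks.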
@@ -438,7 +445,10 @@ static bool equals(private_x509_ocsp_request_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_ocsp_request_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -486,7 +496,7 @@ static private_x509_ocsp_request_t *create_empty() this->public.interface.interface.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.interface.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.interface.get_encoding = (chunk_t(*)(certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t *this))destroy; diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.c b/src/libstrongswan/plugins/x509/x509_ocsp_response.c index c70d461df..829f47f81 100644 --- a/src/libstrongswan/plugins/x509/x509_ocsp_response.c +++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.c @@ -167,7 +167,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, { hasher_t *hasher; identification_t *id; - key_encoding_type_t type; + cred_encoding_type_t type; chunk_t hash, fingerprint; /* check serial first, is cheaper */ 
@@ -188,7 +188,7 @@ static cert_validation_t get_status(private_x509_ocsp_response_t *this, switch (response->hashAlgorithm) { case OID_SHA1: - type = KEY_ID_PUBKEY_SHA1; + type = KEYID_PUBKEY_SHA1; break; default: public->destroy(public); @@ -698,7 +698,7 @@ static bool issued_by(private_x509_ocsp_response_t *this, certificate_t *issuer) key = issuer->get_public_key(issuer); if (!key || - !key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &fingerprint) || + !key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &fingerprint) || !chunk_equals(fingerprint, this->responderId->get_encoding(this->responderId))) { @@ -763,29 +763,19 @@ static bool get_validity(private_x509_ocsp_response_t *this, time_t *when, return (t < this->usableUntil); } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - time_t this_update, that_update, now = time(NULL); - bool new; - - this->get_validity(this, &now, &this_update, NULL); - that->get_validity(that, &now, &that_update, NULL); - new = this_update > that_update; - DBG1(DBG_LIB, " ocsp response from %T is %s - existing ocsp response " - "from %T %s", &this_update, FALSE, new ? "newer" : "not newer", - &that_update, FALSE, new ? "replaced" : "retained"); - return new; -} - /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_ocsp_response_t *this) +static bool get_encoding(private_x509_ocsp_response_t *this, + cred_encoding_type_t type, chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_X509_OCSP_RES_ASN1_DER, this->encoding, CRED_PART_END); } /** 
@@ -808,7 +798,10 @@ static bool equals(private_x509_ocsp_response_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_ocsp_response_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -855,8 +848,7 @@ static x509_ocsp_response_t *load(chunk_t blob) this->public.interface.certificate.issued_by = (bool (*)(certificate_t *this, certificate_t *issuer))issued_by; this->public.interface.certificate.get_public_key = (public_key_t* (*)(certificate_t *this))get_public_key; this->public.interface.certificate.get_validity = (bool(*)(certificate_t*, time_t *when, time_t *, time_t*))get_validity; - this->public.interface.certificate.is_newer = (bool (*)(certificate_t*,certificate_t*))is_newer; - this->public.interface.certificate.get_encoding = (chunk_t(*)(certificate_t*))get_encoding; + this->public.interface.certificate.get_encoding = (bool(*)(certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.certificate.equals = (bool(*)(certificate_t*, certificate_t *other))equals; this->public.interface.certificate.get_ref = (certificate_t* (*)(certificate_t *this))get_ref; this->public.interface.certificate.destroy = (void (*)(certificate_t *this))destroy; diff --git a/src/libstrongswan/plugins/x509/x509_pkcs10.c b/src/libstrongswan/plugins/x509/x509_pkcs10.c index 1009ec931..bfb0ca621 100644 --- a/src/libstrongswan/plugins/x509/x509_pkcs10.c +++ b/src/libstrongswan/plugins/x509/x509_pkcs10.c 
@@ -188,20 +188,19 @@ static bool get_validity(private_x509_pkcs10_t *this, time_t *when, return TRUE; } -/** - * Implementation of certificate_t.is_newer. - */ -static bool is_newer(certificate_t *this, certificate_t *that) -{ - return FALSE; -} - /** * Implementation of certificate_t.get_encoding. */ -static chunk_t get_encoding(private_x509_pkcs10_t *this) +static bool get_encoding(private_x509_pkcs10_t *this, cred_encoding_type_t type, + chunk_t *encoding) { - return chunk_clone(this->encoding); + if (type == CERT_ASN1_DER) + { + *encoding = chunk_clone(this->encoding); + return TRUE; + } + return lib->encoding->encode(lib->encoding, type, NULL, encoding, + CRED_PART_PKCS10_ASN1_DER, this->encoding, CRED_PART_END); } /** @@ -224,7 +223,10 @@ static bool equals(private_x509_pkcs10_t *this, certificate_t *other) { /* skip allocation if we have the same implementation */ return chunk_equals(this->encoding, ((private_x509_pkcs10_t*)other)->encoding); } - encoding = other->get_encoding(other); + if (!other->get_encoding(other, CERT_ASN1_DER, &encoding)) + { + return FALSE; + } equal = chunk_equals(this->encoding, encoding); free(encoding.ptr); return equal; @@ -357,7 +359,7 @@ static bool parse_challengePassword(private_x509_pkcs10_t *this, chunk_t blob, i */ static const asn1Object_t certificationRequestObjects[] = { { 0, "certificationRequest", ASN1_SEQUENCE, ASN1_OBJ }, /* 0 */ - { 1, "certificationRequestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ + { 1, "certificationRequestInfo", ASN1_SEQUENCE, ASN1_OBJ }, /* 1 */ { 2, "version", ASN1_INTEGER, ASN1_BODY }, /* 2 */ { 2, "subject", ASN1_SEQUENCE, ASN1_OBJ }, /* 3 */ { 2, "subjectPublicKeyInfo", ASN1_SEQUENCE, ASN1_RAW }, /* 4 */ 
@@ -369,7 +371,7 @@ static const asn1Object_t certificationRequestObjects[] = { { 4, "end loop", ASN1_EOC, ASN1_END }, /* 10 */ { 2, "end loop", ASN1_EOC, ASN1_END }, /* 11 */ { 1, "signatureAlgorithm", ASN1_EOC, ASN1_RAW }, /* 12 */ - { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 13 */ + { 1, "signature", ASN1_BIT_STRING, ASN1_BODY }, /* 13 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; #define PKCS10_CERT_REQUEST_INFO 1 @@ -512,8 +514,7 @@ static private_x509_pkcs10_t* create_empty(void) this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.is_newer = (bool (*) (certificate_t*,certificate_t*))is_newer; - this->public.interface.interface.get_encoding = (chunk_t (*) (certificate_t*))get_encoding; + this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; @@ -559,7 +560,7 @@ static bool generate(private_x509_pkcs10_t *cert, private_key_t *sign_key, scheme = signature_scheme_from_oid(cert->algorithm); if (!cert->public_key->get_encoding(cert->public_key, - KEY_PUB_SPKI_ASN1_DER, &key_info)) + PUBKEY_SPKI_ASN1_DER, &key_info)) { return FALSE; } diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index e71c55efc..8391781e2 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c 
@@ -51,6 +51,8 @@ static void destroy(private_x509_plugin_t *this)
 (builder_function_t)x509_ac_load);
 lib->creds->remove_builder(lib->creds,
 (builder_function_t)x509_crl_load);
+ lib->creds->remove_builder(lib->creds,
+ (builder_function_t)x509_crl_gen);
 lib->creds->remove_builder(lib->creds,
 (builder_function_t)x509_ocsp_request_gen);
 lib->creds->remove_builder(lib->creds,
@@ -81,6 +83,8 @@ plugin_t *x509_plugin_create()
 (builder_function_t)x509_ac_load);
 lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
 (builder_function_t)x509_crl_load);
+ lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
+ (builder_function_t)x509_crl_gen);
 lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_REQUEST,
 (builder_function_t)x509_ocsp_request_gen);
 lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509_OCSP_RESPONSE,
diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in
index c49e2b76a..69bba8d6f 100644
--- a/src/libstrongswan/plugins/xcbc/Makefile.in
+++ b/src/libstrongswan/plugins/xcbc/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
 # @configure_input@
 # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
diff --git a/src/libstrongswan/threading/lock_profiler.h b/src/libstrongswan/threading/lock_profiler.h
index b64453ba1..1ae496455 100644
--- a/src/libstrongswan/threading/lock_profiler.h
+++ b/src/libstrongswan/threading/lock_profiler.h
@@ -63,7 +63,7 @@ static inline void profiler_cleanup(lock_profile_t *profile)
 {
 fprintf(stderr, "%d.%03ds / %d times in lock created at:",
 profile->waited.tv_sec, profile->waited.tv_usec, profile->locked);
- profile->backtrace->log(profile->backtrace, stderr);
+ profile->backtrace->log(profile->backtrace, stderr, TRUE);
 }
 profile->backtrace->destroy(profile->backtrace);
 }
diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index 5bba8ec21..a67245194 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -53,7 +53,7 @@ struct private_backtrace_t { /** * Implementation of backtrace_t.log */ -static void log_(private_backtrace_t *this, FILE *file) +static void log_(private_backtrace_t *this, FILE *file, bool detailed) { #ifdef HAVE_BACKTRACE size_t i; @@ -78,7 +78,6 @@ static void log_(private_backtrace_t *this, FILE *file) { ptr = (void*)(this->frames[i] - info.dli_fbase); } - snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", info.dli_fname, ptr); if (info.dli_sname) { fprintf(file, " \e[33m%s\e[0m @ %p (\e[31m%s\e[0m+0x%x) [%p]\n", @@ -90,28 +89,33 @@ static void log_(private_backtrace_t *this, FILE *file) fprintf(file, " \e[33m%s\e[0m @ %p [%p]\n", info.dli_fname, info.dli_fbase, this->frames[i]); } - fprintf(file, " -> \e[32m"); - output = popen(cmd, "r"); - if (output) + if (detailed) { - while (TRUE) + fprintf(file, " -> \e[32m"); + snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", + info.dli_fname, ptr); + output = popen(cmd, "r"); + if (output) { - c = getc(output); - if (c == '\n' || c == EOF) + while (TRUE) { - break; + c = getc(output); + if (c == '\n' || c == EOF) + { + break; + } + fputc(c, file); } - fputc(c, file); + pclose(output); } - pclose(output); - } - else - { -#endif /* HAVE_DLADDR */ - fprintf(file, " %s\n", strings[i]); -#ifdef HAVE_DLADDR + else + { + #endif /* HAVE_DLADDR */ + fprintf(file, " %s\n", strings[i]); + #ifdef HAVE_DLADDR + } + fprintf(file, "\n\e[0m"); } - fprintf(file, "\n\e[0m"); } else { 
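Review bot: The `popen(cmd, "r")` that the third hunk moves inside `if (detailed)` still hands a shell a command line assembled by `snprintf(cmd, sizeof(cmd), "addr2line -e %s %p", info.dli_fname, ptr)`, so the path of whichever shared object the frame resolved to reaches the shell unquoted, and the `snprintf` return value is never checked, so a long `dli_fname` would run a truncated command. Since the commit already rewrites these lines, this is the moment to drop the shell round-trip: spawn `addr2line` with an explicit argv (`posix_spawn` or `fork`/`execvp` over a pipe) or, as a minimum, bail out of the detailed branch when `snprintf` reports truncation. Gating the slow path behind `detailed` is otherwise a good change, as the default log call no longer forks per frame. The size of `cmd` and the type of `c` are declared outside the hunk, and `log_` continues past it on both sides.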
@@ -174,7 +178,7 @@ backtrace_t *backtrace_create(int skip) memcpy(this->frames, frames + skip, frame_count * sizeof(void*)); this->frame_count = frame_count; - this->public.log = (void(*)(backtrace_t*,FILE*))log_; + this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_; this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function; this->public.destroy = (void(*)(backtrace_t*))destroy; diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index c4d4284d1..c6b0ec78f 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -34,8 +34,11 @@ struct backtrace_t { /** * Log the backtrace to a FILE stream. + * + * @param file FILE to log backtrace to + * @param detailed TRUE to resolve line/file using addr2line (slow) */ - void (*log)(backtrace_t *this, FILE *file); + void (*log)(backtrace_t *this, FILE *file, bool detailed); /** * Check if the backtrace contains a frame in a specific function. diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c index 02c225833..dde57dc65 100644 --- a/src/libstrongswan/utils/hashtable.c +++ b/src/libstrongswan/utils/hashtable.c @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -47,11 +47,13 @@ struct pair_t { */ pair_t *pair_create(void *key, void *value, u_int hash) { - pair_t *this = malloc_thing(pair_t); + pair_t *this; - this->key = key; - this->value = value; - this->hash = hash; + INIT(this, + .key = key, + .value = value, + .hash = hash, + ); return this; } @@ -126,6 +128,11 @@ struct private_enumerator_t { */ u_int row; + /** + * current pair + */ + pair_t *pair; + /** * enumerator for the current row */ 
@@ -219,10 +226,8 @@ static void rehash(private_hashtable_t *this) free(old_table); } -/** - * Implementation of hashtable_t.put - */ -static void *put(private_hashtable_t *this, void *key, void *value) +METHOD(hashtable_t, put, void*, + private_hashtable_t *this, void *key, void *value) { void *old_value = NULL; linked_list_t *list; @@ -265,10 +270,8 @@ static void *put(private_hashtable_t *this, void *key, void *value) return old_value; } -/** - * Implementation of hashtable_t.get - */ -static void *get(private_hashtable_t *this, void *key) +METHOD(hashtable_t, get, void*, + private_hashtable_t *this, void *key) { void *value = NULL; linked_list_t *list; @@ -286,10 +289,8 @@ static void *get(private_hashtable_t *this, void *key) return value; } -/** - * Implementation of hashtable_t.remove - */ -static void *remove_(private_hashtable_t *this, void *key) +METHOD(hashtable_t, remove_, void*, + private_hashtable_t *this, void *key) { void *value = NULL; linked_list_t *list; 
@@ -317,34 +318,44 @@ static void *remove_(private_hashtable_t *this, void *key) return value; } -/** - * Implementation of hashtable_t.get_count - */ -static u_int get_count(private_hashtable_t *this) +METHOD(hashtable_t, remove_at, void, + private_hashtable_t *this, private_enumerator_t *enumerator) +{ + if (enumerator->table == this && enumerator->current) + { + linked_list_t *list; + list = this->table[enumerator->row]; + if (list) + { + list->remove_at(list, enumerator->current); + free(enumerator->pair); + this->count--; + } + } +} + +METHOD(hashtable_t, get_count, u_int, + private_hashtable_t *this) { return this->count; } -/** - * Implementation of private_enumerator_t.enumerator.enumerate. - */ -static bool enumerate(private_enumerator_t *this, void **key, void **value) +METHOD(enumerator_t, enumerate, bool, + private_enumerator_t *this, void **key, void **value) { while (this->row < this->table->capacity) { if (this->current) { - pair_t *pair; - - if (this->current->enumerate(this->current, &pair)) + if (this->current->enumerate(this->current, &this->pair)) { if (key) { - *key = pair->key; + *key = this->pair->key; } if (value) { - *value = pair->value; + *value = this->pair->value; } return TRUE; } @@ -354,7 +365,6 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value) else { linked_list_t *list; - list = this->table->table[this->row]; if (list) { @@ -367,10 +377,8 @@ static bool enumerate(private_enumerator_t *this, void **key, void **value) return FALSE; } -/** - * Implementation of private_enumerator_t.enumerator.destroy. - */ -static void enumerator_destroy(private_enumerator_t *this) +METHOD(enumerator_t, enumerator_destroy, void, + private_enumerator_t *this) { if (this->current) { 
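Review bot: The new `remove_at` frees `enumerator->pair` but never clears it, and `enumerate` in the same hunk only overwrites `this->pair` on a successful `this->current->enumerate(this->current, &this->pair)`, so a second `remove_at` call before the next `enumerate` (or one issued after the row's list was exhausted) would call `list->remove_at` on a position that is already gone and free the same pair a second time. Add `enumerator->pair = NULL;` directly after `free(enumerator->pair);` and widen the guard to `if (enumerator->table == this && enumerator->current && enumerator->pair)`, so a repeated call becomes a no-op. Whether `linked_list_t.remove_at` itself tolerates being called twice at the same enumerator position is not visible here, so the guard on `pair` is the safer place to stop it.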
@@ -379,26 +387,24 @@ static void enumerator_destroy(private_enumerator_t *this) free(this); } -/** - * Implementation of hashtable_t.create_enumerator. - */ -static enumerator_t* create_enumerator(private_hashtable_t *this) +METHOD(hashtable_t, create_enumerator, enumerator_t*, + private_hashtable_t *this) { - private_enumerator_t *enumerator = malloc_thing(private_enumerator_t); + private_enumerator_t *enumerator; - enumerator->enumerator.enumerate = (void*)enumerate; - enumerator->enumerator.destroy = (void*)enumerator_destroy; - enumerator->table = this; - enumerator->row = 0; - enumerator->current = NULL; + INIT(enumerator, + .enumerator = { + .enumerate = (void*)_enumerate, + .destroy = (void*)_enumerator_destroy, + }, + .table = this, + ); return &enumerator->enumerator; } -/** - * Implementation of hashtable_t.destroy - */ -static void destroy(private_hashtable_t *this) +METHOD(hashtable_t, destroy, void, + private_hashtable_t *this) { linked_list_t *list; u_int row; 
@@ -421,22 +427,21 @@ static void destroy(private_hashtable_t *this) hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals, u_int capacity) { - private_hashtable_t *this = malloc_thing(private_hashtable_t); - - this->public.put = (void*(*)(hashtable_t*,void*,void*))put; - this->public.get = (void*(*)(hashtable_t*,void*))get; - this->public.remove = (void*(*)(hashtable_t*,void*))remove_; - this->public.get_count = (u_int(*)(hashtable_t*))get_count; - this->public.create_enumerator = (enumerator_t*(*)(hashtable_t*))create_enumerator; - this->public.destroy = (void(*)(hashtable_t*))destroy; - - this->count = 0; - this->capacity = 0; - this->mask = 0; - this->load_factor = 0; - this->table = NULL; - this->hash = hash; - this->equals = equals; + private_hashtable_t *this; + + INIT(this, + .public = { + .put = _put, + .get = _get, + .remove = _remove_, + .remove_at = (void*)_remove_at, + .get_count = _get_count, + .create_enumerator = _create_enumerator, + .destroy = _destroy, + }, + .hash = hash, + .equals = equals, + ); init_hashtable(this, capacity); diff --git a/src/libstrongswan/utils/hashtable.h b/src/libstrongswan/utils/hashtable.h index 142ea6329..27aca9b68 100644 --- a/src/libstrongswan/utils/hashtable.h +++ b/src/libstrongswan/utils/hashtable.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -86,10 +86,18 @@ struct hashtable_t { */ void *(*remove) (hashtable_t *this, void *key); + /** + * Removes the key and value pair from the hash table at which the given + * enumerator currently points. + * + * @param enumerator enumerator, from create_enumerator + */ + void (*remove_at) (hashtable_t *this, enumerator_t *enumerator); + /** * Gets the number of items in the hash table. * - * @return number of items + * @return number of items */ u_int (*get_count) (hashtable_t *this); 
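Review bot: `.remove_at = (void*)_remove_at` is the only member of the new `INIT` block that still needs a cast, because the implementation in the earlier hunk takes `private_enumerator_t *` while hashtable.h in this same diff declares `void (*remove_at) (hashtable_t *this, enumerator_t *enumerator)`; the cast silences the mismatch rather than resolving it, and the `enumerator->table == this` check inside `remove_at` runs only after the argument has already been read through the private layout. I would declare the method with the public type, `METHOD(hashtable_t, remove_at, void, private_hashtable_t *this, enumerator_t *enumerator)`, and convert inside with `private_enumerator_t *e = (private_enumerator_t*)enumerator;`, so whatever type checking the `METHOD` macro provides presumably applies to this member as well. `hashtable_create` continues past the hunk; `init_hashtable(this, capacity);` is visible but the return is not.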
@@ -106,7 +114,7 @@ struct hashtable_t { * @param hash hash function * @param equals equals function * @param capacity initial capacity - * @return hashtable_t object. + * @return hashtable_t object. */ hashtable_t *hashtable_create(hashtable_hash_t hash, hashtable_equals_t equals, u_int capacity); diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 6a3c3936c..3caeb8f0e 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c @@ -50,8 +50,7 @@ ENUM_BEGIN(id_type_names, ID_ANY, ID_KEY_ID, "ID_DER_ASN1_GN", "ID_KEY_ID"); ENUM_NEXT(id_type_names, ID_DER_ASN1_GN_URI, ID_MYID, ID_KEY_ID, - "ID_DER_ASN1_GN_URI" - "ID_IETF_ATTR_STRING" + "ID_DER_ASN1_GN_URI", "ID_MYID"); ENUM_END(id_type_names, ID_MYID); @@ -297,18 +296,30 @@ static void dntoa(chunk_t dn, char *buf, size_t len) { written = snprintf(buf, len,"%s=", oid_names[oid].name); } + if (written < 0 || written >= len) + { + break; + } buf += written; len -= written; chunk_printable(data, &printable, '?'); written = snprintf(buf, len, "%.*s", printable.len, printable.ptr); chunk_free(&printable); + if (written < 0 || written >= len) + { + break; + } buf += written; len -= written; if (data.ptr + data.len != dn.ptr + dn.len) { written = snprintf(buf, len, ", "); + if (written < 0 || written >= len) + { + break; + } buf += written; len -= written; } @@ -761,7 +772,6 @@ int identification_printf_hook(char *dst, size_t len, printf_hook_spec_t *spec, case ID_FQDN: case ID_RFC822_ADDR: case ID_DER_ASN1_GN_URI: - case ID_IETF_ATTR_STRING: chunk_printable(this->encoded, &proper, '?'); snprintf(buf, sizeof(buf), "%.*s", proper.len, proper.ptr); chunk_free(&proper); diff --git a/src/libstrongswan/utils/identification.h b/src/libstrongswan/utils/identification.h index fe5c7d0fd..c463b0274 100644 --- a/src/libstrongswan/utils/identification.h +++ b/src/libstrongswan/utils/identification.h 
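Review bot: The three new `if (written < 0 || written >= len)` guards in `dntoa` compare `written` (an `int` if it simply holds the `snprintf` result, its declaration is outside the hunk) with the `size_t len` that is passed to `snprintf(buf, len, ...)`, which `-Wsign-compare` flags; since the negative case is already handled first, `(size_t)written >= len` states the intent without the implicit conversion. A one-line comment on the first guard would also help the next reader, e.g. `/* snprintf failed or truncated: stop before buf/len would step past the buffer */`, since the `break` deliberately leaves the already written, NUL-terminated prefix in place. `dntoa` starts before this hunk and its loop header is not visible.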
@@ -130,11 +130,6 @@ enum id_type_t {
 */
 ID_DER_ASN1_GN_URI = 201,
- /**
- * IETF Attribute Syntax String (RFC 3281)
- */
- ID_IETF_ATTR_STRING = 202,
-
 /**
 * Private ID used by the pluto daemon for opportunistic encryption
 */
diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c
index 2f8a7187c..0673878a5 100644
--- a/src/libstrongswan/utils/leak_detective.c
+++ b/src/libstrongswan/utils/leak_detective.c
@@ -207,6 +207,7 @@ char *whitelist[] = {
 "ENGINE_load_builtin_engines",
 "OPENSSL_config",
 "ecdsa_check",
+ "ERR_put_error",
 /* libgcrypt */
 "gcry_control",
 "gcry_check_version",
@@ -233,39 +234,45 @@ static bool is_whitelisted(backtrace_t *backtrace) /** * Report leaks at library destruction */ -void report_leaks() +static void report(private_leak_detective_t *this, bool detailed) { - memory_header_t *hdr; - int leaks = 0, whitelisted = 0; - - for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) + if (lib->leak_detective) { - if (is_whitelisted(hdr->backtrace)) + memory_header_t *hdr; + int leaks = 0, whitelisted = 0; + + for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) { - whitelisted++; + if (is_whitelisted(hdr->backtrace)) + { + whitelisted++; + } + else + { + fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1); + /* skip the first frame, contains leak detective logic */ + hdr->backtrace->log(hdr->backtrace, stderr, detailed); + leaks++; + } } - else + switch (leaks) { - fprintf(stderr, "Leak (%d bytes at %p):\n", hdr->bytes, hdr + 1); - /* skip the first frame, contains leak detective logic */ - hdr->backtrace->log(hdr->backtrace, stderr); - leaks++; + case 0: + fprintf(stderr, "No leaks detected"); + break; + case 1: + fprintf(stderr, "One leak detected"); + break; + default: + fprintf(stderr, "%d leaks detected", leaks); + break; } + fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted); } - - switch (leaks) + else { - case 0: - fprintf(stderr, "No leaks detected"); - break; - case 1: - fprintf(stderr, "One leak detected"); - break; - default: - fprintf(stderr, "%d leaks detected", leaks); - break; + fprintf(stderr, "Leak detective disabled\n"); } - fprintf(stderr, ", %d suppressed by whitelist\n", whitelisted); } /** @@ -395,7 +402,7 @@ void free_hook(void *ptr, const void *caller) fprintf(stderr, "freeing invalid memory (%p)", ptr); } backtrace = backtrace_create(3); - backtrace->log(backtrace, stderr); + backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); } else 
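Review bot: The comment `/* skip the first frame, contains leak detective logic */` now sits directly above `hdr->backtrace->log(hdr->backtrace, stderr, detailed);`, which does not skip anything; if the skipping happens when the trace is captured, as the `backtrace_create(3)` calls in the free/realloc hunks suggest, the comment belongs at the capture site or should read `/* trace was captured with the detective's own frames already skipped */`. Separately, the new `report()` ignores its `this` parameter and decides on the global `lib->leak_detective` instead, which is worth one sentence in the header's `report` doc (later in this diff) so callers know the "disabled" branch is a global condition, not per instance.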
@@ -454,7 +461,7 @@ void *realloc_hook(void *old, size_t bytes, const void *caller) "header magic 0x%x, tail magic 0x%x:\n", old, hdr->magic, tail->magic); backtrace = backtrace_create(3); - backtrace->log(backtrace, stderr); + backtrace->log(backtrace, stderr, TRUE); backtrace->destroy(backtrace); } /* clear tail magic, allocate, set tail magic */ @@ -487,7 +494,6 @@ static void destroy(private_leak_detective_t *this) if (installed) { uninstall_hooks(); - report_leaks(); } free(this); } @@ -499,6 +505,7 @@ leak_detective_t *leak_detective_create() { private_leak_detective_t *this = malloc_thing(private_leak_detective_t); + this->public.report = (void(*)(leak_detective_t*,bool))report; this->public.destroy = (void(*)(leak_detective_t*))destroy; if (getenv("LEAK_DETECTIVE_DISABLE") == NULL) diff --git a/src/libstrongswan/utils/leak_detective.h b/src/libstrongswan/utils/leak_detective.h index 181f8f3db..fa45a6076 100644 --- a/src/libstrongswan/utils/leak_detective.h +++ b/src/libstrongswan/utils/leak_detective.h @@ -23,6 +23,8 @@ typedef struct leak_detective_t leak_detective_t; +#include + /** * Leak detective finds leaks and bad frees using malloc hooks. * @@ -33,6 +35,13 @@ typedef struct leak_detective_t leak_detective_t; */ struct leak_detective_t { + /** + * Report leaks to stderr. + * + * @param detailed TRUE to resolve line/filename of leak (slow) + */ + void (*report)(leak_detective_t *this, bool detailed); + /** * Destroy a leak_detective instance. */ diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 54e2cc11c..63a892ee7 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 2f79ca4d4..415c35e79 100644 --- a/src/medsrv/Makefile.in 
+++ b/src/medsrv/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/medsrv/controller/peer_controller.c b/src/medsrv/controller/peer_controller.c index e1e4661e0..5948fcfb7 100755 --- a/src/medsrv/controller/peer_controller.c +++ b/src/medsrv/controller/peer_controller.c @@ -139,8 +139,8 @@ static bool parse_public_key(private_peer_controller_t *this, return FALSE; } /* TODO: use get_encoding() with an encoding type */ - if (!public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id) || - !public->get_encoding(public, KEY_PUB_SPKI_ASN1_DER, encoding)) + if (!public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id) || + !public->get_encoding(public, PUBKEY_SPKI_ASN1_DER, encoding)) { request->setf(request, "error=Encoding public key failed."); return FALSE; diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index 9f0f96561..578ab7d39 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/openac/openac.c b/src/openac/openac.c index a280192c2..3f28b0ac4 100755 --- a/src/openac/openac.c +++ b/src/openac/openac.c @@ -501,11 +501,13 @@ int main(int argc, char **argv) } /* write the attribute certificate to file */ - attr_chunk = attr_cert->get_encoding(attr_cert); - if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE)) + if (attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk)) { - write_serial(serial); - status = 0; + if (chunk_write(attr_chunk, outfile, "attribute cert", 0022, TRUE)) + { + write_serial(serial); + status = 0; + } } } else 
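Review bot: When `attr_cert->get_encoding(attr_cert, CERT_ASN1_DER, &attr_chunk)` fails, the new nesting in openac's `main` leaves `status` at its presumably non-zero initial value and falls out of the block without a word, so the user sees neither a file nor a reason; unless the encoder logs the failure itself (not visible here), add an `else` branch in the file's brace style, `else { fprintf(stderr, "encoding attribute certificate failed\n"); }`, next to the new `if`. The `chunk_write` branch already reports through its own "attribute cert" label, so only the encoding path is silent. `main` continues on both sides of the hunk.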
diff --git a/src/pki/Makefile.am b/src/pki/Makefile.am index 8eac07afc..99e9bc581 100644 --- a/src/pki/Makefile.am +++ b/src/pki/Makefile.am @@ -7,6 +7,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/pub.c \ commands/req.c \ commands/self.c \ + commands/print.c \ + commands/signcrl.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 522b9e887..8f08777bb 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -55,7 +55,8 @@ am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am_pki_OBJECTS = pki.$(OBJEXT) command.$(OBJEXT) gen.$(OBJEXT) \ issue.$(OBJEXT) keyid.$(OBJEXT) pub.$(OBJEXT) req.$(OBJEXT) \ - self.$(OBJEXT) verify.$(OBJEXT) + self.$(OBJEXT) print.$(OBJEXT) signcrl.$(OBJEXT) \ + verify.$(OBJEXT) pki_OBJECTS = $(am_pki_OBJECTS) pki_DEPENDENCIES = $(top_builddir)/src/libstrongswan/libstrongswan.la DEFAULT_INCLUDES = -I.@am__isrc@ @@ -238,6 +239,8 @@ pki_SOURCES = pki.c pki.h command.c command.h \ commands/pub.c \ commands/req.c \ commands/self.c \ + commands/print.c \ + commands/signcrl.c \ commands/verify.c pki_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la 
@@ -337,9 +340,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/issue.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pki.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/print.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pub.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/req.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/self.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/signcrl.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/verify.Po@am__quote@ .c.o: 
@@ -447,6 +452,34 @@ self.obj: commands/self.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o self.obj `if test -f 'commands/self.c'; then $(CYGPATH_W) 'commands/self.c'; else $(CYGPATH_W) '$(srcdir)/commands/self.c'; fi` +print.o: commands/print.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.o -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/print.c' object='print.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.o `test -f 'commands/print.c' || echo '$(srcdir)/'`commands/print.c + +print.obj: commands/print.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT print.obj -MD -MP -MF $(DEPDIR)/print.Tpo -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/print.Tpo $(DEPDIR)/print.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/print.c' object='print.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o print.obj `if test -f 'commands/print.c'; then $(CYGPATH_W) 'commands/print.c'; else $(CYGPATH_W) '$(srcdir)/commands/print.c'; fi` + 
+signcrl.o: commands/signcrl.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.o -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/signcrl.c' object='signcrl.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.o `test -f 'commands/signcrl.c' || echo '$(srcdir)/'`commands/signcrl.c + +signcrl.obj: commands/signcrl.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT signcrl.obj -MD -MP -MF $(DEPDIR)/signcrl.Tpo -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/signcrl.Tpo $(DEPDIR)/signcrl.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='commands/signcrl.c' object='signcrl.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o signcrl.obj `if test -f 'commands/signcrl.c'; then $(CYGPATH_W) 'commands/signcrl.c'; else $(CYGPATH_W) '$(srcdir)/commands/signcrl.c'; fi` + verify.o: commands/verify.c @am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT verify.o -MD -MP -MF $(DEPDIR)/verify.Tpo -c -o verify.o `test -f 'commands/verify.c' || echo '$(srcdir)/'`commands/verify.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/verify.Tpo 
$(DEPDIR)/verify.Po diff --git a/src/pki/command.c b/src/pki/command.c index 8f53817f0..b9c35d99b 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -181,7 +181,7 @@ int command_usage(char *error) { for (i = 0; cmds[i].cmd; i++) { - fprintf(out, " pki --%-6s (-%c) %s\n", + fprintf(out, " pki --%-7s (-%c) %s\n", cmds[i].cmd, cmds[i].op, cmds[i].description); } } diff --git a/src/pki/commands/gen.c b/src/pki/commands/gen.c index b2769da54..33d9cf35d 100644 --- a/src/pki/commands/gen.c +++ b/src/pki/commands/gen.c @@ -20,7 +20,7 @@ */ static int gen() { - key_encoding_type_t form = KEY_PRIV_ASN1_DER; + cred_encoding_type_t form = PRIVKEY_ASN1_DER; key_type_t type = KEY_RSA; u_int size = 0; private_key_t *key; @@ -48,7 +48,7 @@ static int gen() } continue; case 'f': - if (!get_form(arg, &form, FALSE)) + if (!get_form(arg, &form, CRED_PRIVATE_KEY)) { return command_usage("invalid key output format"); } diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index fcd758f87..2002cd555 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -28,6 +28,7 @@ */ static int issue() { + cred_encoding_type_t form = CERT_ASN1_DER; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert_req = NULL, *cert = NULL, *ca =NULL; private_key_t *private = NULL; @@ -37,7 +38,7 @@ static int issue() char *error = NULL; identification_t *id = NULL; linked_list_t *san, *cdps, *ocsp; - int lifetime = 1080; + int lifetime = 1095; int pathlen = X509_NO_PATH_LEN_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; @@ -107,7 +108,7 @@ static int issue() case 'p': pathlen = atoi(arg); continue; - case 'f': + case 'e': if (streq(arg, "serverAuth")) { flags |= X509_SERVER_AUTH; @@ -121,6 +122,12 @@ static int issue() flags |= X509_OCSP_SIGNER; } continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case 'u': cdps->insert_last(cdps, arg); continue; 
@@ -301,8 +308,7 @@ static int issue() error = "generating certificate failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate failed"; goto end; @@ -352,7 +358,7 @@ static void __attribute__ ((constructor))reg() " --cacert file --cakey file --dn subject-dn [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "public key/request file to issue, default: stdin"}, @@ -361,14 +367,15 @@ static void __attribute__ ((constructor))reg() {"cakey", 'k', 1, "CA private key file"}, {"dn", 'd', 1, "distinguished name to include as subject"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1080"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'f', 1, "include extendedKeyUsage flag"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"crl", 'u', 1, "CRL distribution point URI to include"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/keyid.c b/src/pki/commands/keyid.c index c15c1193e..6d2f7b915 100644 --- a/src/pki/commands/keyid.c +++ b/src/pki/commands/keyid.c 
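Review bot: Moving `--flag` from `-f` to `-e` (the `case 'f':` to `case 'e':` change in the earlier `@@ -107,7 +108,7 @@` hunk of issue.c, and `{"flag", 'e', 1, ...}` in the option table here) is a user-visible change to the pki command line that existing scripts will hit silently: `pki --issue -f serverAuth` now means `--outform serverAuth` and fails with `invalid output format`. This deserves a line in the usage string (which still lists the long form only) and in the NEWS/man page for the release. Otherwise the new `-f`/`--outform` handling mirrors the `get_form(arg, &form, CRED_PRIVATE_KEY)` call gen.c gains in the same diff, which keeps the commands consistent.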
@@ -99,11 +99,11 @@ static int keyid() if (type == CRED_PRIVATE_KEY) { private = cred; - if (private->get_fingerprint(private, KEY_ID_PUBKEY_SHA1, &id)) + if (private->get_fingerprint(private, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (private->get_fingerprint(private, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (private->get_fingerprint(private, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } @@ -112,11 +112,11 @@ static int keyid() else if (type == CRED_PUBLIC_KEY) { public = cred; - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } @@ -131,11 +131,11 @@ static int keyid() fprintf(stderr, "extracting public key from certificate failed"); return 1; } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &id)) { printf("subjectKeyIdentifier: %#B\n", &id); } - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &id)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &id)) { printf("subjectPublicKeyInfo hash: %#B\n", &id); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c new file mode 100644 index 000000000..6d5462783 --- /dev/null +++ b/src/pki/commands/print.c 
@@ -0,0 +1,368 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pki.h" + +#include +#include +#include + +#include + +/** + * Print public key information + */ +static void print_pubkey(public_key_t *key) +{ + chunk_t chunk; + + printf("pubkey: %N %d bits\n", key_type_names, key->get_type(key), + key->get_keysize(key) * 8); + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &chunk)) + { + printf("keyid: %#B\n", &chunk); + } + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &chunk)) + { + printf("subjkey: %#B\n", &chunk); + } +} + +/** + * Print private key information + */ +static void print_key(private_key_t *key) +{ + public_key_t *public; + + public = key->get_public_key(key); + if (public) + { + printf("private key with:\n"); + print_pubkey(public); + public->destroy(public); + } + else + { + printf("extracting public from private key failed\n"); + } +} + +/** + * Print X509 specific certificate information + */ +static void print_x509(x509_t *x509) +{ + enumerator_t *enumerator; + identification_t *id; + traffic_selector_t *block; + chunk_t chunk; + bool first; + char *uri; + int len; + x509_flag_t flags; + + chunk = x509->get_serial(x509); + printf("serial: %#B\n", &chunk); + + first = TRUE; + enumerator = x509->create_subjectAltName_enumerator(x509); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("altNames: "); + first = FALSE; + } + else + { + printf(", "); + } + 
printf("%Y", id); + } + if (!first) + { + printf("\n"); + } + enumerator->destroy(enumerator); + + flags = x509->get_flags(x509); + printf("flags: "); + if (flags & X509_CA) + { + printf("CA "); + } + if (flags & X509_AA) + { + printf("AA "); + } + if (flags & X509_OCSP_SIGNER) + { + printf("OCSP "); + } + if (flags & X509_AA) + { + printf("AA "); + } + if (flags & X509_SERVER_AUTH) + { + printf("serverAuth "); + } + if (flags & X509_CLIENT_AUTH) + { + printf("clientAuth "); + } + if (flags & X509_SELF_SIGNED) + { + printf("self-signed "); + } + printf("\n"); + + first = TRUE; + enumerator = x509->create_crl_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("CRL URIs: %s\n", uri); + first = FALSE; + } + else + { + printf(" %s\n", uri); + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_ocsp_uri_enumerator(x509); + while (enumerator->enumerate(enumerator, &uri)) + { + if (first) + { + printf("OCSP URIs: %s\n", uri); + first = FALSE; + } + else + { + printf(" %s\n", uri); + } + } + enumerator->destroy(enumerator); + + len = x509->get_pathLenConstraint(x509); + if (len != X509_NO_PATH_LEN_CONSTRAINT) + { + printf("pathlen: %d\n", len); + } + + chunk = x509->get_authKeyIdentifier(x509); + if (chunk.ptr) + { + printf("authkeyId: %#B\n", &chunk); + } + + chunk = x509->get_subjectKeyIdentifier(x509); + if (chunk.ptr) + { + printf("subjkeyId: %#B\n", &chunk); + } + if (x509->get_flags(x509) & X509_IP_ADDR_BLOCKS) + { + first = TRUE; + printf("addresses: "); + enumerator = x509->create_ipAddrBlock_enumerator(x509); + while (enumerator->enumerate(enumerator, &block)) + { + if (first) + { + first = FALSE; + } + else + { + printf(", "); + } + printf("%R", block); + } + enumerator->destroy(enumerator); + printf("\n"); + } +} + +/** + * Print certificate information + */ +static void print_cert(certificate_t *cert) +{ + time_t now, notAfter, notBefore; + public_key_t *key; + + now = 
time(NULL); + + printf("cert: %N\n", certificate_type_names, cert->get_type(cert)); + printf("subject: \"%Y\"\n", cert->get_subject(cert)); + printf("issuer: \"%Y\"\n", cert->get_issuer(cert)); + + cert->get_validity(cert, &now, ¬Before, ¬After); + printf("validity: not before %T, ", ¬Before, FALSE); + if (now < notBefore) + { + printf("not valid yet (valid in %V)\n", &now, ¬Before); + } + else + { + printf("ok\n"); + } + printf(" not after %T, ", ¬After, FALSE); + if (now > notAfter) + { + printf("expired (%V ago)\n", &now, ¬After); + } + else + { + printf("ok (expires in %V)\n", &now, ¬After); + } + + switch (cert->get_type(cert)) + { + case CERT_X509: + print_x509((x509_t*)cert); + break; + default: + printf("parsing certificate subtype %N not implemented\n", + certificate_type_names, cert->get_type(cert)); + break; + } + + key = cert->get_public_key(cert); + if (key) + { + print_pubkey(key); + key->destroy(key); + } + else + { + printf("unable to extract public key\n"); + } +} + +/** + * Print a credential in a human readable form + */ +static int print() +{ + credential_type_t type = CRED_CERTIFICATE; + int subtype = CERT_X509; + void *cred; + char *arg, *file = NULL; + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + return command_usage(NULL); + case 't': + if (streq(arg, "x509")) + { + type = CRED_CERTIFICATE; + subtype = CERT_X509; + } + else if (streq(arg, "pub")) + { + type = CRED_PUBLIC_KEY; + subtype = KEY_ANY; + } + else if (streq(arg, "rsa-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_RSA; + } + else if (streq(arg, "ecdsa-priv")) + { + type = CRED_PRIVATE_KEY; + subtype = KEY_ECDSA; + } + else + { + return command_usage( "invalid input type"); + } + continue; + case 'i': + file = arg; + continue; + case EOF: + break; + default: + return command_usage("invalid --print option"); + } + break; + } + if (file) + { + cred = lib->creds->create(lib->creds, type, subtype, + BUILD_FROM_FILE, file, BUILD_END); + } + else + { + cred 
= lib->creds->create(lib->creds, type, subtype, + BUILD_FROM_FD, 0, BUILD_END); + } + if (!cred) + { + fprintf(stderr, "parsing input failed\n"); + return 1; + } + + if (type == CRED_CERTIFICATE) + { + certificate_t *cert = (certificate_t*)cred; + + print_cert(cert); + cert->destroy(cert); + } + if (type == CRED_PUBLIC_KEY) + { + public_key_t *key = (public_key_t*)cred; + + print_pubkey(key); + key->destroy(key); + } + if (type == CRED_PRIVATE_KEY) + { + private_key_t *key = (private_key_t*)cred; + + print_key(key); + key->destroy(key); + } + return 0; +} + +/** + * Register the command. + */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) + { print, 'a', "print", + "print a credential in a human readable form", + {"[--in file] [--type rsa-priv|ecdsa-priv|pub|x509]"}, + { + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "input file, default: stdin"}, + {"type", 't', 1, "type of credential, default: x509"}, + } + }); +} diff --git a/src/pki/commands/pub.c b/src/pki/commands/pub.c index de0444c1a..fc2614c7d 100644 --- a/src/pki/commands/pub.c +++ b/src/pki/commands/pub.c @@ -23,7 +23,7 @@ */ static int pub() { - key_encoding_type_t form = KEY_PUB_SPKI_ASN1_DER; + cred_encoding_type_t form = PUBKEY_SPKI_ASN1_DER; credential_type_t type = CRED_PRIVATE_KEY; int subtype = KEY_RSA; certificate_t *cert; @@ -67,7 +67,7 @@ static int pub() } continue; case 'f': - if (!get_form(arg, &form, TRUE)) + if (!get_form(arg, &form, CRED_PUBLIC_KEY)) { return command_usage("invalid output format"); } diff --git a/src/pki/commands/req.c b/src/pki/commands/req.c index 8335f2595..a1ae2f515 100644 --- a/src/pki/commands/req.c +++ b/src/pki/commands/req.c @@ -27,6 +27,7 @@ */ static int req() { + cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert = NULL; 
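Review bot: In print_x509 the `X509_AA` bit is tested twice, once right after `X509_CA` and again after `X509_OCSP_SIGNER`, so an attribute-authority certificate prints "AA " twice on the flags line; drop the second `if (flags & X509_AA) { printf("AA "); }`. The later IP-address-block test calls `x509->get_flags(x509)` again although `flags` already holds the same value, so `if (flags & X509_IP_ADDR_BLOCKS)` would be consistent with the rest of the function. A short header comment on print() stating that stdin is read when no `--in` file is given (`BUILD_FROM_FD, 0`) would also help, since the usage text only says "default: stdin".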
@@ -81,6 +82,12 @@ static int req() case 'p': challenge_password = chunk_create(arg, strlen(arg)); continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case EOF: break; default: @@ -128,8 +135,7 @@ static int req() error = "generating certificate request failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate request failed"; goto end; @@ -170,7 +176,7 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--password challengePassword]", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, @@ -179,6 +185,7 @@ static void __attribute__ ((constructor))reg() {"san", 'a', 1, "subjectAltName to include in cert request"}, {"password",'p', 1, "challengePassword to include in cert request"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated request, default: der"}, } }); } diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index d283daa6a..71776c745 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c @@ -26,6 +26,7 @@ */ static int self() { + cred_encoding_type_t form = CERT_ASN1_DER; key_type_t type = KEY_RSA; hash_algorithm_t digest = HASH_SHA1; certificate_t *cert = NULL; @@ -34,7 +35,7 @@ static int self() char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL; identification_t *id = NULL; linked_list_t *san, *ocsp; - int lifetime = 1080; + int lifetime = 1095; int pathlen = X509_NO_PATH_LEN_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; 
@@ -100,6 +101,26 @@ static int self() case 'p': pathlen = atoi(arg); continue; + case 'e': + if (streq(arg, "serverAuth")) + { + flags |= X509_SERVER_AUTH; + } + else if (streq(arg, "clientAuth")) + { + flags |= X509_CLIENT_AUTH; + } + else if (streq(arg, "ocspSigning")) + { + flags |= X509_OCSP_SIGNER; + } + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; case 'o': ocsp->insert_last(ocsp, arg); continue; @@ -179,8 +200,7 @@ static int self() error = "generating certificate failed"; goto end; } - encoding = cert->get_encoding(cert); - if (!encoding.ptr) + if (!cert->get_encoding(cert, form, &encoding)) { error = "encoding certificate failed"; goto end; @@ -225,19 +245,22 @@ static void __attribute__ ((constructor))reg() {"[--in file] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--digest md5|sha1|sha224|sha256|sha384|sha512]"}, + "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { {"help", 'h', 0, "show usage information"}, {"in", 'i', 1, "private key input file, default: stdin"}, {"type", 't', 1, "type of input key, default: rsa"}, {"dn", 'd', 1, "subject and issuer distinguished name"}, {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1080"}, + {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, {"serial", 's', 1, "serial number in hex, default: random"}, {"ca", 'b', 0, "include CA basicConstraint, default: no"}, {"pathlen", 'p', 1, "set path length constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } 
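Review bot: The new `case 'e'` in self() accepts serverAuth, clientAuth and ocspSigning but has no else branch, so a mistyped `--flag` value is silently dropped and the certificate is issued without the intended extendedKeyUsage; the neighbouring `case 'f'` rejects bad input, so do the same here with `else { return command_usage("invalid extendedKeyUsage flag"); }`. The body of self() starts and ends outside this hunk, so I cannot see whether a later check covers it; the issue.c hunk above does not show its own flag parsing either, so the same check may be needed there.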
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
new file mode 100644
index 000000000..b7163a153
--- /dev/null
+++ b/src/pki/commands/signcrl.c
@@ -0,0 +1,382 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include + +#include "pki.h" + +#include +#include +#include +#include +#include + + +/** + * Entry for a revoked certificate + */ +typedef struct { + chunk_t serial; + crl_reason_t reason; + time_t date; +} revoked_t; + +/** + * Add a revocation to the list + */ +static void add_revoked(linked_list_t *list, + chunk_t serial, crl_reason_t reason, time_t date) +{ + revoked_t *revoked; + + INIT(revoked, + .serial = chunk_clone(serial), + .reason = reason, + .date = date, + ); + list->insert_last(list, revoked); +} + +/** + * Destroy a reason entry + */ +static void revoked_destroy(revoked_t *revoked) +{ + free(revoked->serial.ptr); + free(revoked); +} + +/** + * Filter for revoked enumerator + */ +static bool filter(void *data, revoked_t **revoked, chunk_t *serial, void *p2, + time_t *date, void *p3, crl_reason_t *reason) +{ + *serial = (*revoked)->serial; + *date = (*revoked)->date; + *reason = (*revoked)->reason; + return TRUE; +} + +/** + * Extract the serial of a certificate, write it into buf + */ +static int read_serial(char *file, char *buf, int buflen) +{ + certificate_t *cert; + x509_t *x509; + chunk_t serial; + + x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, file, BUILD_END); + cert = &x509->interface; + if (!cert) + { + return -1; + } + serial = x509->get_serial(x509); + if (serial.len == 0 || serial.len > 
buflen) + { + cert->destroy(cert); + return -2; + } + memcpy(buf, serial.ptr, serial.len); + cert->destroy(cert); + return serial.len; +} + +/** + * Sign a CRL + */ +static int sign_crl() +{ + cred_encoding_type_t form = CERT_ASN1_DER; + private_key_t *private = NULL; + public_key_t *public = NULL; + certificate_t *ca = NULL, *crl = NULL; + crl_t *lastcrl = NULL; + x509_t *x509; + hash_algorithm_t digest = HASH_SHA1; + char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; + char serial[512], crl_serial[8]; + int serial_len = 0; + crl_reason_t reason = CRL_REASON_UNSPECIFIED; + time_t thisUpdate, nextUpdate, date = time(NULL); + int lifetime = 15; + linked_list_t *list; + enumerator_t *enumerator, *lastenum = NULL; + chunk_t encoding = chunk_empty; + + list = linked_list_create(); + + memset(crl_serial, 0, sizeof(crl_serial)); + + while (TRUE) + { + switch (command_getopt(&arg)) + { + case 'h': + goto usage; + case 'g': + digest = get_digest(arg); + if (digest == HASH_UNKNOWN) + { + error = "invalid --digest type"; + goto usage; + } + continue; + case 'c': + cacert = arg; + continue; + case 'k': + cakey = arg; + continue; + case 'a': + lastupdate = arg; + continue; + case 'l': + lifetime = atoi(arg); + if (!lifetime) + { + error = "invalid lifetime"; + goto usage; + } + continue; + case 'z': + serial_len = read_serial(arg, serial, sizeof(serial)); + if (serial_len < 0) + { + snprintf(serial, sizeof(serial), + "parsing certificate '%s' failed", arg); + error = serial; + goto error; + } + add_revoked(list, chunk_create(serial, serial_len), reason, date); + date = time(NULL); + serial_len = 0; + reason = CRL_REASON_UNSPECIFIED; + continue; + case 's': + { + chunk_t chunk; + int hex_len; + + hex_len = strlen(arg); + if ((hex_len / 2) + (hex_len % 2) > sizeof(serial)) + { + error = "invalid serial"; + goto usage; + } + chunk = chunk_from_hex(chunk_create(arg, hex_len), serial); + serial_len = chunk.len; + add_revoked(list, chunk_create(serial, 
serial_len), reason, date); + date = time(NULL); + serial_len = 0; + reason = CRL_REASON_UNSPECIFIED; + continue; + } + case 'r': + if (streq(arg, "key-compromise")) + { + reason = CRL_REASON_KEY_COMPROMISE; + } + else if (streq(arg, "ca-compromise")) + { + reason = CRL_REASON_CA_COMPROMISE; + } + else if (streq(arg, "affiliation-changed")) + { + reason = CRL_REASON_AFFILIATION_CHANGED; + } + else if (streq(arg, "superseded")) + { + reason = CRL_REASON_SUPERSEDED; + } + else if (streq(arg, "cessation-of-operation")) + { + reason = CRL_REASON_CESSATION_OF_OPERATON; + } + else if (streq(arg, "certificate-hold")) + { + reason = CRL_REASON_CERTIFICATE_HOLD; + } + else + { + return command_usage( "invalid revocation reason"); + } + continue; + case 'd': + date = atol(arg); + if (!date) + { + error = "invalid date"; + goto usage; + } + continue; + case 'f': + if (!get_form(arg, &form, CRED_CERTIFICATE)) + { + return command_usage("invalid output format"); + } + continue; + case EOF: + break; + default: + error = "invalid --signcrl option"; + goto usage; + } + break; + } + + if (!cacert) + { + error = "--cacert is required"; + goto usage; + } + if (!cakey) + { + error = "--cakey is required"; + goto usage; + } + + ca = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, + BUILD_FROM_FILE, cacert, BUILD_END); + if (!ca) + { + error = "parsing CA certificate failed"; + goto error; + } + x509 = (x509_t*)ca; + if (!(x509->get_flags(x509) & X509_CA)) + { + error = "CA certificate misses CA basicConstraint"; + goto error; + } + public = ca->get_public_key(ca); + if (!public) + { + error = "extracting CA certificate public key failed"; + goto error; + } + private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, + public->get_type(public), + BUILD_FROM_FILE, cakey, BUILD_END); + if (!private) + { + error = "parsing CA private key failed"; + goto error; + } + if (!private->belongs_to(private, public)) + { + error = "CA private key does not match CA certificate"; + goto 
error; + } + + thisUpdate = time(NULL); + nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; + + if (lastupdate) + { + lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, lastupdate, BUILD_END); + if (!lastcrl) + { + error = "loading lastUpdate CRL failed"; + goto error; + } + memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, + min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + lastenum = lastcrl->create_enumerator(lastcrl); + } + + chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); + + enumerator = enumerator_create_filter(list->create_enumerator(list), + (void*)filter, NULL, NULL); + crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, + BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), + BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, + BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, + lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_END); + enumerator->destroy(enumerator); + DESTROY_IF(lastenum); + DESTROY_IF((certificate_t*)lastcrl); + + if (!crl) + { + error = "generating CRL failed"; + goto error; + } + if (!crl->get_encoding(crl, form, &encoding)) + { + error = "encoding CRL failed"; + goto error; + } + if (fwrite(encoding.ptr, encoding.len, 1, stdout) != 1) + { + error = "writing CRL failed"; + goto error; + } + +error: + DESTROY_IF(public); + DESTROY_IF(private); + DESTROY_IF(ca); + DESTROY_IF(crl); + free(encoding.ptr); + list->destroy_function(list, (void*)revoked_destroy); + if (error) + { + fprintf(stderr, "%s\n", error); + return 1; + } + return 0; + +usage: + list->destroy_function(list, (void*)revoked_destroy); + return command_usage(error); +} + +/** + * Register the command. 
+ */ +static void __attribute__ ((constructor))reg() +{ + command_register((command_t) { + sign_crl, 'c', "signcrl", + "issue a CRL using a CA certificate and key", + {"--cacert file --cakey file --lifetime days", + "[ [--reason key-compromise|ca-compromise|affiliation-changed|", + " superseded|cessation-of-operation|certificate-hold]", + " [--date timestamp]", + " --cert file | --serial hex ]*", + "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, + { + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, + } + }); +} diff --git a/src/pki/pki.c b/src/pki/pki.c index 0912d5051..d5dd03fa0 100644 --- a/src/pki/pki.c +++ b/src/pki/pki.c 
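Review bot: read_serial evaluates `cert = &x509->interface;` before checking the builder result, so a `--cert` file that fails to parse takes a member address through a NULL x509_t (undefined behaviour; the following `if (!cert)` only catches it by accident if interface happens to be the first member); test the pointer first, `if (!x509) { return -1; }`, and only then assign `cert = &x509->interface;`. In sign_crl, `lifetime * 24 * 60 * 60` is computed in int, so a negative `--lifetime` passes the `if (!lifetime)` check and yields a nextUpdate earlier than thisUpdate, while a very large one overflows; rejecting `lifetime <= 0` and doing the multiplication in time_t would close both. The CRL loaded via `--lastcrl` is merged into the new CRL without confirming it was issued by the certificate in `--cacert`, so revocation entries from another CA's CRL could be copied in by mistake; if certificate_t offers an issuer check (not visible in this hunk), applying it to lastcrl before `create_enumerator` would prevent that. Finally, the `return command_usage(...)` paths in `case 'r'` and `case 'f'` bypass the `usage:` label and leak `list`, unlike the other option errors which `goto usage`.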
@@ -21,26 +21,59 @@ /** * Convert a form string to a encoding type */ -bool get_form(char *form, key_encoding_type_t *type, bool pub) +bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type) { if (streq(form, "der")) { - /* der encoded keys usually contain the complete SubjectPublicKeyInfo */ - *type = pub ? KEY_PUB_SPKI_ASN1_DER : KEY_PRIV_ASN1_DER; + switch (type) + { + case CRED_CERTIFICATE: + *enc = CERT_ASN1_DER; + return TRUE; + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_ASN1_DER; + return TRUE; + case CRED_PUBLIC_KEY: + /* der encoded keys usually contain the complete + * SubjectPublicKeyInfo */ + *enc = PUBKEY_SPKI_ASN1_DER; + return TRUE; + default: + return FALSE; + } } else if (streq(form, "pem")) { - *type = pub ? KEY_PUB_PEM : KEY_PRIV_PEM; + switch (type) + { + case CRED_CERTIFICATE: + *enc = CERT_PEM; + return TRUE; + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_PEM; + return TRUE; + case CRED_PUBLIC_KEY: + *enc = PUBKEY_PEM; + return TRUE; + default: + return FALSE; + } } else if (streq(form, "pgp")) { - *type = pub ? KEY_PUB_PGP : KEY_PRIV_PGP; + switch (type) + { + case CRED_PRIVATE_KEY: + *enc = PRIVKEY_PGP; + return TRUE; + case CRED_PUBLIC_KEY: + *enc = PUBKEY_PGP; + return TRUE; + default: + return FALSE; + } } - else - { - return FALSE; - } - return TRUE; + return FALSE; } /** diff --git a/src/pki/pki.h b/src/pki/pki.h index 01b103c8f..9c145cdc0 100644 --- a/src/pki/pki.h +++ b/src/pki/pki.h @@ -29,7 +29,7 @@ /** * Convert a form string to a encoding type */ -bool get_form(char *form, key_encoding_type_t *type, bool pub); +bool get_form(char *form, cred_encoding_type_t *enc, credential_type_t type); /** * Convert a digest string to a hash algorithm diff --git a/src/pluto/Makefile.am b/src/pluto/Makefile.am index a264e642e..9f631ca28 100644 --- a/src/pluto/Makefile.am +++ b/src/pluto/Makefile.am 
@@ -37,6 +37,7 @@ nat_traversal.c nat_traversal.h \ ocsp.c ocsp.h \ packet.c packet.h \ pkcs7.c pkcs7.h \ +pluto.c pluto.h \ plutomain.c \ rcv_whack.c rcv_whack.h \ server.c server.h \ @@ -47,7 +48,8 @@ timer.c timer.h \ vendor.c vendor.h \ virtual.c virtual.h \ whack_attribute.c whack_attribute.h \ -xauth.c xauth.h \ +xauth/xauth_manager.c xauth/xauth_manager.h \ +xauth/xauth_provider.h xauth/xauth_verifier.h \ x509.c x509.h \ builder.c builder.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h @@ -67,12 +69,12 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/whack -AM_CFLAGS = \ +AM_CFLAGS = -rdynamic \ -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" \ -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ --DPLUGINS=\""${pluto_plugins}\"" \ +-DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" \ -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES \ -DPLUTO -DKLIPS -DDEBUG @@ -87,7 +89,12 @@ _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) +CLEANFILES = ipsec.secrets.5 dist_man_MANS = pluto.8 ipsec.secrets.5 +EXTRA_DIST = ipsec.secrets.5.in + +# compile options +################# # This compile option activates the sending of a strongSwan VID if USE_VENDORID @@ -114,10 +121,25 @@ if USE_SMARTCARD AM_CFLAGS += -DSMARTCARD endif -if USE_CAPABILITIES +if USE_LIBCAP pluto_LDADD += -lcap endif if USE_THREADS AM_CFLAGS += -DTHREADS endif + +# build optional plugins +######################## + +SUBDIRS = . + +if USE_XAUTH + SUBDIRS += plugins/xauth +endif + +ipsec.secrets.5 : ipsec.secrets.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 47be9acf7..41fc4927e 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in 
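Review bot: `-rdynamic` is a link-time option, yet the @@ -67 hunk adds it to AM_CFLAGS, so it is passed to every compile of both pluto and _pluto_adns and only takes effect because automake's link rule happens to carry AM_CFLAGS as well; the conventional place is `pluto_LDFLAGS = -rdynamic` (or AM_LDFLAGS), leaving AM_CFLAGS for the -D defines. Presumably the flag is there so the dlopen'ed xauth plugins added in the same change can resolve symbols from the pluto binary, but nothing says so; a one-line comment such as `# export pluto's symbols so loadable plugins can resolve them` next to it would spare the next reader the guess and make it clear the flag is deliberate rather than a leftover.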
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -40,6 +40,9 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) +# compile options +################# + # This compile option activates the sending of a strongSwan VID @USE_VENDORID_TRUE@am__append_1 = -DVENDORID @@ -54,8 +57,9 @@ ipsec_PROGRAMS = pluto$(EXEEXT) _pluto_adns$(EXEEXT) # This compile option activates smartcard support @USE_SMARTCARD_TRUE@am__append_5 = -DSMARTCARD -@USE_CAPABILITIES_TRUE@am__append_6 = -lcap +@USE_LIBCAP_TRUE@am__append_6 = -lcap @USE_THREADS_TRUE@am__append_7 = -DTHREADS +@USE_XAUTH_TRUE@am__append_8 = plugins/xauth subdir = src/pluto DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -91,11 +95,11 @@ am_pluto_OBJECTS = ac.$(OBJEXT) alg_info.$(OBJEXT) ca.$(OBJEXT) \ kernel_noklips.$(OBJEXT) kernel_pfkey.$(OBJEXT) keys.$(OBJEXT) \ lex.$(OBJEXT) log.$(OBJEXT) myid.$(OBJEXT) modecfg.$(OBJEXT) \ nat_traversal.$(OBJEXT) ocsp.$(OBJEXT) packet.$(OBJEXT) \ - pkcs7.$(OBJEXT) plutomain.$(OBJEXT) rcv_whack.$(OBJEXT) \ - server.$(OBJEXT) smartcard.$(OBJEXT) spdb.$(OBJEXT) \ - state.$(OBJEXT) timer.$(OBJEXT) vendor.$(OBJEXT) \ - virtual.$(OBJEXT) whack_attribute.$(OBJEXT) xauth.$(OBJEXT) \ - x509.$(OBJEXT) builder.$(OBJEXT) + pkcs7.$(OBJEXT) pluto.$(OBJEXT) plutomain.$(OBJEXT) \ + rcv_whack.$(OBJEXT) server.$(OBJEXT) smartcard.$(OBJEXT) \ + spdb.$(OBJEXT) state.$(OBJEXT) timer.$(OBJEXT) \ + vendor.$(OBJEXT) virtual.$(OBJEXT) whack_attribute.$(OBJEXT) \ + xauth_manager.$(OBJEXT) x509.$(OBJEXT) builder.$(OBJEXT) pluto_OBJECTS = $(am_pluto_OBJECTS) pluto_DEPENDENCIES = $(LIBSTRONGSWANDIR)/libstrongswan.la \ $(LIBFREESWANDIR)/libfreeswan.a $(LIBHYDRADIR)/libhydra.la \ 
@@ -116,6 +120,13 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES) DIST_SOURCES = $(_pluto_adns_SOURCES) $(pluto_SOURCES) +RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ + html-recursive info-recursive install-data-recursive \ + install-dvi-recursive install-exec-recursive \ + install-html-recursive install-info-recursive \ + install-pdf-recursive install-ps-recursive install-recursive \ + installcheck-recursive installdirs-recursive pdf-recursive \ + ps-recursive uninstall-recursive am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ 
@@ -141,9 +152,40 @@ man5dir = $(mandir)/man5 man8dir = $(mandir)/man8 NROFF = nroff MANS = $(dist_man_MANS) +RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ + distclean-recursive maintainer-clean-recursive +AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ + $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ + distdir ETAGS = etags CTAGS = ctags +DIST_SUBDIRS = . plugins/xauth DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +am__relativize = \ + dir0=`pwd`; \ + sed_first='s,^\([^/]*\)/.*$$,\1,'; \ + sed_rest='s,^[^/]*/*,,'; \ + sed_last='s,^.*/\([^/]*\)$$,\1,'; \ + sed_butlast='s,/*[^/]*$$,,'; \ + while test -n "$$dir1"; do \ + first=`echo "$$dir1" | sed -e "$$sed_first"`; \ + if test "$$first" != "."; then \ + if test "$$first" = ".."; then \ + dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ + dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ + else \ + first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ + if test "$$first2" = "$$first"; then \ + dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ + else \ + dir2="../$$dir2"; \ + fi; \ + dir0="$$dir0"/"$$first"; \ + fi; \ + fi; \ + dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ + done; \ + reldir="$$dir2" ACLOCAL = @ACLOCAL@ ALLOCA = @ALLOCA@ AMTAR = @AMTAR@ @@ -332,6 +374,7 @@ nat_traversal.c nat_traversal.h \ ocsp.c ocsp.h \ packet.c packet.h \ pkcs7.c pkcs7.h \ +pluto.c pluto.h \ plutomain.c \ rcv_whack.c rcv_whack.h \ server.c server.h \ @@ -342,7 +385,8 @@ timer.c timer.h \ vendor.c vendor.h \ virtual.c virtual.h \ whack_attribute.c whack_attribute.h \ -xauth.c xauth.h \ +xauth/xauth_manager.c xauth/xauth_manager.h \ +xauth/xauth_provider.h xauth/xauth_verifier.h \ x509.c x509.h \ builder.c builder.h \ rsaref/pkcs11t.h rsaref/pkcs11.h rsaref/unix.h rsaref/pkcs11f.h 
@@ -358,10 +402,10 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/whack -AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ +AM_CFLAGS = -rdynamic -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DSHARED_SECRETS_FILE=\"${sysconfdir}/ipsec.secrets\" \ - -DPLUGINS=\""${pluto_plugins}\"" \ + -DPLUGINS=\""${pluto_plugins} ${libhydra_plugins}\"" \ -DPKCS11_DEFAULT_LIB=\"${default_pkcs11}\" -DKERNEL26_SUPPORT \ -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO -DKLIPS -DDEBUG \ $(am__append_1) $(am__append_2) $(am__append_3) \ @@ -373,8 +417,14 @@ _pluto_adns_LDADD = \ $(LIBFREESWANDIR)/libfreeswan.a \ -lresolv $(DLLIB) +CLEANFILES = ipsec.secrets.5 dist_man_MANS = pluto.8 ipsec.secrets.5 -all: all-am +EXTRA_DIST = ipsec.secrets.5.in + +# build optional plugins +######################## +SUBDIRS = . $(am__append_8) +all: all-recursive .SUFFIXES: .SUFFIXES: .c .lo .o .obj @@ -497,6 +547,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ocsp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/packet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pkcs7.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pluto.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/plutomain.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rcv_whack.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/server.Po@am__quote@ @@ -508,7 +559,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virtual.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/whack_attribute.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_manager.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -531,6 +582,20 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +xauth_manager.o: xauth/xauth_manager.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.o -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xauth/xauth_manager.c' object='xauth_manager.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.o `test -f 'xauth/xauth_manager.c' || echo '$(srcdir)/'`xauth/xauth_manager.c + +xauth_manager.obj: xauth/xauth_manager.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT xauth_manager.obj -MD -MP -MF $(DEPDIR)/xauth_manager.Tpo -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/xauth_manager.Tpo $(DEPDIR)/xauth_manager.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xauth/xauth_manager.c' object='xauth_manager.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o xauth_manager.obj `if test -f 'xauth/xauth_manager.c'; then $(CYGPATH_W) 'xauth/xauth_manager.c'; else $(CYGPATH_W) '$(srcdir)/xauth/xauth_manager.c'; fi` + mostlyclean-libtool: 
-rm -f *.lo 
@@ -613,6 +678,76 @@ uninstall-man8: echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } +# This directory's subdirectories are mostly independent; you can cd +# into them and run `make' without going through this Makefile. +# To change the values of `make' variables: instead of editing Makefiles, +# (1) if the variable is set in `config.status', edit `config.status' +# (which will cause the Makefiles to be regenerated when you run `make'); +# (2) otherwise, pass the desired values on the `make' command line. +$(RECURSIVE_TARGETS): + @fail= failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + target=`echo $@ | sed s/-recursive//`; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + dot_seen=yes; \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval $$failcom; \ + done; \ + if test "$$dot_seen" = "no"; then \ + $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ + fi; test -z "$$fail" + +$(RECURSIVE_CLEAN_TARGETS): + @fail= failcom='exit 1'; \ + for f in x $$MAKEFLAGS; do \ + case $$f in \ + *=* | --[!k]*);; \ + *k*) failcom='fail=yes';; \ + esac; \ + done; \ + dot_seen=no; \ + case "$@" in \ + distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ + *) list='$(SUBDIRS)' ;; \ + esac; \ + rev=''; for subdir in $$list; do \ + if test "$$subdir" = "."; then :; else \ + rev="$$subdir $$rev"; \ + fi; \ + done; \ + rev="$$rev ."; \ + target=`echo $@ | sed s/-recursive//`; \ + for subdir in $$rev; do \ + echo "Making $$target in $$subdir"; \ + if test "$$subdir" = "."; then \ + local_target="$$target-am"; \ + else \ + local_target="$$target"; \ + fi; \ + ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ + || eval 
$$failcom; \ + done && test -z "$$fail" +tags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ + done +ctags-recursive: + list='$(SUBDIRS)'; for subdir in $$list; do \ + test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ + done + ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ @@ -623,10 +758,23 @@ ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) mkid -fID $$unique tags: TAGS -TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) set x; \ here=`pwd`; \ + if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ + include_option=--etags-include; \ + empty_fix=.; \ + else \ + include_option=--include; \ + empty_fix=; \ + fi; \ + list='$(SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test ! -f $$subdir/TAGS || \ + set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ + fi; \ + done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ @@ -645,7 +793,7 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ fi; \ fi ctags: CTAGS -CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ +CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ 
@@ -708,22 +856,51 @@ distdir: $(DISTFILES) || exit 1; \ fi; \ done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + test -d "$(distdir)/$$subdir" \ + || $(MKDIR_P) "$(distdir)/$$subdir" \ + || exit 1; \ + fi; \ + done + @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" = .; then :; else \ + dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ + $(am__relativize); \ + new_distdir=$$reldir; \ + dir1=$$subdir; dir2="$(top_distdir)"; \ + $(am__relativize); \ + new_top_distdir=$$reldir; \ + echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ + echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ + ($(am__cd) $$subdir && \ + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$$new_top_distdir" \ + distdir="$$new_distdir" \ + am__remove_distdir=: \ + am__skip_length_check=: \ + am__skip_mode_fix=: \ + distdir) \ + || exit 1; \ + fi; \ + done check-am: all-am -check: check-am +check: check-recursive all-am: Makefile $(PROGRAMS) $(MANS) -installdirs: +installdirs: installdirs-recursive +installdirs-am: for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man5dir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am +install: install-recursive +install-exec: install-exec-recursive +install-data: install-data-recursive +uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am -installcheck: installcheck-am +installcheck: installcheck-recursive install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ 
@@ -732,6 +909,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -740,72 +918,72 @@ distclean-generic: maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." -clean: clean-am +clean: clean-recursive clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \ mostlyclean-am -distclean: distclean-am +distclean: distclean-recursive -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags -dvi: dvi-am +dvi: dvi-recursive dvi-am: -html: html-am +html: html-recursive html-am: -info: info-am +info: info-recursive info-am: install-data-am: install-ipsecPROGRAMS install-man -install-dvi: install-dvi-am +install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: -install-html: install-html-am +install-html: install-html-recursive install-html-am: -install-info: install-info-am +install-info: install-info-recursive install-info-am: install-man: install-man5 install-man8 -install-pdf: install-pdf-am +install-pdf: install-pdf-recursive install-pdf-am: -install-ps: install-ps-am +install-ps: install-ps-recursive install-ps-am: installcheck-am: -maintainer-clean: maintainer-clean-am +maintainer-clean: maintainer-clean-recursive -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic -mostlyclean: mostlyclean-am +mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-compile mostlyclean-generic \ mostlyclean-libtool -pdf: pdf-am +pdf: pdf-recursive pdf-am: -ps: ps-am +ps: ps-recursive ps-am: 
@@ -813,27 +991,35 @@ uninstall-am: uninstall-ipsecPROGRAMS uninstall-man uninstall-man: uninstall-man5 uninstall-man8 -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ - clean-ipsecPROGRAMS clean-libtool ctags distclean \ - distclean-compile distclean-generic distclean-libtool \ - distclean-tags distdir dvi dvi-am html html-am info info-am \ - install install-am install-data install-data-am install-dvi \ - install-dvi-am install-exec install-exec-am install-html \ - install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man5 install-man8 \ - install-pdf install-pdf-am install-ps install-ps-am \ - install-strip installcheck installcheck-am installdirs \ - maintainer-clean maintainer-clean-generic mostlyclean \ - mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ - pdf pdf-am ps ps-am tags uninstall uninstall-am \ +.MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ + install-am install-strip tags-recursive + +.PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ + all all-am check check-am clean clean-generic \ + clean-ipsecPROGRAMS clean-libtool ctags ctags-recursive \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-ipsecPROGRAMS install-man install-man5 \ + install-man8 install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs installdirs-am maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags tags-recursive uninstall uninstall-am \ uninstall-ipsecPROGRAMS uninstall-man uninstall-man5 \ uninstall-man8 plutomain.o 
: $(top_builddir)/config.status +ipsec.secrets.5 : ipsec.secrets.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/pluto/ac.c b/src/pluto/ac.c index 3ee05d213..3339d91fb 100644 --- a/src/pluto/ac.c +++ b/src/pluto/ac.c @@ -141,7 +141,7 @@ static void ac_add_cert(certificate_t *cert) if (hIssuer->equals(hIssuer, ac_old->get_holderIssuer(ac_old)) && chunk_equals(hSerial, ac_old->get_holderSerial(ac_old))) { - if (cert->is_newer(cert, cert_old)) + if (certificate_is_newer(cert, cert_old)) { acerts->remove_at(acerts, enumerator); cert_old->destroy(cert_old); diff --git a/src/pluto/certs.c b/src/pluto/certs.c index 8bce4c5c2..24e8ffb27 100644 --- a/src/pluto/certs.c +++ b/src/pluto/certs.c @@ -318,11 +318,11 @@ void list_pgp_end_certs(bool utc) key_type_names, key->get_type(key), key->get_keysize(key) * BITS_PER_BYTE, has_private_key(cert)? ", has private key" : ""); - if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid)) { whack_log(RC_COMMENT, " keyid: %#B", &keyid); } - if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid)) + if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid)) { whack_log(RC_COMMENT, " subjkey: %#B", &keyid); } diff --git a/src/pluto/connections.c b/src/pluto/connections.c index dd193042a..e1f47f2d6 100644 --- a/src/pluto/connections.c +++ b/src/pluto/connections.c @@ -63,6 +63,7 @@ #include "nat_traversal.h" #include "virtual.h" #include "whack_attribute.h" +#include "modecfg.h" static void flush_pending_by_connection(connection_t *c); /* forward */ 
@@ -294,8 +295,10 @@ void release_connection(connection_t *c, bool relations) void delete_connection(connection_t *c, bool relations) { - connection_t *old_cur_connection - = cur_connection == c? NULL : cur_connection; + modecfg_attribute_t *ca; + connection_t *old_cur_connection; + + old_cur_connection = cur_connection == c? NULL : cur_connection; #ifdef DEBUG lset_t old_cur_debugging = cur_debugging; #endif @@ -366,14 +369,29 @@ void delete_connection(connection_t *c, bool relations) /* release virtual IP address lease if any */ if (c->spd.that.modecfg && c->spd.that.pool && - !isanyaddr(&c->spd.that.host_srcip)) + !c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { - host_t *vip; - - vip = host_create_from_sockaddr((sockaddr_t*)&c->spd.that.host_srcip); hydra->attributes->release_address(hydra->attributes, c->spd.that.pool, - vip, c->spd.that.id); - vip->destroy(vip); + c->spd.that.host_srcip, c->spd.that.id); + } + + /* release requested attributes if any */ + if (c->requested) + { + c->requested->destroy_function(c->requested, + (void*)modecfg_attribute_destroy); + } + + /* release other attributes if any */ + if (c->attributes) + { + while (c->attributes->remove_last(c->attributes, (void **)&ca) == SUCCESS) + { + hydra->attributes->release(hydra->attributes, ca->handler, + c->spd.that.id, ca->type, ca->value); + modecfg_attribute_destroy(ca); + } + c->attributes->destroy(c->attributes); } if (c->kind != CK_GOING_AWAY) @@ -386,14 +404,17 @@ void delete_connection(connection_t *c, bool relations) cur_debugging = old_cur_debugging; #endif free(c->name); + DESTROY_IF(c->xauth_identity); DESTROY_IF(c->spd.this.id); DESTROY_IF(c->spd.this.ca); DESTROY_IF(c->spd.this.groups); + DESTROY_IF(c->spd.this.host_srcip); free(c->spd.this.updown); free(c->spd.this.pool); DESTROY_IF(c->spd.that.id); DESTROY_IF(c->spd.that.ca); DESTROY_IF(c->spd.that.groups); + DESTROY_IF(c->spd.that.host_srcip); free(c->spd.that.updown); free(c->spd.that.pool); if (c->requested_ca) 
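Review bot: `c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)` in the second hunk dereferences the new `host_t` pointer with no NULL check, and the same unguarded use appears in format_end, unshare_connection_strings, extract_end, ISAKMP_SA_established and fc_try in the hunks that follow. The object is created in extract_end with `dst->host_srcip = host_create_from_sockaddr((sockaddr_t*)&src->host_srcip);` and that result is never checked; if the constructor can return NULL for a sockaddr family it does not handle (not visible in this diff), every one of these sites becomes a null dereference on a connection added with an unexpected sourceip. Either check the result in extract_end and reject the end (extract_end already returns bool per the hunk header), or document at the `struct end` member that `host_srcip` is guaranteed non-NULL once extract_end has run, so the callers' omission is deliberate. delete_connection's body continues outside these hunks.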
@@ -656,7 +677,7 @@ size_t format_end(char *buf, size_t buf_len, const struct end *this, subnettot(&this->client, 0, client, sizeof(client)); } } - else if (this->modecfg && isanyaddr(&this->host_srcip)) + else if (this->modecfg && this->host_srcip->is_anyaddr(this->host_srcip)) { /* we are mode config client, or a server with a pool */ client_sep = "==="; @@ -738,9 +759,14 @@ static size_t format_connection(char *buf, size_t buf_len, static void unshare_connection_strings(connection_t *c) { c->name = clone_str(c->name); + if (c->xauth_identity) + { + c->xauth_identity = c->xauth_identity->clone(c->xauth_identity); + } c->spd.this.id = c->spd.this.id->clone(c->spd.this.id); c->spd.this.pool = clone_str(c->spd.this.pool); c->spd.this.updown = clone_str(c->spd.this.updown); + c->spd.this.host_srcip = c->spd.this.host_srcip->clone(c->spd.this.host_srcip); scx_share(c->spd.this.sc); cert_share(c->spd.this.cert); if (c->spd.this.ca) @@ -754,6 +780,7 @@ static void unshare_connection_strings(connection_t *c) c->spd.that.id = c->spd.that.id->clone(c->spd.that.id); c->spd.that.pool = clone_str(c->spd.that.pool); c->spd.that.updown = clone_str(c->spd.that.updown); + c->spd.that.host_srcip = c->spd.that.host_srcip->clone(c->spd.that.host_srcip); scx_share(c->spd.that.sc); cert_share(c->spd.that.cert); if (c->spd.that.ca) @@ -902,7 +929,7 @@ static bool extract_end(struct end *dst, const whack_end_t *src, /* the rest is simple copying of corresponding fields */ dst->host_addr = src->host_addr; dst->host_nexthop = src->host_nexthop; - dst->host_srcip = src->host_srcip; + dst->host_srcip = host_create_from_sockaddr((sockaddr_t*)&src->host_srcip); dst->has_natip = src->has_natip; dst->client = src->client; dst->protocol = src->protocol; 
@@ -927,10 +954,14 @@ static bool extract_end(struct end *dst, const whack_end_t *src, /* if host sourceip is defined but no client is present * behind the host then set client to sourceip/32 */ - if (addrbytesptr(&dst->host_srcip, NULL) && - !isanyaddr(&dst->host_srcip) && !dst->has_natip && !dst->has_client) + if (!dst->host_srcip->is_anyaddr(dst->host_srcip) && + !dst->has_natip && !dst->has_client) { - err_t ugh = addrtosubnet(&dst->host_srcip, &dst->client); + ip_address addr; + err_t ugh; + + addr = *(ip_address*)dst->host_srcip->get_sockaddr(dst->host_srcip); + ugh = addrtosubnet(&addr, &dst->client); if (ugh) { @@ -1110,6 +1141,12 @@ void add_connection(const whack_message_t *wm) } } + if (wm->xauth_identity) + { + c->xauth_identity + = identification_create_from_string(wm->xauth_identity); + } + c->sa_ike_life_seconds = wm->sa_ike_life_seconds; c->sa_ipsec_life_seconds = wm->sa_ipsec_life_seconds; c->sa_rekey_margin = wm->sa_rekey_margin; @@ -1211,7 +1248,8 @@ void add_connection(const whack_message_t *wm) c->spd.that.modecfg = TRUE; c->spd.that.has_client = FALSE; /* reset the host_srcip so that it gets assigned in modecfg */ - anyaddr(AF_INET, &c->spd.that.host_srcip); + DESTROY_IF(c->spd.that.host_srcip); + c->spd.that.host_srcip = host_create_any(AF_INET); } if (c->ikev1) @@ -3046,7 +3084,8 @@ void ISAKMP_SA_established(connection_t *c, so_serial_t serial) /* the connection is now oriented so that we are able to determine * whether we are a mode config server with a virtual IP to send. */ - if (!isanyaddr(&c->spd.that.host_srcip) && !c->spd.that.has_natip) + if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip) && + !c->spd.that.has_natip) { c->spd.that.modecfg = TRUE; } 
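Review bot: `addr = *(ip_address*)dst->host_srcip->get_sockaddr(dst->host_srcip);` in the first hunk copies `sizeof(ip_address)` bytes out of whatever storage backs the `host_t`, which is only safe if that storage is at least as large as pluto's `ip_address` union for every address family; the cast `(ip_address*)vip->get_sockaddr(vip)` in fc_try (later hunk) makes the same assumption. Nothing in the diff states that relationship, so it should at least be recorded where the copy is made, e.g. `/* assumes the sockaddr behind host_t is at least sizeof(ip_address) — verify against host_t */`; copying only the host's reported sockaddr length into a zeroed `ip_address` with memcpy would remove the dependency entirely. extract_end's body continues outside the hunk.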
@@ -3693,8 +3732,10 @@ static connection_t *fc_try(const connection_t *c, struct host_pair *hp, } else { + host_t *vip = c->spd.that.host_srcip; + if (!peer_net_is_host && !(sr->that.modecfg && c->spd.that.modecfg && - subnetisaddr(peer_net, &c->spd.that.host_srcip))) + subnetisaddr(peer_net, (ip_address*)vip->get_sockaddr(vip)))) { continue; } diff --git a/src/pluto/connections.h b/src/pluto/connections.h index 66aea1541..b67f0b562 100644 --- a/src/pluto/connections.h +++ b/src/pluto/connections.h @@ -1,6 +1,6 @@ /* information about connections between hosts and clients * Copyright (C) 1998-2001 D. Hugh Redelmeier - * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil + * Copyright (C) 2009-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -18,6 +18,7 @@ #include +#include #include #include #include @@ -131,10 +132,8 @@ struct virtual_t; struct end { identification_t *id; - ip_address - host_addr, - host_nexthop, - host_srcip; + ip_address host_addr, host_nexthop; + host_t *host_srcip; ip_subnet client; bool is_left; @@ -184,6 +183,8 @@ struct connection { unsigned long sa_rekey_fuzz; unsigned long sa_keying_tries; + identification_t *xauth_identity; /* XAUTH identity */ + /* RFC 3706 DPD */ time_t dpd_delay; time_t dpd_timeout; @@ -226,6 +227,8 @@ struct connection { connection_t *hp_next; /* host pair list link */ connection_t *ac_next; /* all connections list link */ linked_list_t *requested_ca; /* collected certificate requests */ + linked_list_t *requested; /* requested attributes with handlers */ + linked_list_t *attributes; /* configuration attributes with handlers */ bool got_certrequest; }; diff --git a/src/pluto/constants.h b/src/pluto/constants.h index e9567c07a..790bbefa6 100644 --- a/src/pluto/constants.h +++ b/src/pluto/constants.h 
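Review bot: The new members `xauth_identity`, `requested` and `attributes` in the connections.h hunks carry comments that say what they are but not who owns them or whether NULL is legal, yet delete_connection (earlier hunk) frees all three and tests `requested`, `attributes` and `xauth_identity` for NULL before use, and unshare_connection_strings clones `xauth_identity` only when set. Suggest `/* XAUTH identity, owned by the connection, NULL if not configured */` and analogous lines for the two lists, naming `modecfg_attribute_t` as the element type (delete_connection drains `attributes` with `remove_last` into a `modecfg_attribute_t*`). `host_srcip` changed from an embedded `ip_address` to a `host_t *` and likewise deserves a note that it is created in extract_end and destroyed in delete_connection.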
@@ -543,45 +543,6 @@ extern enum_names attr_msg_type_names; extern enum_names modecfg_attr_names; -/* XAUTH attribute values */ -#define XAUTH_TYPE 16520 -#define XAUTH_USER_NAME 16521 -#define XAUTH_USER_PASSWORD 16522 -#define XAUTH_PASSCODE 16523 -#define XAUTH_MESSAGE 16524 -#define XAUTH_CHALLENGE 16525 -#define XAUTH_DOMAIN 16526 -#define XAUTH_STATUS 16527 -#define XAUTH_NEXT_PIN 16528 -#define XAUTH_ANSWER 16529 - -#define XAUTH_BASE XAUTH_TYPE - -extern enum_names xauth_attr_names; - -/* ISAKMP mode config attributes specific to Microsoft */ -#define INTERNAL_IP4_SERVER 23456 -#define INTERNAL_IP6_SERVER 23457 - -extern enum_names microsoft_attr_names; - -/* ISAKMP mode config attributes specific to the Unity vendor ID */ -#define UNITY_BANNER 28672 -#define UNITY_SAVE_PASSWD 28673 -#define UNITY_DEF_DOMAIN 28674 -#define UNITY_SPLITDNS_NAME 28675 -#define UNITY_SPLIT_INCLUDE 28676 -#define UNITY_NATT_PORT 28677 -#define UNITY_LOCAL_LAN 28678 -#define UNITY_PFS 28679 -#define UNITY_FW_TYPE 28680 -#define UNITY_BACKUP_SERVERS 28681 -#define UNITY_DDNS_HOSTNAME 28682 - -#define UNITY_BASE UNITY_BANNER - -extern enum_names unity_attr_names; - /* XAUTH authentication types */ #define XAUTH_TYPE_GENERIC 0 #define XAUTH_TYPE_CHAP 1 diff --git a/src/pluto/crl.c b/src/pluto/crl.c index 84fe77554..c8fb107d5 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -159,7 +159,7 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl) { certificate_t *old_cert_crl = oldcrl->crl; - if (cert_crl->is_newer(cert_crl, old_cert_crl)) + if (crl_is_newer((crl_t*)cert_crl, (crl_t*)old_cert_crl)) { /* keep any known CRL distribution points */ add_distribution_points(x509crl->distributionPoints, 
@@ -202,9 +202,11 @@ bool insert_crl(x509crl_t *x509crl, char *crl_uri, bool cache_crl) snprintf(buf, sizeof(buf), "%s/%s.crl", CRL_PATH, hex); free(hex.ptr); - encoding = cert_crl->get_encoding(cert_crl); - chunk_write(encoding, buf, "crl", 022, TRUE); - free(encoding.ptr); + if (cert_crl->get_encoding(cert_crl, CERT_ASN1_DER, &encoding)) + { + chunk_write(encoding, buf, "crl", 022, TRUE); + free(encoding.ptr); + } } /* is the fetched crl valid? */ @@ -313,7 +315,7 @@ void check_crls(void) certificate_t *cert_crl = x509crl->crl; crl_t *crl = (crl_t*)cert_crl; identification_t *issuer = cert_crl->get_issuer(cert_crl); - chunk_t authKeyID = crl->get_authKeyIdentifier(crl); + chunk_t authKeyID = crl->get_authKeyIdentifier(crl); cert_crl->get_validity(cert_crl, &now, NULL, &nextUpdate); time_left = nextUpdate - now; @@ -353,7 +355,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, char *point; ca = get_ca_info(issuer, authKeyID); - + *revocationDate = UNDEFINED_TIME; *revocationReason = CRL_REASON_UNSPECIFIED; diff --git a/src/pluto/demux.c b/src/pluto/demux.c index fad1450cd..617353c6c 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1215,7 +1215,7 @@ read_packet(struct msg_digest *md) /* ignore IKEv2 packets - they will be handled by charon */ if (pbs_room(&md->packet_pbs) > IKEV2_VERSION_OFFSET - && md->packet_pbs.start[IKEV2_VERSION_OFFSET] == IKEV2_VERSION) + && (md->packet_pbs.start[IKEV2_VERSION_OFFSET] & 0xF0) == IKEV2_VERSION) { DBG(DBG_CONTROLMORE, DBG_log(" ignoring IKEv2 packet") diff --git a/src/pluto/demux.h b/src/pluto/demux.h index 2161bbd02..6ce53c14f 100644 --- a/src/pluto/demux.h +++ b/src/pluto/demux.h 
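Review bot: The `get_encoding()` failure path in the first hunk is silent: when no DER encoding can be produced the CRL is simply not written to `buf` and insert_crl carries on as if it had been cached, which makes a missing cache file hard to diagnose later. An `else` branch with a diagnostic, e.g. `DBG_log("could not encode CRL, not writing %s", buf);` (DBG_log is already in use elsewhere in this diff), would keep the best-effort behaviour while leaving a trace. insert_crl's body continues outside the hunk.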
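Review bot: `(md->packet_pbs.start[IKEV2_VERSION_OFFSET] & 0xF0) == IKEV2_VERSION` in the demux.c hunk only does what is intended if `IKEV2_VERSION` is defined as the whole version byte with the major number in the high nibble, not as the bare major number; the definition is not in this diff, so please confirm and record the intent with `/* only the major version nibble identifies IKEv2; the minor nibble may be non-zero */`. With the previous exact comparison an IKEv2 packet carrying a non-zero minor version would have fallen through to the IKEv1 parser, so the masked comparison is a useful hardening of the demux path. read_packet's body continues outside the hunk.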
@@ -12,9 +12,12 @@ * for more details. */ +#ifndef _DEMUX_H +#define _DEMUX_H + #include "packet.h" +#include "state.h" -struct state; /* forward declaration of tag */ extern void init_demux(void); extern bool send_packet(struct state *st, const char *where); extern void comm_handle(const struct iface *ifp); @@ -90,3 +93,5 @@ typedef stf_status state_transition_fn(struct msg_digest *md); extern void complete_state_transition(struct msg_digest **mdp, stf_status result); extern void free_md_pool(void); + +#endif /* _DEMUX_H */ diff --git a/src/pluto/dnskey.c b/src/pluto/dnskey.c index ec56b8530..4f8e4ebf4 100644 --- a/src/pluto/dnskey.c +++ b/src/pluto/dnskey.c @@ -424,7 +424,7 @@ static err_t process_txt_rr_body(u_char *str, bool doit, public_key_t *key = gi.key->public_key; if (gi.gw_key_present && - key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &keyid)) + key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &keyid)) { DBG_log("gateway for %s is %s with key %#B", client_id, gi.gw_id, &keyid); diff --git a/src/pluto/ipsec.secrets.5 b/src/pluto/ipsec.secrets.5 index 3cce4d3f8..6c39f86e1 100644 --- a/src/pluto/ipsec.secrets.5 +++ b/src/pluto/ipsec.secrets.5 
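Review bot: The new include guard `_DEMUX_H` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); `DEMUX_H` or `PLUTO_DEMUX_H` avoids the clash, and the same name should be used in the `#endif` comment of the second hunk. The forward declaration `struct state;` that this hunk removes was sufficient for the visible prototypes, which only use `struct state *`, so replacing it with `#include "state.h"` widens the header dependency; if state.h includes demux.h in turn, the new guards are what keep the pair compiling, and a short comment next to the include saying why the full header is needed would stop a later cleanup from reverting it.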
@@ -1,148 +1,116 @@ -.TH IPSEC.SECRETS 5 "28 March 1999" +.TH IPSEC.SECRETS 5 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION The file \fIipsec.secrets\fP holds a table of secrets. -These secrets are used by \fIipsec_pluto\fP(8), the FreeS/WAN Internet Key -Exchange daemon, to authenticate other hosts. -Currently there are two kinds of secrets: preshared secrets and -.\" the private part of DSS keys. -RSA private keys. +These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons +pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. .LP It is vital that these secrets be protected. The file should be owned by the super-user, and its permissions should be set to block all access by others. .LP The file is a sequence of entries and include directives. -Here is an example. Each entry or directive must start at the -left margin, but if it continues beyond a single line, each continuation -line must be indented. +Here is an example. .LP .RS .nf -# sample /etc/ipsec.secrets file for 10.1.0.1 -10.1.0.1 10.2.0.1: PSK "secret shared by two hosts" +# /etc/ipsec.secrets - strongSwan IPsec secrets file +192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" -# an entry may be split across lines, -# but indentation matters -www.xs4all.nl @www.kremvax.ru -\ \ \ \ 10.6.0.1 10.7.0.1 1.8.0.1: PSK "secret shared by 5" +: RSA moonKey.pem -.\" # Private part of our DSS key, in base 64, -.\" # as generated by BIND 8.2.1's dnskeygen. -.\" # Since this is the default key for this host, -.\" # there is no need to specify indices. -.\" : DSS 0siMs0N/hfRoCBMXA6plPtuv58/+c= -# an RSA private key. -# note that the lines are too wide for a -# man page, so ... has been substituted for -# the truncated part -@my.com: rsa { -\ \ \ \ Modulus:\ 0syXpo/6waam+ZhSs8Lt6jnBzu3C4grtt... -\ \ \ \ PublicExponent:\ 0sAw== -\ \ \ \ PrivateExponent:\ 0shlGbVR1m8Z+7rhzSyenCaBN... 
-\ \ \ \ Prime1:\ 0s8njV7WTxzVzRz7AP+0OraDxmEAt1BL5l... -\ \ \ \ Prime2:\ 0s1LgR7/oUMo9BvfU8yRFNos1s211KX5K0... -\ \ \ \ Exponent1:\ 0soaXj85ihM5M2inVf/NfHmtLutVz4r... -\ \ \ \ Exponent2:\ 0sjdAL9VFizF+BKU4ohguJFzOd55OG6... -\ \ \ \ Coefficient:\ 0sK1LWwgnNrNFGZsS/2GuMBg9nYVZ... -\ \ \ \ } +alice@strongswan.org : EAP "x3.dEhgN" -include ipsec.*.secrets # get secrets from other files +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" + +# get secrets from other files +include ipsec.*.secrets .fi .RE .LP -Each entry in the file is a list of indices, followed by a secret. -The two parts are separated by a colon (\fB:\fP) that is -followed by whitespace or a newline. For compatability -with the previous form of this file, if the key part is just a -double-quoted string the colon may be left out. +Each entry in the file is a list of optional ID selectors, followed by a secret. +The two parts are separated by a colon (\fB:\fP) that is surrounded +by whitespace. If no ID selectors are specified the line must start with a +colon. .LP -An index is an IP address, or a Fully Qualified Domain Name, user@FQDN, +A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, \fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written in the familiar dotted quad form or as a domain name to be looked up -when the file is loaded -(or in any of the forms supported by the FreeS/WAN \fIipsec_ttoaddr\fP(3) -routine). In many cases it is a bad idea to use domain names because +when the file is loaded. +In many cases it is a bad idea to use domain names because the name server may not be running or may be insecure. To denote a Fully Qualified Domain Name (as opposed to an IP address denoted by its domain name), precede the name with an at sign (\fB@\fP). .LP -Matching IDs with indices is fairly straightforward: they have to be +Matching IDs with selectors is fairly straightforward: they have to be equal. 
In the case of a ``Road Warrior'' connection, if an equal match is not found for the Peer's ID, and it is in the form of an IP -address, an index of \fB%any\fP will match the peer's IP address if IPV4 +address, a selector of \fB%any\fP will match the peer's IP address if IPV4 and \fB%any6\fP will match a the peer's IP address if IPV6. Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of \fB%any\fP. .LP -An additional complexity +In IKEv1 an additional complexity arises in the case of authentication by preshared secret: the responder will need to look up the secret before the Peer's ID payload has been decoded, so the ID used will be the IP address. .LP To authenticate a connection between two hosts, the entry that most specifically matches the host and peer IDs is used. An entry with no -index will match any host and peer. More specifically, an entry with one index will -match a host and peer if the index matches the host's ID (the peer isn't -considered). Still more specifically, an entry with multiple indices will match a host and -peer if the host ID and peer ID each match one of the indices. If the key -is for an asymmetric authentication technique (i.e. a public key -system such as RSA), an entry with multiple indices will match a host -and peer even if only the host ID matches an index (it is presumed that the -multiple indices are all identities of the host). +selectors will match any host and peer. More specifically, an entry with one +selector will match a host and peer if the selector matches the host's ID (the +peer isn't considered). Still more specifically, an entry with multiple +selectors will match a host and peer if the host ID and peer ID each match one +of the selectors. If the key is for an asymmetric authentication technique +(i.e. 
a public key system such as RSA), an entry with multiple selectors will +match a host and peer even if only the host ID matches a selector (it is +presumed that the selectors are all identities of the host). It is acceptable for two entries to be the best match as long as they agree about the secret or private key. .LP Authentication by preshared secret requires that both systems find the identical secret (the secret is not actually transmitted by the IKE -protocol). If both the host and peer appear in the index list, the +protocol). If both the host and peer appear in the selector list, the same entry will be suitable for both systems so verbatim copying between systems can be used. This naturally extends to larger groups -sharing the same secret. Thus multiple-index entries are best for PSK +sharing the same secret. Thus multiple-selector entries are best for PSK authentication. .LP -Authentication by RSA Signatures requires that each host have its own private -key. A host could reasonably use a different private keys +Authentication by public key systems such as RSA requires that each host +have its own private key. A host could reasonably use a different private keys for different interfaces and for different peers. But it would not -be normal to share entries between systems. Thus thus no-index and -one-index forms of entry often make sense for RSA Signature authentication. -.LP -The key part of an entry may start with a token indicating the kind of -key. ``RSA'' signifies RSA private key and ``PSK'' signifies -PreShared Key (case is ignored). For compatability with previous -forms of this file, PSK is the default. -.LP -A preshared secret is most conveniently represented as a sequence of -characters, delimited by the double-quote -character (\fB"\fP). The sequence cannot contain a newline or -double-quote. 
Strictly speaking, the secret is actually the sequence -of bytes that is used in the file to represent the sequence of -characters (excluding the delimiters). -A preshared secret may also be represented, without quotes, in any form supported by -\fIipsec_ttodata\fP(3). -.LP -An RSA private key is a composite of eight generally large numbers. The notation -used is a brace-enclosed list of field name and value pairs (see the example above). -A suitable key, in a suitable format, may be generated by \fIipsec_rsasigkey\fP(8). -The structure is very similar to that used by BIND 8.2.2 or later, but note that -the numbers must have a ``0s'' prefix if they are in base 64. The order of -the fields is fixed. -.LP -The first token an entry must start in -the first column of its line. Subsequent tokens must be -separated by whitespace, -except for a colon token, which only needs to be followed by whitespace. -A newline is taken as whitespace, but every -line of an entry after the first must be indented. -.LP -Whitespace at the end of a line is ignored (except in the 0t -notation for a key). At the start of line or +be normal to share entries between systems. Thus thus no-selector and +one-selector forms of entry often make sense for public key authentication. +.LP +The key part of an entry must start with a token indicating the kind of +key. The following types of secrets are currently supported: +.TP +.B PSK +defines a pre-shared key +.TP +.B RSA +defines an RSA private key +.TP +.B ECDSA +defines an ECDSA private key +.TP +.B EAP +defines EAP credentials +.TP +.B XAUTH +defines XAUTH credentials +.TP +.B PIN +defines a smartcard PIN +.LP +Details on each type of secret are given below. +.LP +Whitespace at the end of a line is ignored. At the start of a line or after whitespace, \fB#\fP and the following text up to the end of the -line is treated as a comment. Within entries, all lines must be -indented (except for lines with no tokens). 
-Outside entries, no line may be indented (this is to make sure that -the file layout reflects its structure). +line is treated as a comment. .LP An include directive causes the contents of the named file to be processed before continuing with the current file. The filename is subject to 
@@ -153,23 +121,55 @@ directory containing the current file is prepended to the name. The include directive is a line that starts with the word \fBinclude\fP, followed by whitespace, followed by the filename (which must not contain whitespace). +.SS TYPES OF SECRETS +.TP +.B [ ] : PSK +A preshared secret is most conveniently represented as a sequence of +characters, delimited by double-quote characters (\fB"\fP). +The sequence cannot contain a newline or double-quote. +Strictly speaking, the secret is actually the sequence +of bytes that is used in the file to represent the sequence of +characters (excluding the delimiters). +.TP +.B [ ] : RSA [ | %prompt ] +.TQ +.B [ ] : ECDSA [ | %prompt ] +For the private key file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the private key file is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemons to ask the user for the password +whenever it is required to decrypt the key. +.TP +.B : EAP +As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters, +delimited by double-quote characters (\fB"\fP). +.br +\fBEAP\fP secrets are IKEv2 only. +.TP +.B : XAUTH +\fBXAUTH\fP secrets are IKEv1 only. +.TP +.B : PIN | %prompt +The format +.B "%smartcard[[:]]" +is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1, +instead of specifying the pin code statically, +.B %prompt +can be specified, which causes the pluto daemon to ask the user for the pin +code. +.LP + .SH FILES /etc/ipsec.secrets .SH SEE ALSO -The rest of the FreeS/WAN distribution, in particular \fIipsec.conf\fP(5), -\fIipsec\fP(8), -\fIipsec_newhostkey\fP(8), -\fIipsec_rsasigkey\fP(8), -\fIipsec_showhostkey\fP(8), -\fIipsec_auto\fP(8) \fB\-\-rereadsecrets\fP, -and \fIipsec_pluto\fP(8) \fB\-\-listen\fP,. 
+\fIipsec\fP(8) .br -BIND 8.2.2 or later, ftp://ftp.isc.org/isc/bind/src/ .SH HISTORY -Designed for the FreeS/WAN project - -by D. Hugh Redelmeier. +Originally written for the FreeS/WAN project by D. Hugh Redelmeier. +Updated and extended for the strongSwan project by +Tobias Brunner and Andreas Steffen. .SH BUGS If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP; if it is \fB0::0\fP, it will match \fB%any6\fP. diff --git a/src/pluto/ipsec.secrets.5.in b/src/pluto/ipsec.secrets.5.in new file mode 100644 index 000000000..adb915e4d --- /dev/null +++ b/src/pluto/ipsec.secrets.5.in 
@@ -0,0 +1,175 @@ +.TH IPSEC.SECRETS 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan" +.SH NAME +ipsec.secrets \- secrets for IKE/IPsec authentication +.SH DESCRIPTION +The file \fIipsec.secrets\fP holds a table of secrets. +These secrets are used by the strongSwan Internet Key Exchange (IKE) daemons +pluto (IKEv1) and charon (IKEv2) to authenticate other hosts. +.LP +It is vital that these secrets be protected. The file should be owned +by the super-user, +and its permissions should be set to block all access by others. +.LP +The file is a sequence of entries and include directives. +Here is an example. +.LP +.RS +.nf +# /etc/ipsec.secrets - strongSwan IPsec secrets file +192.168.0.1 %any : PSK "v+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL" + +: RSA moonKey.pem + +alice@strongswan.org : EAP "x3.dEhgN" + +: XAUTH carol "4iChxLT3" + +: XAUTH dave "ryftzG4A" + +# get secrets from other files +include ipsec.*.secrets +.fi +.RE +.LP +Each entry in the file is a list of optional ID selectors, followed by a secret. +The two parts are separated by a colon (\fB:\fP) that is surrounded +by whitespace. If no ID selectors are specified the line must start with a +colon. +.LP +A selector is an IP address, a Fully Qualified Domain Name, user@FQDN, +\fB%any\fP or \fB%any6\fP (other kinds may come). An IP address may be written +in the familiar dotted quad form or as a domain name to be looked up +when the file is loaded. +In many cases it is a bad idea to use domain names because +the name server may not be running or may be insecure. To denote a +Fully Qualified Domain Name (as opposed to an IP address denoted by +its domain name), precede the name with an at sign (\fB@\fP). +.LP +Matching IDs with selectors is fairly straightforward: they have to be +equal. 
In the case of a ``Road Warrior'' connection, if an equal +match is not found for the Peer's ID, and it is in the form of an IP +address, a selector of \fB%any\fP will match the peer's IP address if IPV4 +and \fB%any6\fP will match a the peer's IP address if IPV6. +Currently, the obsolete notation \fB0.0.0.0\fP may be used in place of +\fB%any\fP. +.LP +In IKEv1 an additional complexity +arises in the case of authentication by preshared secret: the +responder will need to look up the secret before the Peer's ID payload has +been decoded, so the ID used will be the IP address. +.LP +To authenticate a connection between two hosts, the entry that most +specifically matches the host and peer IDs is used. An entry with no +selectors will match any host and peer. More specifically, an entry with one +selector will match a host and peer if the selector matches the host's ID (the +peer isn't considered). Still more specifically, an entry with multiple +selectors will match a host and peer if the host ID and peer ID each match one +of the selectors. If the key is for an asymmetric authentication technique +(i.e. a public key system such as RSA), an entry with multiple selectors will +match a host and peer even if only the host ID matches a selector (it is +presumed that the selectors are all identities of the host). +It is acceptable for two entries to be the best match as +long as they agree about the secret or private key. +.LP +Authentication by preshared secret requires that both systems find the +identical secret (the secret is not actually transmitted by the IKE +protocol). If both the host and peer appear in the selector list, the +same entry will be suitable for both systems so verbatim copying +between systems can be used. This naturally extends to larger groups +sharing the same secret. Thus multiple-selector entries are best for PSK +authentication. +.LP +Authentication by public key systems such as RSA requires that each host +have its own private key. 
A host could reasonably use a different private keys +for different interfaces and for different peers. But it would not +be normal to share entries between systems. Thus thus no-selector and +one-selector forms of entry often make sense for public key authentication. +.LP +The key part of an entry must start with a token indicating the kind of +key. The following types of secrets are currently supported: +.TP +.B PSK +defines a pre-shared key +.TP +.B RSA +defines an RSA private key +.TP +.B ECDSA +defines an ECDSA private key +.TP +.B EAP +defines EAP credentials +.TP +.B XAUTH +defines XAUTH credentials +.TP +.B PIN +defines a smartcard PIN +.LP +Details on each type of secret are given below. +.LP +Whitespace at the end of a line is ignored. At the start of a line or +after whitespace, \fB#\fP and the following text up to the end of the +line is treated as a comment. +.LP +An include directive causes the contents of the named file to be processed +before continuing with the current file. The filename is subject to +``globbing'' as in \fIsh\fP(1), so every file with a matching name +is processed. Includes may be nested to a modest +depth (10, currently). If the filename doesn't start with a \fB/\fP, the +directory containing the current file is prepended to the name. The +include directive is a line that starts with the word \fBinclude\fP, +followed by whitespace, followed by the filename (which must not contain +whitespace). +.SS TYPES OF SECRETS +.TP +.B [ ] : PSK +A preshared secret is most conveniently represented as a sequence of +characters, delimited by double-quote characters (\fB"\fP). +The sequence cannot contain a newline or double-quote. +Strictly speaking, the secret is actually the sequence +of bytes that is used in the file to represent the sequence of +characters (excluding the delimiters). 
+.TP +.B [ ] : RSA [ | %prompt ] +.TQ +.B [ ] : ECDSA [ | %prompt ] +For the private key file both absolute paths or paths relative to +\fI/etc/ipsec.d/private\fP are accepted. If the private key file is +encrypted, the \fIpassphrase\fP must be defined. Instead of a passphrase +.B %prompt +can be used which then causes the daemons to ask the user for the password +whenever it is required to decrypt the key. +.TP +.B : EAP +As with \fBPSK\fP secrets the \fIsecret\fP is a sequence of characters, +delimited by double-quote characters (\fB"\fP). +.br +\fBEAP\fP secrets are IKEv2 only. +.TP +.B : XAUTH +\fBXAUTH\fP secrets are IKEv1 only. +.TP +.B : PIN | %prompt +The format +.B "%smartcard[[:]]" +is used to specify the smartcard selector (e.g. %smartcard1:50). For IKEv1, +instead of specifying the pin code statically, +.B %prompt +can be specified, which causes the pluto daemon to ask the user for the pin +code. +.LP + +.SH FILES +/etc/ipsec.secrets +.SH SEE ALSO +\fIipsec.conf\fP(5), +\fIipsec\fP(8) +.br +.SH HISTORY +Originally written for the FreeS/WAN project by D. Hugh Redelmeier. +Updated and extended for the strongSwan project by +Tobias Brunner and Andreas Steffen. +.SH BUGS +If an ID is \fB0.0.0.0\fP, it will match \fB%any\fP; +if it is \fB0::0\fP, it will match \fB%any6\fP. diff --git a/src/pluto/ipsec_doi.c b/src/pluto/ipsec_doi.c index 34c42e294..4a6a7c872 100644 --- a/src/pluto/ipsec_doi.c +++ b/src/pluto/ipsec_doi.c @@ -260,7 +260,7 @@ static linked_list_t* collect_rw_ca_candidates(struct msg_digest *md) { new_entry = FALSE; break; - } + } } enumerator->destroy(enumerator); @@ -702,7 +702,7 @@ void accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p) { struct isakmp_delete *d = &(p->payload.delete); - identification_t *this_id, *that_id; + identification_t *this_id = NULL, *that_id = NULL; ip_address peer_addr; size_t sizespi; int i; 
@@ -1568,7 +1568,7 @@ static bool take_a_crack(struct tac_state *s, pubkey_t *kr)
 s->tried_cnt++;
 scheme = oakley_to_signature_scheme(s->st->st_oakley.auth);
- pub_key->get_fingerprint(pub_key, KEY_ID_PUBKEY_INFO_SHA1, &keyid);
+ pub_key->get_fingerprint(pub_key, KEYID_PUBKEY_INFO_SHA1, &keyid);
 if (pub_key->verify(pub_key, scheme, s->hash, s->sig))
 {
@@ -1944,27 +1944,34 @@ stf_status quick_outI1(int whack_sock, struct state *isakmp_sa,
 bool has_client = c->spd.this.has_client || c->spd.that.has_client || c->spd.this.protocol || c->spd.that.protocol || c->spd.this.port || c->spd.that.port;
- bool send_natoa = FALSE;
 u_int8_t np = ISAKMP_NEXT_NONE;
+ connection_t *ph1_c = isakmp_sa->st_connection;
 if (c->spd.this.modecfg && !c->spd.this.has_client &&
- isanyaddr(&c->spd.this.host_srcip))
+ c->spd.this.host_srcip->is_anyaddr(c->spd.this.host_srcip))
 {
- connection_t *ph1_c = isakmp_sa->st_connection;
+ host_t * ph1_srcip = ph1_c->spd.this.host_srcip;
- if (ph1_c->spd.this.modecfg && !isanyaddr(&ph1_c->spd.this.host_srcip))
+ if (ph1_c->spd.this.modecfg && !ph1_srcip->is_anyaddr(ph1_srcip))
 {
- char srcip[ADDRTOT_BUF];
-
- c->spd.this.host_srcip = ph1_c->spd.this.host_srcip;
+ c->spd.this.host_srcip->destroy(c->spd.this.host_srcip);
+ c->spd.this.host_srcip = ph1_srcip->clone(ph1_srcip);
 c->spd.this.client = ph1_c->spd.this.client;
 c->spd.this.has_client = TRUE;
- addrtot(&c->spd.this.host_srcip, 0, srcip, sizeof(srcip));
- plog("inheriting virtual IP source address %s from ModeCfg", srcip);
+ plog("inheriting virtual IP source address %H from ModeCfg", ph1_srcip);
 }
 }
+ if (ph1_c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+ ph1_c->xauth_identity && !c->xauth_identity)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("inheriting XAUTH identity %Y", ph1_c->xauth_identity)
+ )
+ c->xauth_identity = ph1_c->xauth_identity->clone(ph1_c->xauth_identity);
+ }
+
 st->st_whack_sock = whack_sock;
 st->st_connection = c;
 set_cur_state(st); /* we must reset before exit */
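Review bot: The XAUTH-identity inheritance block added at the end of this hunk is repeated verbatim in quick_inI1_outR1_tail (the hunk at new line 4901 in this diff), differing only in which connection is the source and which the destination, so the policy test and the clone should live in one static helper, as below. The helper is the hunk's own logic, so behaviour does not change. `ph1_c` is now also dereferenced unconditionally rather than only inside the modecfg branch, which is fine if `isakmp_sa->st_connection` is always set at this point — a one-line comment saying so would help the next reader. quick_outI1 starts and ends outside the hunk.
```c
/* Copy the XAUTH identity of the ISAKMP SA's connection to the new
 * connection when XAUTH is in use and the destination has none yet. */
static void inherit_xauth_identity(connection_t *dst, const connection_t *src)
{
	if ((src->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK)) &&
		src->xauth_identity && !dst->xauth_identity)
	{
		DBG(DBG_CONTROL,
			DBG_log("inheriting XAUTH identity %Y", src->xauth_identity)
		)
		dst->xauth_identity = src->xauth_identity->clone(src->xauth_identity);
	}
}

/* … in quick_outI1, in place of the inline block … */
	inherit_xauth_identity(c, ph1_c);
```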
@@ -3535,7 +3542,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 struct state *const st = md->st;
 pb_stream *const keyex_pbs = &md->chain[ISAKMP_NEXT_KE]->pbs;
 pb_stream id_pbs; /* ID Payload; also used for hash calculation */
-
+
 connection_t *c = st->st_connection;
 certpolicy_t cert_policy = c->spd.this.sendcert;
 cert_t *mycert = c->spd.this.cert;
@@ -3638,7 +3645,7 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 }
 if (send_cert)
 {
- bool success;
+ bool success = FALSE;
 chunk_t cert_encoding;
 pb_stream cert_pbs;
@@ -3650,9 +3657,12 @@ stf_status main_inR2_outI3(struct msg_digest *md)
 {
 return STF_INTERNAL_ERROR;
 }
- cert_encoding = mycert->cert->get_encoding(mycert->cert);
- success = out_chunk(cert_encoding, &cert_pbs, "CERT");
- free(cert_encoding.ptr);
+ if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+ &cert_encoding))
+ {
+ success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+ free(cert_encoding.ptr);
+ }
 if (!success)
 {
 return STF_INTERNAL_ERROR;
@@ -4079,7 +4089,7 @@ main_inI3_outR3_tail(struct msg_digest *md
 }
 if (send_cert)
 {
- bool success;
+ bool success = FALSE;
 chunk_t cert_encoding;
 pb_stream cert_pbs;
 struct isakmp_cert cert_hd;
@@ -4091,9 +4101,12 @@ main_inI3_outR3_tail(struct msg_digest *md
 {
 return STF_INTERNAL_ERROR;
 }
- cert_encoding = mycert->cert->get_encoding(mycert->cert);
- success = out_chunk(cert_encoding, &cert_pbs, "CERT");
- free(cert_encoding.ptr);
+ if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER,
+ &cert_encoding))
+ {
+ success = out_chunk(cert_encoding, &cert_pbs, "CERT");
+ free(cert_encoding.ptr);
+ }
 if (!success)
 {
 return STF_INTERNAL_ERROR;
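Review bot: The new get_encoding() block guarded by `success` is pasted identically into main_inR2_outI3 and main_inI3_outR3_tail (the hunks at new lines 3657 and 4101); a static helper taking the cert and the already opened sub-stream, as below, keeps it in one place. In both copies a failed get_encoding() falls through to `return STF_INTERNAL_ERROR` with no log line, so an operator only ever sees a generic internal error; the helper logs the cause before returning. Both enclosing functions start and end outside the hunks.
```c
/* DER-encode mycert into the already opened CERT sub-stream; FALSE on failure. */
static bool out_cert_encoding(cert_t *mycert, pb_stream *cert_pbs)
{
	chunk_t cert_encoding;
	bool success = FALSE;

	if (mycert->cert->get_encoding(mycert->cert, CERT_ASN1_DER, &cert_encoding))
	{
		success = out_chunk(cert_encoding, cert_pbs, "CERT");
		free(cert_encoding.ptr);
	}
	else
	{
		plog("unable to DER-encode certificate for CERT payload");
	}
	return success;
}
/* … unchanged: callers replace the inline block with success = out_cert_encoding(mycert, &cert_pbs); … */
```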
@@ -4888,23 +4901,32 @@ static stf_status quick_inI1_outR1_tail(struct verify_oppo_bundle *b,
 /* Plain Road Warrior:
 * instantiate, carrying over authenticated peer ID */
+ host_t *vip = c->spd.that.host_srcip;
+
 p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port , his_net, c->spd.that.id);
- /* inherit any virtual IP assigned by a Mode Config exchange */
+ /* inherit any virtual IP assigned by a Mode Config exchange */
 if (p->spd.that.modecfg && c->spd.that.modecfg &&
- subnetisaddr(his_net, &c->spd.that.host_srcip))
+ subnetisaddr(his_net, (ip_address*)vip->get_sockaddr(vip)))
 {
- char srcip[ADDRTOT_BUF];
-
 DBG(DBG_CONTROL,
- addrtot(&c->spd.that.host_srcip, 0, srcip, sizeof(srcip));
- DBG_log("inheriting virtual IP source address %s from ModeCfg", srcip)
+ DBG_log("inheriting virtual IP source address %H from ModeCfg", vip)
 )
- p->spd.that.host_srcip = c->spd.that.host_srcip;
+ p->spd.that.host_srcip->destroy(p->spd.that.host_srcip);
+ p->spd.that.host_srcip = vip->clone(vip);
 p->spd.that.client = c->spd.that.client;
 p->spd.that.has_client = TRUE;
 }
+
+ if (c->policy & (POLICY_XAUTH_RSASIG | POLICY_XAUTH_PSK) &&
+ c->xauth_identity && !p->xauth_identity)
+ {
+ DBG(DBG_CONTROL,
+ DBG_log("inheriting XAUTH identity %Y", c->xauth_identity)
+ )
+ p->xauth_identity = c->xauth_identity->clone(c->xauth_identity);
+ }
 }
 }
 #ifdef DEBUG
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index ee22fb55e..dd7ed8893 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -464,9 +464,11 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 peerclientnet_str[ADDRTOT_BUF],
 peerclientmask_str[ADDRTOT_BUF],
 peerca_str[BUF_LEN],
+ xauth_id_str[BUF_LEN] = "",
 secure_myid_str[BUF_LEN] = "",
 secure_peerid_str[BUF_LEN] = "",
- secure_peerca_str[BUF_LEN] = "";
+ secure_peerca_str[BUF_LEN] = "",
+ secure_xauth_id_str[BUF_LEN] = "";
 ip_address ta;
 pubkey_list_t *p;
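Review bot: `subnetisaddr(his_net, (ip_address*)vip->get_sockaddr(vip))` reinterprets the sockaddr returned by host_t as pluto's `ip_address`; that only works if host_t's internal address storage and the `ip_address` union are laid out identically, and reading through the cast pointer is a strict-aliasing violation the optimizer is allowed to exploit. If the layouts are known to match, say so at the cast, e.g. `/* host_t keeps a sockaddr_in/sockaddr_in6 union, layout-compatible with ip_address */`; otherwise convert through a helper that builds an ip_address from the host_t. The XAUTH-identity block at the end of the hunk duplicates the one added in quick_outI1 (see that hunk). quick_inI1_outR1_tail continues outside the hunk.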
@@ -483,16 +485,14 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 strncat(nexthop_str, "' ", sizeof(nexthop_str));
 }
- if (addrbytesptr(&sr->this.host_srcip, NULL)
- && !isanyaddr(&sr->this.host_srcip))
+ if (!sr->this.host_srcip->is_anyaddr(sr->this.host_srcip))
 {
 char *n;
 strcpy(srcip_str, "PLUTO_MY_SOURCEIP='");
 n = srcip_str + strlen(srcip_str);
-
- addrtot(&sr->this.host_srcip, 0
- ,n , sizeof(srcip_str)-strlen(srcip_str));
+ snprintf(n, sizeof(srcip_str)-strlen(srcip_str), "%H",
+ sr->this.host_srcip);
 strncat(srcip_str, "' ", sizeof(srcip_str));
 }
@@ -505,6 +505,16 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 maskof(&sr->this.client, &ta);
 addrtot(&ta, 0, myclientmask_str, sizeof(myclientmask_str));
+ if (c->xauth_identity &&
+ c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
+ {
+ snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity);
+ escape_metachar(xauth_id_str, secure_xauth_id_str,
+ sizeof(secure_xauth_id_str));
+ snprintf(xauth_id_str, sizeof(xauth_id_str), "PLUTO_XAUTH_ID='%s' ",
+ secure_xauth_id_str);
+ }
+
 addrtot(&sr->that.host_addr, 0, peer_str, sizeof(peer_str));
 snprintf(peerid_str, sizeof(peerid_str), "%Y", sr->that.id);
 escape_metachar(peerid_str, secure_peerid_str, sizeof(secure_peerid_str));
@@ -562,6 +572,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 "PLUTO_PEER_PROTOCOL='%u' "
 "PLUTO_PEER_CA='%s' "
 "%s" /* optional PLUTO_MY_SRCIP */
+ "%s" /* optional PLUTO_XAUTH_ID */
 "%s" /* actual script */
 , verb, verb_suffix
 , c->name
@@ -585,6 +596,7 @@ static bool do_command(connection_t *c, struct spd_route *sr,
 , sr->that.protocol
 , secure_peerca_str
 , srcip_str
+ , xauth_id_str
 , sr->this.updown == NULL? DEFAULT_UPDOWN : sr->this.updown))
 {
 loglog(RC_LOG_SERIOUS, "%s%s command too long!", verb, verb_suffix);
diff --git a/src/pluto/keys.c b/src/pluto/keys.c
index 8cf28ace1..6db757ba7 100644
--- a/src/pluto/keys.c
+++ b/src/pluto/keys.c
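Review bot: The PLUTO_XAUTH_ID value is a peer-supplied identity that ends up on the shell command line for the updown script; escaping it with escape_metachar() like the peer ID is right, but neither snprintf() return value is checked, so an identity whose escaped form does not fit BUF_LEN is silently truncated and the second snprintf() can drop the closing `' `, leaving an unbalanced quote in the command (the later "command too long" check only covers the assembled string). Check the length and refuse to run the script instead of truncating, as below; if escape_metachar() cannot guarantee a well-formed result when its output is cut short, the first `%Y` snprintf() deserves the same check. The pre-existing peerid_str code just below has the same shape. do_command starts and ends outside the hunks.
```c
/* … unchanged: PLUTO_MY_SOURCEIP handling … */
if (c->xauth_identity &&
	c->xauth_identity->get_type(c->xauth_identity) != ID_ANY)
{
	int len;

	snprintf(xauth_id_str, sizeof(xauth_id_str), "%Y", c->xauth_identity);
	escape_metachar(xauth_id_str, secure_xauth_id_str,
					sizeof(secure_xauth_id_str));
	len = snprintf(xauth_id_str, sizeof(xauth_id_str), "PLUTO_XAUTH_ID='%s' ",
				   secure_xauth_id_str);
	if (len < 0 || (size_t)len >= sizeof(xauth_id_str))
	{
		/* a truncated value could leave an unbalanced quote in the command */
		loglog(RC_LOG_SERIOUS, "XAUTH identity too long for updown script");
		return FALSE;
	}
}
/* … unchanged: peer address and peer ID handling … */
```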
@@ -53,25 +53,26 @@
 #include "whack.h" /* for RC_LOG_SERIOUS */
 #include "timer.h"
 #include "fetch.h"
-#include "xauth.h"
 const char *shared_secrets_file = SHARED_SECRETS_FILE;
-typedef struct id_list id_list_t;
-struct id_list {
- identification_t *id;
- id_list_t *next;
+typedef enum secret_kind_t secret_kind_t;
+
+enum secret_kind_t {
+ SECRET_PSK,
+ SECRET_PUBKEY,
+ SECRET_XAUTH,
+ SECRET_PIN
 };
-typedef struct secret secret_t;
+typedef struct secret_t secret_t;
-struct secret {
- id_list_t *ids;
- enum PrivateKeyKind kind;
+struct secret_t {
+ linked_list_t *ids;
+ secret_kind_t kind;
 union {
 chunk_t preshared_secret;
- xauth_t xauth_secret;
 private_key_t *private_key;
 smartcard_t *smartcard;
 } u;
@@ -92,12 +93,11 @@ static void free_public_key(pubkey_t *pk)
 secret_t *secrets = NULL;
-/* find the struct secret associated with the combination of
- * me and the peer. We match the Id (if none, the IP address).
- * Failure is indicated by a NULL.
+/**
+ * Find the secret associated with the combination of me and the peer.
 */
-static const secret_t* get_secret(const connection_t *c,
- enum PrivateKeyKind kind, bool asym)
+const secret_t* match_secret(identification_t *my_id, identification_t *his_id,
+ secret_kind_t kind)
 {
 enum { /* bits */
 match_default = 0x01,
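Review bot: In the second hunk `match_secret` loses its `static` and becomes a global symbol, but `secret_t` stays private to keys.c and the keys.h hunk later in this diff adds no prototype for it, so nothing outside this file can call it and `-Wmissing-prototypes` will flag it. Its only callers visible in this diff (get_xauth_secret and the rewritten get_secret) are in this file, so `static const secret_t* match_secret(identification_t *my_id, identification_t *his_id, secret_kind_t kind)` is the right signature. The new doc comment could also say how the two identities are used for XAUTH, e.g. `/* For SECRET_XAUTH, my_id is the user name and his_id the server identity. */`. The function body continues outside the hunk.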
@@ -106,128 +106,92 @@ static const secret_t* get_secret(const connection_t *c, }; unsigned int best_match = 0; - secret_t *best = NULL; - secret_t *s; - identification_t *my_id, *his_id; + secret_t *s, *best = NULL; - /* is there a certificate assigned to this connection? */ - if (kind == PPK_PUBKEY && c->spd.this.cert) + for (s = secrets; s != NULL; s = s->next) { - certificate_t *certificate = c->spd.this.cert->cert; + unsigned int match = 0; - public_key_t *pub_key = certificate->get_public_key(certificate); - - for (s = secrets; s != NULL; s = s->next) + if (s->kind != kind) { - if (s->kind == kind && - s->u.private_key->belongs_to(s->u.private_key, pub_key)) - { - best = s; - break; /* we have found the private key - no sense in searching further */ - } + continue; } - pub_key->destroy(pub_key); - return best; - } - - my_id = c->spd.this.id; - - if (his_id_was_instantiated(c)) - { - /* roadwarrior: replace him with 0.0.0.0 */ - his_id = identification_create_from_string("%any"); - } - else if (kind == PPK_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) && - ((c->kind == CK_TEMPLATE && - c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) || - (c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id)))) - { - /* roadwarrior: replace him with 0.0.0.0 */ - his_id = identification_create_from_string("%any"); - } - else - { - his_id = c->spd.that.id->clone(c->spd.that.id); - } - for (s = secrets; s != NULL; s = s->next) - { - if (s->kind == kind) + if (s->ids->get_count(s->ids) == 0) + { + /* a default (signified by lack of ids): + * accept if no more specific match found + */ + match = match_default; + } + else { - unsigned int match = 0; + /* check if both ends match ids */ + enumerator_t *enumerator; + identification_t *id; - if (s->ids == NULL) - { - /* a default (signified by lack of ids): - * accept if no more specific match found - */ - match = match_default; - } - else + enumerator = s->ids->create_enumerator(s->ids); + while 
(enumerator->enumerate(enumerator, &id)) { - /* check if both ends match ids */ - id_list_t *i; - - for (i = s->ids; i != NULL; i = i->next) + if (my_id->equals(my_id, id)) { - if (my_id->equals(my_id, i->id)) - { - match |= match_me; - } - if (his_id->equals(his_id, i->id)) - { - match |= match_him; - } + match |= match_me; } - - /* If our end matched the only id in the list, - * default to matching any peer. - * A more specific match will trump this. - */ - if (match == match_me && s->ids->next == NULL) + if (his_id->equals(his_id, id)) { - match |= match_default; + match |= match_him; } } + enumerator->destroy(enumerator); - switch (match) + /* If our end matched the only id in the list, + * default to matching any peer. + * A more specific match will trump this. + */ + if (match == match_me && s->ids->get_count(s->ids) == 1) { + match |= match_default; + } + } + + switch (match) + { case match_me: /* if this is an asymmetric (eg. public key) system, * allow this-side-only match to count, even if * there are other ids in the list. */ - if (!asym) + if (kind != SECRET_PUBKEY) { break; } /* FALLTHROUGH */ - case match_default: /* default all */ - case match_me | match_default: /* default peer */ - case match_me | match_him: /* explicit */ + case match_default: /* default all */ + case match_me | match_default: /* default peer */ + case match_me | match_him: /* explicit */ if (match == best_match) { - /* two good matches are equally good: - * do they agree? - */ + /* two good matches are equally good: do they agree? 
*/ bool same = FALSE; switch (kind) { - case PPK_PSK: - same = s->u.preshared_secret.len == best->u.preshared_secret.len - && memeq(s->u.preshared_secret.ptr, best->u.preshared_secret.ptr, s->u.preshared_secret.len); + case SECRET_PSK: + case SECRET_XAUTH: + same = chunk_equals(s->u.preshared_secret, + best->u.preshared_secret); break; - case PPK_PUBKEY: - same = s->u.private_key->equals(s->u.private_key, best->u.private_key); + case SECRET_PUBKEY: + same = s->u.private_key->equals(s->u.private_key, + best->u.private_key); break; default: bad_case(kind); } if (!same) { - loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with distinct secrets match endpoints:" - " first secret used"); + loglog(RC_LOG_SERIOUS, "multiple ipsec.secrets entries with " + "distinct secrets match endpoints: first secret used"); best = s; /* list is backwards: take latest in list */ } } 
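Review bot: In the `match == best_match` tie-break, `switch (kind)` covers SECRET_PSK, SECRET_XAUTH and SECRET_PUBKEY and sends everything else to `bad_case(kind)`, so SECRET_PIN is the one value of the new enum this rewritten switch does not handle; no caller in this diff passes SECRET_PIN to match_secret yet, but the first one that does will reach bad_case() — fatal, if it behaves here as it does elsewhere in pluto — as soon as two PIN entries tie, i.e. from nothing more than a secrets-file edit. `case SECRET_PIN: same = FALSE; break;` would route that case to the existing "multiple ipsec.secrets entries ... first secret used" warning instead. match_secret's signature is in the previous hunk, so the function starts outside this one.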
@@ -237,9 +201,63 @@ static const secret_t* get_secret(const connection_t *c,
 best_match = match;
 best = s;
 }
- }
 }
 }
+ return best;
+}
+
+/**
+ * Retrieves an XAUTH secret primarily based on the user ID and
+ * secondarily based on the server ID
+ */
+bool get_xauth_secret(identification_t *user, identification_t *server,
+ chunk_t *secret)
+{
+ const secret_t *s;
+
+ s = match_secret(user, server, SECRET_XAUTH);
+ if (s)
+ {
+ *secret = chunk_clone(s->u.preshared_secret);
+ return TRUE;
+ }
+ else
+ {
+ *secret = chunk_empty;
+ return FALSE;
+ }
+}
+
+/**
+ * We match the ID (if none, the IP address). Failure is indicated by a NULL.
+ */
+static const secret_t* get_secret(const connection_t *c, secret_kind_t kind)
+{
+ identification_t *my_id, *his_id;
+ const secret_t *best;
+
+ my_id = c->spd.this.id;
+
+ if (his_id_was_instantiated(c))
+ {
+ /* roadwarrior: replace him with 0.0.0.0 */
+ his_id = identification_create_from_string("%any");
+ }
+ else if (kind == SECRET_PSK && (c->policy & (POLICY_PSK | POLICY_XAUTH_PSK)) &&
+ ((c->kind == CK_TEMPLATE &&
+ c->spd.that.id->get_type(c->spd.that.id) == ID_ANY) ||
+ (c->kind == CK_INSTANCE && id_is_ipaddr(c->spd.that.id))))
+ {
+ /* roadwarrior: replace him with 0.0.0.0 */
+ his_id = identification_create_from_string("%any");
+ }
+ else
+ {
+ his_id = c->spd.that.id->clone(c->spd.that.id);
+ }
+
+ best = match_secret(my_id, his_id, kind);
+ his_id->destroy(his_id);
 return best;
 }
@@ -250,7 +268,7 @@ static const secret_t* get_secret(const connection_t *c,
 */
 const chunk_t* get_preshared_secret(const connection_t *c)
 {
- const secret_t *s = get_secret(c, PPK_PSK, FALSE);
+ const secret_t *s = get_secret(c, SECRET_PSK);
 DBG(DBG_PRIVATE,
 if (s == NULL)
@@ -272,7 +290,7 @@ bool has_private_key(cert_t *cert)
 for (s = secrets; s != NULL; s = s->next)
 {
- if (s->kind == PPK_PUBKEY &&
+ if (s->kind == SECRET_PUBKEY &&
 s->u.private_key->belongs_to(s->u.private_key, pub_key))
 {
 has_key = TRUE;
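Review bot: get_xauth_secret hands the caller a `chunk_clone()` of the password, but its comment says nothing about ownership or about the copy being a credential; document that the caller owns `*secret` and should release it with `chunk_clear(secret)` so the bytes are wiped rather than left in freed heap, and that on failure `*secret` is `chunk_empty`. The comment should also spell out the matching rule that match_secret applies here: `user` is matched as "me" and `server` as "him", so an entry whose only selector is the user name is accepted for any server. Suggested header: `/** Look up the XAUTH password for user (matched as my_id) against server (his_id). On success *secret is a clone the caller must release with chunk_clear(); on failure it is chunk_empty. */`. get_xauth_secret and the new get_secret are both complete within the hunk.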
@@ -295,7 +313,7 @@ private_key_t* get_x509_private_key(const cert_t *cert)
 for (s = secrets; s != NULL; s = s->next)
 {
- if (s->kind == PPK_PUBKEY &&
+ if (s->kind == SECRET_PUBKEY &&
 s->u.private_key->belongs_to(s->u.private_key, public_key))
 {
 private_key = s->u.private_key;
@@ -311,9 +329,33 @@ private_key_t* get_x509_private_key(const cert_t *cert)
 */
 private_key_t* get_private_key(const connection_t *c)
 {
- const secret_t *s = get_secret(c, PPK_PUBKEY, TRUE);
+ const secret_t *s, *best = NULL;
+
+ /* is a certificate assigned to this connection? */
+ if (c->spd.this.cert)
+ {
+ certificate_t *certificate;
+ public_key_t *pub_key;
- return s == NULL? NULL : s->u.private_key;
+ certificate = c->spd.this.cert->cert;
+ pub_key = certificate->get_public_key(certificate);
+
+ for (s = secrets; s != NULL; s = s->next)
+ {
+ if (s->kind == SECRET_PUBKEY &&
+ s->u.private_key->belongs_to(s->u.private_key, pub_key))
+ {
+ best = s;
+ break; /* found the private key - no sense in searching further */
+ }
+ }
+ pub_key->destroy(pub_key);
+ }
+ else
+ {
+ best = get_secret(c, SECRET_PUBKEY);
+ }
+ return best ? best->u.private_key : NULL;
 }
 /* digest a secrets file
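Review bot: In the second hunk `pub_key = certificate->get_public_key(certificate)` is passed to `belongs_to()` and then `pub_key->destroy(pub_key)` without a NULL check; libstrongswan's certificate_t.get_public_key() returns NULL when no key is available, and this path runs for every connection that has a certificate assigned. The code is moved rather than new, but it is now the only place the lookup happens, so guard it with `if (pub_key == NULL) { return NULL; }` before the loop (or fall back to get_secret() in that case). get_private_key is complete within the hunk.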
@@ -555,120 +597,6 @@ static err_t process_keyfile(private_key_t **key, key_type_t type, int whackfd) return *key ? NULL : "Private key file -- could not be loaded"; } -/** - * Process xauth secret read from ipsec.secrets - */ -static err_t process_xauth(secret_t *s) -{ - chunk_t user_name; - - s->kind = PPK_XAUTH; - - if (!shift()) - return "missing xauth user name"; - if (*tok == '"' || *tok == '\'') /* quoted user name */ - { - user_name.ptr = tok + 1; - user_name.len = flp->cur - tok - 2; - } - else - { - user_name.ptr = tok; - user_name.len = flp->cur - tok; - } - plog(" loaded xauth credentials of user '%.*s'" - , user_name.len - , user_name.ptr); - s->u.xauth_secret.user_name = chunk_clone(user_name); - - if (!shift()) - return "missing xauth user password"; - return process_psk_secret(&s->u.xauth_secret.user_password); -} - -/** - * Get XAUTH secret from chained secrets lists - * only one entry is currently supported - */ -static bool xauth_get_secret(xauth_t *xauth_secret) -{ - secret_t *s; - bool found = FALSE; - - for (s = secrets; s != NULL; s = s->next) - { - if (s->kind == PPK_XAUTH) - { - if (found) - { - plog("found multiple xauth secrets - first selected"); - } - else - { - found = TRUE; - *xauth_secret = s->u.xauth_secret; - } - } - } - return found; -} - -/** - * find a matching secret - */ -static bool xauth_verify_secret(const xauth_peer_t *peer, - const xauth_t *xauth_secret) -{ - bool found = FALSE; - secret_t *s; - - for (s = secrets; s != NULL; s = s->next) - { - if (s->kind == PPK_XAUTH) - { - if (!chunk_equals(xauth_secret->user_name, s->u.xauth_secret.user_name)) - { - continue; - } - found = TRUE; - if (chunk_equals(xauth_secret->user_password, s->u.xauth_secret.user_password)) - { - return TRUE; - } - } - } - plog("xauth user '%.*s' %s" - , xauth_secret->user_name.len, xauth_secret->user_name.ptr - , found? 
"sent wrong password":"not found"); - return FALSE; -} - -/** - * the global xauth_module struct is defined here - */ -xauth_module_t xauth_module; - -/** - * Assign the default xauth functions to any null function pointers - */ -void xauth_defaults(void) -{ - if (xauth_module.get_secret == NULL) - { - DBG(DBG_CONTROL, - DBG_log("xauth module: using default get_secret() function") - ) - xauth_module.get_secret = xauth_get_secret; - } - if (xauth_module.verify_secret == NULL) - { - DBG(DBG_CONTROL, - DBG_log("xauth module: using default verify_secret() function") - ) - xauth_module.verify_secret = xauth_verify_secret; - } -}; - /** * Process pin read from ipsec.secrets or prompted for it using whack */ @@ -677,7 +605,7 @@ static err_t process_pin(secret_t *s, int whackfd) smartcard_t *sc; const char *pin_status = "no pin"; - s->kind = PPK_PIN; + s->kind = SECRET_PIN; /* looking for the smartcard keyword */ if (!shift() || strncmp(tok, SCX_TOKEN, strlen(SCX_TOKEN)) != 0) 
@@ -748,57 +676,69 @@ static err_t process_pin(secret_t *s, int whackfd)
 return NULL;
 }
-static void log_psk(secret_t *s)
+static void log_psk(char *label, secret_t *s)
 {
 int n = 0;
 char buf[BUF_LEN];
- id_list_t *id_list = s->ids;
+ enumerator_t *enumerator;
+ identification_t *id;
- if (id_list == NULL)
+ if (s->ids->get_count(s->ids) == 0)
 {
 n = snprintf(buf, BUF_LEN, "%%any");
 }
 else
 {
- do
+ enumerator = s->ids->create_enumerator(s->ids);
+ while(enumerator->enumerate(enumerator, &id))
 {
- n += snprintf(buf + n, BUF_LEN - n, "%Y ", id_list->id);
+ n += snprintf(buf + n, BUF_LEN - n, "%Y ", id);
 if (n >= BUF_LEN)
 {
 n = BUF_LEN - 1;
 break;
 }
- id_list = id_list->next;
 }
- while (id_list);
+ enumerator->destroy(enumerator);
 }
- plog(" loaded shared key for %.*s", n, buf);
+ plog(" loaded %s secret for %.*s", label, n, buf);
 }
 static void process_secret(secret_t *s, int whackfd)
 {
 err_t ugh = NULL;
- s->kind = PPK_PSK; /* default */
+ s->kind = SECRET_PSK; /* default */
 if (*tok == '"' || *tok == '\'')
 {
+ log_psk("PSK", s);
+
 /* old PSK format: just a string */
- log_psk(s);
 ugh = process_psk_secret(&s->u.preshared_secret);
 }
 else if (tokeqword("psk"))
 {
+ log_psk("PSK", s);
+
 /* preshared key: quoted string or ttodata format */
- log_psk(s);
 ugh = !shift()? "unexpected end of record in PSK"
 : process_psk_secret(&s->u.preshared_secret);
 }
+ else if (tokeqword("xauth"))
+ {
+ s->kind = SECRET_XAUTH;
+ log_psk("XAUTH", s);
+
+ /* xauth secret: quoted string or ttodata format */
+ ugh = !shift()? "unexpected end of record in XAUTH"
+ : process_psk_secret(&s->u.preshared_secret);
+ }
 else if (tokeqword("rsa"))
 {
 /* RSA key: the fun begins.
 * A braced list of keyword and value pairs. */
- s->kind = PPK_PUBKEY;
+ s->kind = SECRET_PUBKEY;
 if (!shift())
 {
 ugh = "bad RSA key syntax";
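Review bot: `log_psk(char *label, secret_t *s)` is only ever passed string literals (`"PSK"`, `"XAUTH"`), so the parameter should be `const char *label`; a non-const `char *` for a literal invites a -Wwrite-strings warning and suggests the label may be modified. Separately, the new `xauth` branch reads the password immediately after the `xauth` keyword, so the user name has to be an ID selector before the colon (`carol : XAUTH "..."`), whereas the example in the new ipsec.secrets.5.in earlier in this diff shows `: XAUTH carol "4iChxLT3"`; unless process_psk_secret() accepts that form, one of the two needs fixing. process_secret continues outside the hunk.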
@@ -814,7 +754,7 @@ static void process_secret(secret_t *s, int whackfd)
 }
 else if (tokeqword("ecdsa"))
 {
- s->kind = PPK_PUBKEY;
+ s->kind = SECRET_PUBKEY;
 if (!shift())
 {
 ugh = "bad ECDSA key syntax";
@@ -824,10 +764,6 @@ static void process_secret(secret_t *s, int whackfd)
 ugh = process_keyfile(&s->u.private_key, KEY_ECDSA, whackfd);
 }
 }
- else if (tokeqword("xauth"))
- {
- ugh = process_xauth(s);
- }
 else if (tokeqword("pin"))
 {
 ugh = process_pin(s, whackfd);
@@ -919,8 +855,8 @@ static void process_secret_records(int whackfd)
 secret_t *s = malloc_thing(secret_t);
 zero(s);
- s->ids = NULL;
- s->kind = PPK_PSK; /* default */
+ s->ids = linked_list_create();
+ s->kind = SECRET_PSK; /* default */
 s->u.preshared_secret = chunk_empty;
 s->next = NULL;
@@ -941,14 +877,10 @@ static void process_secret_records(int whackfd)
 }
 else
 {
- /* an id
- * See RFC2407 IPsec Domain of Interpretation 4.6.2
- */
- id_list_t *i = malloc_thing(id_list_t);
+ identification_t *id;
- i->id = identification_create_from_string(tok);
- i->next = s->ids;
- s->ids = i;
+ id = identification_create_from_string(tok);
+ s->ids->insert_last(s->ids, id);
 if (!shift())
 {
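Review bot: The last hunk drops the only comment explaining what the token is (the RFC 2407 section 4.6.2 reference) without a replacement; keep something like `/* an ID selector, see RFC 2407 section 4.6.2 */` above `id = identification_create_from_string(tok);`. Note also that `insert_last` keeps selectors in file order where the removed code prepended them; match_secret only ORs match bits and counts entries, so this only changes the order in log_psk's output, which is worth a word in the commit or a comment if anyone relies on it. process_secret_records continues outside the hunk.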
@@ -1035,32 +967,23 @@ void free_preshared_secrets(void) for (s = secrets; s != NULL; s = ns) { - id_list_t *i, *ni; - ns = s->next; - for (i = s->ids; i != NULL; i = ni) - { - ni = i->next; - i->id->destroy(i->id); - free(i); - } + s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); + switch (s->kind) { - case PPK_PSK: - free(s->u.preshared_secret.ptr); - break; - case PPK_PUBKEY: - DESTROY_IF(s->u.private_key); - break; - case PPK_XAUTH: - free(s->u.xauth_secret.user_name.ptr); - free(s->u.xauth_secret.user_password.ptr); - break; - case PPK_PIN: - scx_release(s->u.smartcard); - break; - default: - bad_case(s->kind); + case SECRET_PSK: + case SECRET_XAUTH: + free(s->u.preshared_secret.ptr); + break; + case SECRET_PUBKEY: + DESTROY_IF(s->u.private_key); + break; + case SECRET_PIN: + scx_release(s->u.smartcard); + break; + default: + bad_case(s->kind); } free(s); } @@ -1315,7 +1238,7 @@ void add_public_key_from_cert(cert_t *cert , time_t until, /* insert all subjectAltNames from X.509 certificates */ enumerator = x509->create_subjectAltName_enumerator(x509); - while (enumerator->enumerate(enumerator, &id)) + while (enumerator->enumerate(enumerator, &id)) { if (id->get_type(id) != ID_ANY) { @@ -1404,7 +1327,7 @@ void list_public_keys(bool utc) public->get_keysize(public) * BITS_PER_BYTE, &key->until_time, utc, check_expiry(key->until_time, PUBKEY_WARNING_INTERVAL, TRUE)); - if (public->get_fingerprint(public, KEY_ID_PUBKEY_INFO_SHA1, &keyid)) + if (public->get_fingerprint(public, KEYID_PUBKEY_INFO_SHA1, &keyid)) { whack_log(RC_COMMENT," keyid: %#B", &keyid); } diff --git a/src/pluto/keys.h b/src/pluto/keys.h index d856c0009..73cc21392 100644 --- a/src/pluto/keys.h +++ b/src/pluto/keys.h @@ -21,6 +21,7 @@ #include #include "certs.h" +#include "connections.h" #ifndef SHARED_SECRETS_FILE # define SHARED_SECRETS_FILE IPSEC_CONFDIR "/ipsec.secrets" 
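Review bot: In `free_preshared_secrets`, the merged `SECRET_PSK`/`SECRET_XAUTH` case releases the key bytes with a plain `free(s->u.preshared_secret.ptr)`, so the PSK or XAUTH password stays readable in freed heap memory until it is reused. The buffer is owned here, so wiping it before release is cheap: `chunk_clear(&s->u.preshared_secret);` from libstrongswan zeroes and frees the chunk in one call. This matters slightly more now that the XAUTH password shares the `preshared_secret` member and so also takes this path.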
@@ -31,20 +32,12 @@ const char *shared_secrets_file; extern void load_preshared_secrets(int whackfd); extern void free_preshared_secrets(void); -enum PrivateKeyKind { - PPK_PSK, - PPK_PUBKEY, - PPK_XAUTH, - PPK_PIN -}; - extern void xauth_defaults(void); -/* forward declaration */ -struct connection; - -extern const chunk_t *get_preshared_secret(const struct connection *c); -extern private_key_t *get_private_key(const struct connection *c); +extern bool get_xauth_secret(identification_t *user, identification_t *server, + chunk_t *secret); +extern const chunk_t *get_preshared_secret(const connection_t *c); +extern private_key_t *get_private_key(const connection_t *c); extern private_key_t *get_x509_private_key(const cert_t *cert); /* public key machinery */ diff --git a/src/pluto/modecfg.c b/src/pluto/modecfg.c index 0c4f2bd6b..0d0cd899c 100644 --- a/src/pluto/modecfg.c +++ b/src/pluto/modecfg.c @@ -2,7 +2,7 @@ * Copyright (C) 2001-2002 Colubris Networks * Copyright (C) 2003 Sean Mathews - Nu Tech Software Solutions, inc. * Copyright (C) 2003-2004 Xelerance Corporation - * Copyright (C) 2006-2009 Andreas Steffen - Hochschule fuer Technik Rapperswil + * Copyright (C) 2006-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -27,7 +27,7 @@ #include #include -#include +#include #include #include "constants.h" 
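Review bot: The new `get_xauth_secret(identification_t *user, identification_t *server, chunk_t *secret)` declaration in keys.h carries no comment, and nothing in this diff says whether `*secret` is a reference into the secrets store or a copy the caller must free, nor what the `bool` result means. A short comment above it would settle that, e.g. `/* Look up the XAUTH secret for user/server; returns TRUE and sets *secret on success (see keys.c for ownership) */`, with the ownership wording adjusted to match the definition in keys.c, which is not part of this diff.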
@@ -40,106 +40,121 @@ #include "crypto.h" #include "modecfg.h" #include "whack.h" -#include "xauth.h" +#include "pluto.h" #define MAX_XAUTH_TRIES 3 -#define DNS_SERVER_MAX 2 -#define NBNS_SERVER_MAX 2 -#define SUPPORTED_ATTR_SET ( LELEM(INTERNAL_IP4_ADDRESS) \ - | LELEM(INTERNAL_IP4_NETMASK) \ - | LELEM(INTERNAL_IP4_DNS) \ - | LELEM(INTERNAL_IP4_NBNS) \ - | LELEM(APPLICATION_VERSION) \ - | LELEM(INTERNAL_IP6_DNS) \ - | LELEM(INTERNAL_IP6_NBNS) \ - ) +#define DEFAULT_UNITY_BANNER "Welcome to strongSwan - the Linux VPN Solution!\n" -#define SUPPORTED_UNITY_ATTR_SET ( LELEM(UNITY_BANNER - UNITY_BASE) ) +/** + * Creates a modecfg_attribute_t object + */ +static modecfg_attribute_t *modecfg_attribute_create(configuration_attribute_type_t type, + chunk_t value) +{ + modecfg_attribute_t *this; -#define UNITY_BANNER_STR "Welcome to strongSwan - the Linux VPN Solution!\n" + this = malloc_thing(modecfg_attribute_t); + this->type = ((u_int16_t)type) & 0x7FFF; + this->is_tv = FALSE; + this->value = chunk_clone(value); + this->handler = NULL; -/* - * Addresses assigned (usually via ModeCfg) to the Initiator - */ -typedef struct internal_addr internal_addr_t; + return this; +} -struct internal_addr +/** + * Creates a modecfg_attribute_t object coded in TV format + */ +static modecfg_attribute_t *modecfg_attribute_create_tv(configuration_attribute_type_t type, + size_t value) { - lset_t attr_set; - lset_t xauth_attr_set; - lset_t unity_attr_set; - - /* ModeCfg variables */ - ip_address ipaddr; - ip_address dns[DNS_SERVER_MAX]; - ip_address nbns[NBNS_SERVER_MAX]; + modecfg_attribute_t *this; - char *unity_banner; + this = modecfg_attribute_create(type, chunk_empty); + this->value.len = value; + this->is_tv = TRUE; - /* XAUTH variables */ - u_int16_t xauth_type; - xauth_t xauth_secret; - bool xauth_status; -}; + return this; +} /** - * Initialize an internal_addr struct + * Destroys a modecfg_attribute_t object */ -static void init_internal_addr(internal_addr_t *ia) +void 
modecfg_attribute_destroy(modecfg_attribute_t *this) { - int i; + free(this->value.ptr); + free(this); +} - ia->attr_set = LEMPTY; - ia->xauth_attr_set = LEMPTY; - ia->xauth_secret.user_name = chunk_empty; - ia->xauth_secret.user_password = chunk_empty; - ia->xauth_type = XAUTH_TYPE_GENERIC; - ia->xauth_status = XAUTH_STATUS_FAIL; - ia->unity_attr_set = LEMPTY; - ia->unity_banner = NULL; +/** + * Get attributes to be sent to client + */ +static void get_attributes(connection_t *c, linked_list_t *ca_list) +{ + configuration_attribute_type_t type; + identification_t *client_id; + modecfg_attribute_t *ca; + enumerator_t *enumerator; + chunk_t value; + host_t *vip = NULL, *requested_vip = NULL; + bool want_unity_banner = FALSE; + int family; - anyaddr(AF_INET, &ia->ipaddr); +#ifdef CISCO_QUIRKS + /* always send banner in ModeCfg push mode */ + if (ca_list->get_count(ca_list) == 0) + { + want_unity_banner = TRUE; + } +#endif - /* initialize DNS server information */ - for (i = 0; i < DNS_SERVER_MAX; i++) + /* scan list of requested attributes in ModeCfg pull mode */ + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) { - anyaddr(AF_INET, &ia->dns[i]); + switch (ca->type) + { + case INTERNAL_IP4_ADDRESS: + case INTERNAL_IP6_ADDRESS: + { + int family; + + family = (ca->type == INTERNAL_IP4_ADDRESS) ? AF_INET : AF_INET6; + requested_vip = (ca->value.len) ? 
+ host_create_from_chunk(family, ca->value, 0) : + host_create_any(family); + plog("peer requested virtual IP %H", requested_vip); + break; + } +#ifdef CISCO_QUIRKS + case UNITY_BANNER: + want_unity_banner = TRUE; + break; +#endif + default: + break; + } + modecfg_attribute_destroy(ca); } - /* initialize NBNS server information */ - for (i = 0; i < NBNS_SERVER_MAX; i++) + if (requested_vip == NULL) { - anyaddr(AF_INET, &ia->nbns[i]); + requested_vip = host_create_any(AF_INET); } -} -/** - * Get internal IP address for a connection - */ -static void get_internal_addr(connection_t *c, host_t *requested_vip, - internal_addr_t *ia) -{ - int dns_idx = 0, nbns_idx = 0; - enumerator_t *enumerator; - configuration_attribute_type_t type; - chunk_t value; - host_t *vip = NULL; + client_id = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id; - if (isanyaddr(&c->spd.that.host_srcip)) + /* if no virtual IP has been assigned yet - acquire one */ + if (c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { if (c->spd.that.pool) { vip = hydra->attributes->acquire_address(hydra->attributes, - c->spd.that.pool, c->spd.that.id, - requested_vip); + c->spd.that.pool, client_id, requested_vip); if (vip) { - chunk_t addr = vip->get_address(vip); - - plog("assigning virtual IP %H to peer", vip); - initaddr(addr.ptr, addr.len, vip->get_family(vip), &ia->ipaddr); - + c->spd.that.host_srcip->destroy(c->spd.that.host_srcip); + c->spd.that.host_srcip = vip; } } else 
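Review bot: In `get_attributes`, the `case INTERNAL_IP4_ADDRESS:`/`case INTERNAL_IP6_ADDRESS:` block declares a second `int family` that shadows the `family` already declared at function scope a few lines up; drop the inner declaration (it trips `-Wshadow` and invites a later mix-up). In the same block `requested_vip` is assigned without releasing a previous value, so a request carrying more than one address attribute (IPv4 and IPv6, or a duplicate) leaks a `host_t`; `DESTROY_IF(requested_vip);` immediately before the assignment fixes that. `get_attributes` continues into the next hunk.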
@@ -147,132 +162,184 @@ static void get_internal_addr(connection_t *c, host_t *requested_vip, plog("no virtual IP found"); } } - else - { - ia->ipaddr = c->spd.that.host_srcip; - vip = host_create_from_sockaddr((sockaddr_t*)&ia->ipaddr); - plog("assigning virtual IP %H to peer", vip); - } - if (!isanyaddr(&ia->ipaddr)) /* We got an IP address, send it */ + requested_vip->destroy(requested_vip); + + /* if we have a virtual IP address - send it */ + if (!c->spd.that.host_srcip->is_anyaddr(c->spd.that.host_srcip)) { - c->spd.that.host_srcip = ia->ipaddr; - c->spd.that.client.addr = ia->ipaddr; - c->spd.that.client.maskbits = 32; + vip = c->spd.that.host_srcip; + plog("assigning virtual IP %H to peer", vip); + family = vip->get_family(vip); + ca = modecfg_attribute_create((family == AF_INET) ? + INTERNAL_IP4_ADDRESS : + INTERNAL_IP6_ADDRESS, + vip->get_address(vip)); + ca_list->insert_last(ca_list, ca); + + /* set the remote client subnet to virtual IP */ + c->spd.that.client.addr = *(ip_address*)vip->get_sockaddr(vip); + c->spd.that.client.maskbits = (family == AF_INET) ? 
32 : 128; c->spd.that.has_client = TRUE; - - ia->attr_set = LELEM(INTERNAL_IP4_ADDRESS) - | LELEM(INTERNAL_IP4_NETMASK); } /* assign attributes from registered providers */ enumerator = hydra->attributes->create_responder_enumerator(hydra->attributes, - c->spd.that.id, vip); + c->spd.that.pool, client_id, vip); while (enumerator->enumerate(enumerator, &type, &value)) { - err_t ugh; - host_t *server; - sa_family_t family = AF_INET; + ca = modecfg_attribute_create(type, value); + ca_list->insert_last(ca_list, ca); + if (type == UNITY_BANNER) + { + want_unity_banner = FALSE; + } + } + enumerator->destroy(enumerator); + + if (want_unity_banner) + { + ca = modecfg_attribute_create(UNITY_BANNER, + chunk_create(DEFAULT_UNITY_BANNER, + strlen(DEFAULT_UNITY_BANNER))); + ca_list->insert_last(ca_list, ca); + } +} + +/** + * Set srcip and client subnet to internal IP address + */ +static bool set_attributes(connection_t *c, linked_list_t *ca_list) +{ + host_t *vip, *srcip; + modecfg_attribute_t *ca, *ca_handler; + enumerator_t *enumerator; + bool vip_set = FALSE; + + enumerator = ca_list->create_enumerator(ca_list); + while (enumerator->enumerate(enumerator, &ca)) + { + int family = AF_INET6; + attribute_handler_t *handler = NULL; + enumerator_t *e; - switch (type) + switch (ca->type) { - case INTERNAL_IP6_DNS: - family = AF_INET6; - /* fallthrough */ - case INTERNAL_IP4_DNS: - if (dns_idx >= DNS_SERVER_MAX) + case INTERNAL_IP4_ADDRESS: + family = AF_INET; + /* fall */ + case INTERNAL_IP6_ADDRESS: + if (ca->value.len == 0) { - plog("exceeded the maximum number of %d DNS servers", - DNS_SERVER_MAX); - break; + vip = host_create_any(family); } - ugh = initaddr(value.ptr, value.len, family, &ia->dns[dns_idx]); - if (ugh) + else { - plog("error in DNS server address: %s", ugh); - break; + /* skip prefix byte in IPv6 payload*/ + if (family == AF_INET6) + { + ca->value.len = 16; + } + vip = host_create_from_chunk(family, ca->value, 0); } - server = host_create_from_chunk(family, 
value, 0); - plog("assigning DNS server %H to peer", server); - server->destroy(server); - - /* differentiate between IP4 and IP6 in modecfg_build_msg() */ - ia->attr_set |= LELEM(INTERNAL_IP4_DNS); - dns_idx++; - break; - - case INTERNAL_IP6_NBNS: - family = AF_INET6; - /* fallthrough */ - case INTERNAL_IP4_NBNS: - if (nbns_idx >= NBNS_SERVER_MAX) + if (vip) { - plog("exceeded the maximum number of %d NBNS servers", - NBNS_SERVER_MAX); - break; - } - ugh = initaddr(value.ptr, value.len, family, &ia->nbns[nbns_idx]); - if (ugh) + srcip = c->spd.this.host_srcip; + + if (srcip->is_anyaddr(srcip) || srcip->equals(srcip, vip)) + { + plog("setting virtual IP source address to %H", vip); + } + else + { + plog("replacing virtual IP source address %H by %H", + srcip, vip); + } + srcip->destroy(srcip); + c->spd.this.host_srcip = vip; + + /* setting client subnet to vip/32 */ + addrtosubnet((ip_address*)vip->get_sockaddr(vip), + &c->spd.this.client); + setportof(0, &c->spd.this.client.addr); + c->spd.this.has_client = TRUE; + + vip_set = TRUE; + } + continue; + case APPLICATION_VERSION: +#ifdef CISCO_QUIRKS + case UNITY_BANNER: +#endif + if (ca->value.len > 0) { - plog("error in NBNS server address: %s", ugh); - break; + DBG(DBG_PARSING | DBG_CONTROLMORE, + DBG_log(" '%.*s'", ca->value.len, ca->value.ptr) + ) } - server = host_create_from_chunk(family, value, 0); - plog("assigning NBNS server %H to peer", server); - server->destroy(server); - - /* differentiate between IP4 and IP6 in modecfg_build_msg() */ - ia->attr_set |= LELEM(INTERNAL_IP4_NBNS); - nbns_idx++; break; - default: break; } - } - enumerator->destroy(enumerator); - DESTROY_IF(vip); -} - -/** - * Set srcip and client subnet to internal IP address - */ -static bool set_internal_addr(connection_t *c, internal_addr_t *ia) -{ - if (ia->attr_set & LELEM(INTERNAL_IP4_ADDRESS) - && !isanyaddr(&ia->ipaddr)) - { - if (addrbytesptr(&c->spd.this.host_srcip, NULL) == 0 - || isanyaddr(&c->spd.this.host_srcip) - || 
sameaddr(&c->spd.this.host_srcip, &ia->ipaddr)) + /* find the first handler which requested this attribute */ + e = c->requested->create_enumerator(c->requested); + while (e->enumerate(e, &ca_handler)) { - char srcip[ADDRTOT_BUF]; - - addrtot(&ia->ipaddr, 0, srcip, sizeof(srcip)); - plog("setting virtual IP source address to %s", srcip); + if (ca_handler->type == ca->type) + { + handler = ca_handler->handler; + break; + } } - else + e->destroy(e); + + /* and pass it to the handle function */ + handler = hydra->attributes->handle(hydra->attributes, + c->spd.that.id, handler, ca->type, ca->value); + if (handler) { - char old_srcip[ADDRTOT_BUF]; - char new_srcip[ADDRTOT_BUF]; + ca_handler = modecfg_attribute_create(ca->type, ca->value); + ca_handler->handler = handler; - addrtot(&c->spd.this.host_srcip, 0, old_srcip, sizeof(old_srcip)); - addrtot(&ia->ipaddr, 0, new_srcip, sizeof(new_srcip)); - plog("replacing virtual IP source address %s by %s" - , old_srcip, new_srcip); + if (c->attributes == NULL) + { + c->attributes = linked_list_create(); + } + c->attributes->insert_last(c->attributes, ca_handler); } + } + enumerator->destroy(enumerator); + c->requested->destroy_function(c->requested, (void*)modecfg_attribute_destroy); + c->requested = NULL; + return vip_set; +} - /* setting srcip */ - c->spd.this.host_srcip = ia->ipaddr; +/** + * Register configuration attribute handlers + */ +static void register_attribute_handlers(connection_t *c) +{ + configuration_attribute_type_t type; + modecfg_attribute_t *ca; + chunk_t value; + attribute_handler_t *handler; + enumerator_t *enumerator; - /* setting client subnet to srcip/32 */ - addrtosubnet(&ia->ipaddr, &c->spd.this.client); - setportof(0, &c->spd.this.client.addr); - c->spd.this.has_client = TRUE; - return TRUE; + /* add configuration attributes requested by handlers */ + if (c->requested == NULL) + { + c->requested = linked_list_create(); } - return FALSE; + enumerator = hydra->attributes->create_initiator_enumerator( 
+ hydra->attributes,c->spd.that.id, c->spd.this.host_srcip); + while (enumerator->enumerate(enumerator, &handler, &type, &value)) + { + ca = modecfg_attribute_create(type, value); + ca->handler = handler; + c->requested->insert_last(c->requested, ca); + } + enumerator->destroy(enumerator); } /** 
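Review bot: `set_attributes` treats an empty `INTERNAL_IP4_ADDRESS`/`INTERNAL_IP6_ADDRESS` as an assignment: `vip = host_create_any(family)` is installed as `c->spd.this.host_srcip`, the client subnet is derived from it and `vip_set` becomes TRUE, whereas the replaced `set_internal_addr` only acted on a non-any address. Unless accepting the any-address is intended, guard the installation with `if (vip && !vip->is_anyaddr(vip))` and destroy `vip` otherwise. Separately, `c->requested->create_enumerator(c->requested)` and the final `destroy_function` dereference `c->requested` unconditionally; if `set_attributes` can run without a preceding `register_attribute_handlers` (a CFG_SET received in push mode — that path is not in this diff), it needs a NULL check.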
@@ -307,218 +374,53 @@ static size_t modecfg_hash(u_char *dest, u_char *start, u_char *roof, * Generate an IKE message containing ModeCfg information (eg: IP, DNS, WINS) */ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody, - u_int16_t msg_type, - internal_addr_t *ia, + u_int16_t msg_type, linked_list_t *ca_list, u_int16_t ap_id) { u_char *r_hash_start, *r_hashval; + struct isakmp_mode_attr attrh; + struct isakmp_attribute attr; + pb_stream strattr,attrval; + enumerator_t *enumerator; + modecfg_attribute_t *ca; START_HASH_PAYLOAD(*rbody, ISAKMP_NEXT_ATTR); - /* ATTR out */ + attrh.isama_np = ISAKMP_NEXT_NONE; + attrh.isama_type = msg_type; + attrh.isama_identifier = ap_id; + + if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr)) { - struct isakmp_mode_attr attrh; - struct isakmp_attribute attr; - pb_stream strattr,attrval; - int attr_type, dns_attr_type, nbns_attr_type; - int dns_idx, nbns_idx; - bool dont_advance; - bool is_xauth_attr_set = ia->xauth_attr_set != LEMPTY; - bool is_unity_attr_set = ia->unity_attr_set != LEMPTY; - lset_t attr_set = ia->attr_set; - - attrh.isama_np = ISAKMP_NEXT_NONE; - attrh.isama_type = msg_type; - attrh.isama_identifier = ap_id; - - if (!out_struct(&attrh, &isakmp_attr_desc, rbody, &strattr)) + return STF_INTERNAL_ERROR; + } + + enumerator = ca_list->create_enumerator(ca_list); + while (enumerator->enumerate(enumerator, &ca)) + { + DBG(DBG_CONTROLMORE, + DBG_log("building %N attribute", configuration_attribute_type_names, ca->type) + ) + if (ca->is_tv) { - return STF_INTERNAL_ERROR; + attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TV; + attr.isaat_lv = ca->value.len; + out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval); } - attr_type = 0; - dns_idx = 0; - nbns_idx = 0; - - while (attr_set != LEMPTY || is_xauth_attr_set || is_unity_attr_set) + else { - if (attr_set == LEMPTY) - { - if (is_xauth_attr_set) - { - attr_set = ia->xauth_attr_set; - attr_type = XAUTH_BASE; - is_xauth_attr_set 
= FALSE; - } - else - { - attr_set = ia->unity_attr_set; - attr_type = UNITY_BASE; - is_unity_attr_set = FALSE; - } - } - - dont_advance = FALSE; - - if (attr_set & 1) - { - const u_char *byte_ptr; - u_int len; - - /* ISAKMP attr out */ - if (attr_type == XAUTH_TYPE) - { - attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV; - attr.isaat_lv = ia->xauth_type; - } - else if (attr_type == XAUTH_STATUS) - { - attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TV; - attr.isaat_lv = ia->xauth_status; - } - else if (attr_type == INTERNAL_IP4_DNS && !isanyaddr(&ia->dns[dns_idx])) - { - dns_attr_type = (addrtypeof(&ia->dns[dns_idx]) == AF_INET) ? - INTERNAL_IP4_DNS : INTERNAL_IP6_DNS; - attr.isaat_af_type = dns_attr_type | ISAKMP_ATTR_AF_TLV; - - } - else if (attr_type == INTERNAL_IP4_NBNS && !isanyaddr(&ia->nbns[nbns_idx])) - { - nbns_attr_type = (addrtypeof(&ia->nbns[nbns_idx]) == AF_INET) ? - INTERNAL_IP4_NBNS : INTERNAL_IP6_NBNS; - attr.isaat_af_type = nbns_attr_type | ISAKMP_ATTR_AF_TLV; - - } - else - { - attr.isaat_af_type = attr_type | ISAKMP_ATTR_AF_TLV; - } - out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval); + char buf[BUF_LEN]; - switch (attr_type) - { - case INTERNAL_IP4_ADDRESS: - if (!isanyaddr(&ia->ipaddr)) - { - len = addrbytesptr(&ia->ipaddr, &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP4_addr"); - } - break; - case INTERNAL_IP4_NETMASK: - { - u_int mask; -#if 0 - char mask[4],bits[8]={0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe}; - int t,m=st->st_connection->that.host_addr.maskbit; - for (t=0; t<4; t++) - { - if (m < 8) - mask[t] = bits[m]; - else - mask[t] = 0xff; - m -= 8; - } -#endif - if (st->st_connection->spd.this.client.maskbits == 0) - { - mask = 0; - } - else - { - mask = 0xffffffff * 1; - out_raw(&mask, 4, &attrval, "IP4_mask"); - } - } - break; - case INTERNAL_IP4_SUBNET: - { - char mask[4]; - char bits[8] = {0x00,0x80,0xc0,0xe0,0xf0,0xf8,0xfc,0xfe}; - int t; - int m = st->st_connection->spd.this.client.maskbits; - - for (t = 
0; t < 4; t++) - { - mask[t] = (m < 8) ? bits[m] : 0xff; - m -= 8; - if (m < 0) - { - m = 0; - } - } - len = addrbytesptr(&st->st_connection->spd.this.client.addr, &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP4_subnet"); - out_raw(mask, sizeof(mask), &attrval, "IP4_submsk"); - } - break; - case INTERNAL_IP4_DNS: - case INTERNAL_IP6_DNS: - if (!isanyaddr(&ia->dns[dns_idx])) - { - len = addrbytesptr(&ia->dns[dns_idx++], &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP_dns"); - } - if (dns_idx < DNS_SERVER_MAX && !isanyaddr(&ia->dns[dns_idx])) - { - dont_advance = TRUE; - } - break; - case INTERNAL_IP4_NBNS: - case INTERNAL_IP6_NBNS: - if (!isanyaddr(&ia->nbns[nbns_idx])) - { - len = addrbytesptr(&ia->nbns[nbns_idx++], &byte_ptr); - out_raw(byte_ptr, len, &attrval, "IP_nbns"); - } - if (nbns_idx < NBNS_SERVER_MAX && !isanyaddr(&ia->nbns[nbns_idx])) - { - dont_advance = TRUE; - } - break; - case XAUTH_TYPE: - break; - case XAUTH_USER_NAME: - if (ia->xauth_secret.user_name.ptr != NULL) - { - out_raw(ia->xauth_secret.user_name.ptr - , ia->xauth_secret.user_name.len - , &attrval, "xauth_user_name"); - } - break; - case XAUTH_USER_PASSWORD: - if (ia->xauth_secret.user_password.ptr != NULL) - { - out_raw(ia->xauth_secret.user_password.ptr - , ia->xauth_secret.user_password.len - , &attrval, "xauth_user_password"); - } - break; - case XAUTH_STATUS: - break; - case UNITY_BANNER: - if (ia->unity_banner != NULL) - { - out_raw(ia->unity_banner - , strlen(ia->unity_banner) - , &attrval, "UNITY_BANNER"); - } - break; - default: - plog("attempt to send unsupported mode cfg attribute %s." 
- , enum_show(&modecfg_attr_names, attr_type)); - break; - } - close_output_pbs(&attrval); - } - if (!dont_advance) - { - attr_type++; - attr_set >>= 1; - } + attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TLV; + out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval); + snprintf(buf, BUF_LEN, "%N", configuration_attribute_type_names, ca->type); + out_raw(ca->value.ptr, ca->value.len, &attrval, buf); } - close_message(&strattr); + close_output_pbs(&attrval); } - + enumerator->destroy(enumerator); + close_message(&strattr); + modecfg_hash(r_hashval, r_hash_start, rbody->cur, st); close_message(rbody); encrypt_message(rbody, st); @@ -529,7 +431,7 @@ static stf_status modecfg_build_msg(struct state *st, pb_stream *rbody, * Send ModeCfg message */ static stf_status modecfg_send_msg(struct state *st, int isama_type, - internal_addr_t *ia) + linked_list_t *ca_list) { pb_stream msg; pb_stream rbody; @@ -561,12 +463,8 @@ static stf_status modecfg_send_msg(struct state *st, int isama_type, } } - /* ATTR out */ - modecfg_build_msg(st, &rbody - , isama_type - , ia - , 0 /* XXX isama_id */ - ); + /* ATTR out with isama_id of 0 */ + modecfg_build_msg(st, &rbody, isama_type, ca_list, 0); free(st->st_tpacket.ptr); st->st_tpacket = chunk_create(msg.start, pbs_offset(&msg)); 
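Review bot: The rewritten attribute loop in `modecfg_build_msg` still ignores the result of `out_struct` in both the TV and TLV branches, so if an attribute does not fit the stream `attrval` is never initialised yet `out_raw` and `close_output_pbs` are still applied to it; the header `out_struct` a few lines up already returns `STF_INTERNAL_ERROR` on failure and the per-attribute call should do the same, releasing the enumerator first. The `modecfg_send_msg` hunk below repeats the pattern by discarding `modecfg_build_msg`'s return value. Choosing the encoding first and issuing a single checked `out_struct` keeps the loop short:
```c
	enumerator = ca_list->create_enumerator(ca_list);
	while (enumerator->enumerate(enumerator, &ca))
	{
		/* … unchanged: DBG trace of the attribute type … */
		if (ca->is_tv)
		{
			attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TV;
			attr.isaat_lv = ca->value.len;
		}
		else
		{
			attr.isaat_af_type = ca->type | ISAKMP_ATTR_AF_TLV;
		}
		if (!out_struct(&attr, &isakmp_modecfg_attribute_desc, &strattr, &attrval))
		{
			enumerator->destroy(enumerator);
			return STF_INTERNAL_ERROR;
		}
		if (!ca->is_tv)
		{
			char buf[BUF_LEN];

			snprintf(buf, BUF_LEN, "%N", configuration_attribute_type_names, ca->type);
			out_raw(ca->value.ptr, ca->value.len, &attrval, buf);
		}
		close_output_pbs(&attrval);
	}
	/* … unchanged: enumerator->destroy, close_message, hash … */
```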
@@ -586,221 +484,157 @@ static stf_status modecfg_send_msg(struct state *st, int isama_type, /** * Parse a ModeCfg attribute payload */ -static stf_status modecfg_parse_attributes(pb_stream *attrs, internal_addr_t *ia) +static stf_status modecfg_parse_attributes(pb_stream *attrs, linked_list_t *ca_list) { struct isakmp_attribute attr; pb_stream strattr; - err_t ugh; - char buf[BUF_LEN]; - int dns_idx = 0; - int nbns_idx = 0; + u_int16_t attr_type; + u_int16_t attr_len; + chunk_t attr_chunk; + modecfg_attribute_t *ca; while (pbs_left(attrs) >= sizeof(struct isakmp_attribute)) { - u_int16_t attr_type; - u_int16_t attr_len; - if (!in_struct(&attr, &isakmp_modecfg_attribute_desc, attrs, &strattr)) { return STF_FAIL; } attr_type = attr.isaat_af_type & ISAKMP_ATTR_RTYPE_MASK; attr_len = attr.isaat_lv; + DBG(DBG_CONTROLMORE, + DBG_log("processing %N attribute", + configuration_attribute_type_names, attr_type) + ) switch (attr_type) { - case INTERNAL_IP4_ADDRESS: - if (attr_len == 4) - { - ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->ipaddr); - if (ugh != NULL) - { - plog("received invalid virtual IPv4 address: %s", ugh); - } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP4_DNS: - if (attr_len == 4 && dns_idx < DNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->dns[dns_idx]); - if (ugh != NULL) - { - plog("received invalid IPv4 DNS server address: %s", ugh); - } - else - { - addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN); - plog("received IPv4 DNS server address %s", buf); - dns_idx++; - } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP4_NBNS: - if (attr_len == 4 && nbns_idx < NBNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 4, AF_INET, &ia->nbns[nbns_idx]); - if (ugh != NULL) + case INTERNAL_IP4_ADDRESS: + case INTERNAL_IP4_NETMASK: + case INTERNAL_IP4_DNS: + case INTERNAL_IP4_NBNS: + case INTERNAL_ADDRESS_EXPIRY: + case INTERNAL_IP4_DHCP: + if (attr_len != 4 && attr_len != 0) { - 
plog("received invalid IPv4 NBNS server address: %s", ugh); + goto error; } - else + break; + case INTERNAL_IP4_SUBNET: + if (attr_len != 8 && attr_len != 0) { - addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN); - plog("received IPv4 NBNS server address %s", buf); - nbns_idx++; + goto error; } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP6_DNS: - if (attr_len == 16 && dns_idx < DNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->dns[dns_idx]); - if (ugh != NULL) + break; + case INTERNAL_IP6_NETMASK: + case INTERNAL_IP6_DNS: + case INTERNAL_IP6_NBNS: + case INTERNAL_IP6_DHCP: + if (attr_len != 16 && attr_len != 0) { - plog("received invalid IPv6 DNS server address: %s", ugh); + goto error; } - else + break; + case INTERNAL_IP6_ADDRESS: + if (attr_len != 17 && attr_len != 16 && attr_len != 0) { - addrtot(&ia->dns[dns_idx], 0, buf, BUF_LEN); - plog("received IPv6 DNS server address %s", buf); - dns_idx++; + goto error; } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP6_NBNS: - if (attr_len == 16 && nbns_idx < NBNS_SERVER_MAX) - { - ugh = initaddr((char *)(strattr.cur), 16, AF_INET6, &ia->nbns[nbns_idx]); - if (ugh != NULL) + break; + case INTERNAL_IP6_SUBNET: + if (attr_len != 17 && attr_len != 0) { - plog("received invalid IPv6 NBNS server address: %s", ugh); + goto error; } - else + break; + case SUPPORTED_ATTRIBUTES: + if (attr_len % 2) { - addrtot(&ia->nbns[nbns_idx], 0, buf, BUF_LEN); - plog("received IPv6 NBNS server address %s", buf); - nbns_idx++; + goto error; } - } - ia->attr_set |= LELEM(attr_type); - break; - case INTERNAL_IP4_NETMASK: - case INTERNAL_IP4_SUBNET: - case INTERNAL_ADDRESS_EXPIRY: - case INTERNAL_IP4_DHCP: - case INTERNAL_IP6_ADDRESS: - case INTERNAL_IP6_NETMASK: - case INTERNAL_IP6_DHCP: - case SUPPORTED_ATTRIBUTES: - case INTERNAL_IP6_SUBNET: - ia->attr_set |= LELEM(attr_type); - break; - case APPLICATION_VERSION: - if (attr_len > 0) - { - DBG(DBG_PARSING, - DBG_log(" 
'%.*s'", attr_len, strattr.cur) - ) - } - ia->attr_set |= LELEM(attr_type); - break; - case XAUTH_TYPE: - ia->xauth_type = attr.isaat_lv; - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_USER_NAME: - ia->xauth_secret.user_name = chunk_create(strattr.cur, attr_len); - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_USER_PASSWORD: - ia->xauth_secret.user_password = chunk_create(strattr.cur, attr_len); - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_STATUS: - ia->xauth_status = attr.isaat_lv; - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case XAUTH_MESSAGE: - if (attr_len > 0) - { - DBG(DBG_PARSING, - DBG_log(" '%.*s'", attr_len, strattr.cur) - ) - } - /* fall through to set attribute flag */ - case XAUTH_PASSCODE: - case XAUTH_CHALLENGE: - case XAUTH_DOMAIN: - case XAUTH_NEXT_PIN: - case XAUTH_ANSWER: - ia->xauth_attr_set |= LELEM(attr_type - XAUTH_BASE); - break; - case UNITY_DDNS_HOSTNAME: - if (attr_len > 0) - { - DBG(DBG_PARSING, - DBG_log(" '%.*s'", attr_len, strattr.cur) - ) - } - /* fall through to set attribute flag */ - case UNITY_BANNER: - case UNITY_SAVE_PASSWD: - case UNITY_DEF_DOMAIN: - case UNITY_SPLITDNS_NAME: - case UNITY_SPLIT_INCLUDE: - case UNITY_NATT_PORT: - case UNITY_LOCAL_LAN: - case UNITY_PFS: - case UNITY_FW_TYPE: - case UNITY_BACKUP_SERVERS: - ia->unity_attr_set |= LELEM(attr_type - UNITY_BASE); - break; - default: - plog("unsupported ModeCfg attribute %s received." 
- , enum_show(&modecfg_attr_names, attr_type)); - break; + break; + case APPLICATION_VERSION: + break; + /* XAUTH attributes */ + case XAUTH_TYPE: + case XAUTH_STATUS: + case XAUTH_USER_NAME: + case XAUTH_USER_PASSWORD: + case XAUTH_PASSCODE: + case XAUTH_MESSAGE: + case XAUTH_CHALLENGE: + case XAUTH_DOMAIN: + case XAUTH_NEXT_PIN: + case XAUTH_ANSWER: + break; + /* Microsoft attributes */ + case INTERNAL_IP4_SERVER: + case INTERNAL_IP6_SERVER: + break; + /* Cisco Unity attributes */ + case UNITY_BANNER: + case UNITY_SAVE_PASSWD: + case UNITY_DEF_DOMAIN: + case UNITY_SPLITDNS_NAME: + case UNITY_SPLIT_INCLUDE: + case UNITY_NATT_PORT: + case UNITY_LOCAL_LAN: + case UNITY_PFS: + case UNITY_FW_TYPE: + case UNITY_BACKUP_SERVERS: + case UNITY_DDNS_HOSTNAME: + break; + default: + plog("unknown attribute type (%u)", attr_type); + continue; } + + /* add attribute */ + if (attr.isaat_af_type & ISAKMP_ATTR_AF_TV) + { + ca = modecfg_attribute_create_tv(attr_type, attr_len); + } + else + { + attr_chunk = chunk_create(strattr.cur, attr_len); + ca = modecfg_attribute_create(attr_type, attr_chunk); + } + ca_list->insert_last(ca_list, ca); } return STF_OK; + +error: + plog("%N attribute has invalid size of %u octets", + configuration_attribute_type_names, attr_type, attr_len); + return STF_FAIL; } /** * Parse a ModeCfg message */ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type, - u_int16_t *isama_id, internal_addr_t *ia) + u_int16_t *isama_id, linked_list_t *ca_list) { + modecfg_attribute_t *ca; struct state *const st = md->st; struct payload_digest *p; stf_status stat; st->st_msgid = md->hdr.isa_msgid; - CHECK_QUICK_HASH(md, modecfg_hash(hash_val - , hash_pbs->roof - , md->message_pbs.roof, st) - , "MODECFG-HASH", "ISAKMP_CFG_MSG"); + CHECK_QUICK_HASH(md, modecfg_hash(hash_val, hash_pbs->roof, + md->message_pbs.roof, st), "MODECFG-HASH", "ISAKMP_CFG_MSG"); /* process the ModeCfg payloads received */ for (p = md->chain[ISAKMP_NEXT_ATTR]; p != NULL; p = 
p->next) { - internal_addr_t ia_candidate; - - init_internal_addr(&ia_candidate); - if (p->payload.attribute.isama_type == isama_type) { *isama_id = p->payload.attribute.isama_identifier; - stat = modecfg_parse_attributes(&p->pbs, &ia_candidate); + stat = modecfg_parse_attributes(&p->pbs, ca_list); if (stat == STF_OK) { /* return with a valid set of attributes */ - *ia = ia_candidate; return STF_OK; } } 
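Review bot: The per-type size checks in `modecfg_parse_attributes` are applied to `attr_len = attr.isaat_lv`, which for a TV-encoded attribute is the 16-bit value rather than a length, so a TV-encoded `INTERNAL_IP4_ADDRESS` whose value happens to be 4 (or an `INTERNAL_IP6_ADDRESS` with value 16 or 17) passes validation and is stored via `modecfg_attribute_create_tv` with `value.ptr == NULL` and a non-zero `value.len`. Neither consumer looks at `is_tv`: `get_attributes` and `set_attributes` (earlier hunks) both hand such a chunk to `host_create_from_chunk`, which reads through the NULL pointer, so a malformed peer message takes the daemon down. The narrowest fix is to reject the TV form in every branch that size-checks a TLV payload, e.g. `if ((attr.isaat_af_type & ISAKMP_ATTR_AF_TV) || (attr_len != 4 && attr_len != 0))` for the first group and likewise for the others; alternatively the two consumers could treat `ca->is_tv` like an empty value.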
@@ -810,34 +644,61 @@ static stf_status modecfg_parse_msg(struct msg_digest *md, int isama_type, , enum_name(&attr_msg_type_names, isama_type) , enum_name(&attr_msg_type_names, p->payload.attribute.isama_type)); - stat = modecfg_parse_attributes(&p->pbs, &ia_candidate); + stat = modecfg_parse_attributes(&p->pbs, ca_list); } + + /* abort if a parsing error occurred */ if (stat != STF_OK) { + ca_list->destroy_function(ca_list, (void*)modecfg_attribute_destroy); return stat; } + + /* discard the parsed attributes and look for another payload */ + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) {} } return STF_IGNORE; } /** - * Send ModeCfg request message from client to server in pull mode + * Used in ModeCfg pull mode on the client (initiator) + * called in demux.c + * client -> CFG_REQUEST + * STF_OK transitions to STATE_MODE_CFG_I1 */ stf_status modecfg_send_request(struct state *st) { connection_t *c = st->st_connection; stf_status stat; - internal_addr_t ia; - - init_internal_addr(&ia); - - ia.attr_set = LELEM(INTERNAL_IP4_ADDRESS) - | LELEM(INTERNAL_IP4_NETMASK); - ia.ipaddr = c->spd.this.host_srcip; + modecfg_attribute_t *ca; + enumerator_t *enumerator; + int family; + chunk_t value; + host_t *vip; + linked_list_t *ca_list = linked_list_create(); + + vip = c->spd.this.host_srcip; + value = vip->is_anyaddr(vip) ? chunk_empty : vip->get_address(vip); + family = vip->get_family(vip); + ca = modecfg_attribute_create((family == AF_INET) ? 
+ INTERNAL_IP4_ADDRESS : INTERNAL_IP6_ADDRESS, + value); + ca_list->insert_last(ca_list, ca); + + register_attribute_handlers(c); + enumerator = c->requested->create_enumerator(c->requested); + while (enumerator->enumerate(enumerator, &ca)) + { + ca = modecfg_attribute_create(ca->type, chunk_empty); + ca_list->insert_last(ca_list, ca); + } + enumerator->destroy(enumerator); plog("sending ModeCfg request"); + st->st_state = STATE_MODE_CFG_I1; - stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia); + stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat == STF_OK) { st->st_modecfg.started = TRUE; 
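Review bot: `modecfg_parse_msg` destroys `ca_list` itself when `modecfg_parse_attributes` fails (`ca_list->destroy_function(...)` before `return stat`), but returns `STF_IGNORE` with the list still alive, and its callers `modecfg_inR0` and `modecfg_inI1` (following hunks) return early on any `stat != STF_OK` without destroying it — so ownership moves to the callee on failure but stays with the caller on ignore, where the list then leaks. Making the list caller-owned throughout is simplest: replace the destroy here with the clearing loop used a few lines below, and have each caller run `ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);` before every early return. On a smaller note, the loop in `modecfg_send_request` reuses `ca` both as the enumerated element and as the freshly created copy, which reads as if the list element were being replaced; a second variable would make the intent clearer.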
@@ -845,53 +706,37 @@ stf_status modecfg_send_request(struct state *st) return stat; } -/* STATE_MODE_CFG_R0: - * HDR*, HASH, ATTR(REQ=IP) --> HDR*, HASH, ATTR(REPLY=IP) - * - * used in ModeCfg pull mode, on the server (responder) +/** + * Used in ModeCfg pull mode on the server (responder) + * called in demux.c from STATE_MODE_CFG_R0 + * server <- CFG_REQUEST + * server -> CFG_REPLY + * STF_OK transitions to STATE_MODE_CFG_R0 */ stf_status modecfg_inR0(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; - bool want_unity_banner; stf_status stat, stat_build; - host_t *requested_vip; + linked_list_t *ca_list = linked_list_create(); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia); + plog("parsing ModeCfg request"); + + stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - if (ia.attr_set & LELEM(INTERNAL_IP4_ADDRESS)) - { - requested_vip = host_create_from_sockaddr((sockaddr_t*)&ia.ipaddr); - } - else - { - requested_vip = host_create_any(AF_INET); - } - plog("peer requested virtual IP %H", requested_vip); - - want_unity_banner = (ia.unity_attr_set & LELEM(UNITY_BANNER - UNITY_BASE)) != LEMPTY; - init_internal_addr(&ia); - get_internal_addr(st->st_connection, requested_vip, &ia); - requested_vip->destroy(requested_vip); - - if (want_unity_banner) - { - ia.unity_banner = UNITY_BANNER_STR; - ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE); - } + /* build the CFG_REPLY */ + get_attributes(st->st_connection, ca_list); plog("sending ModeCfg reply"); - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_REPLY - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY, + ca_list, isama_id); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); + if (stat_build != STF_OK) { return stat_build; 
@@ -900,53 +745,50 @@ stf_status modecfg_inR0(struct msg_digest *md) return STF_OK; } -/* STATE_MODE_CFG_I1: - * HDR*, HASH, ATTR(REPLY=IP) - * - * used in ModeCfg pull mode, on the client (initiator) +/** + * Used in ModeCfg pull mode on the client (initiator) + * called in demux.c from STATE_MODE_CFG_I1 + * client <- CFG_REPLY + * STF_OK transitions to STATE_MODE_CFG_I2 */ stf_status modecfg_inI1(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat; + linked_list_t *ca_list = linked_list_create(); plog("parsing ModeCfg reply"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia); + st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list); st->st_msgid = 0; + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); return STF_OK; } - /** - * Send ModeCfg set message from server to client in push mode + * Used in ModeCfg push mode on the server (responder) + * called in demux.c + * server -> CFG_SET + * STF_OK transitions to STATE_MODE_CFG_R3 */ stf_status modecfg_send_set(struct state *st) { stf_status stat; - internal_addr_t ia; - host_t *vip; + linked_list_t *ca_list = linked_list_create(); - init_internal_addr(&ia); - vip = host_create_any(AF_INET); - get_internal_addr(st->st_connection, vip, &ia); - vip->destroy(vip); -#ifdef CISCO_QUIRKS - ia.unity_banner = UNITY_BANNER_STR; - ia.unity_attr_set |= LELEM(UNITY_BANNER - UNITY_BASE); -#endif + plog("sending ModeCfg set"); - plog("sending ModeCfg set"); + get_attributes(st->st_connection, ca_list); st->st_state = STATE_MODE_CFG_R3; - stat = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia); + stat = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat == STF_OK) { 
st->st_modecfg.started = TRUE; 
@@ -954,41 +796,64 @@ stf_status modecfg_send_set(struct state *st) return stat; } -/* STATE_MODE_CFG_I0: - * HDR*, HASH, ATTR(SET=IP) --> HDR*, HASH, ATTR(ACK,OK) - * - * used in ModeCfg push mode, on the client (initiator). +/** + * Used in ModeCfg push mode on the client (initiator) + * called in demux.c from STATE_MODE_CFG_I0 + * client <- CFG_SET + * client -> CFG_ACK + * STF_OK transitions to STATE_MODE_CFG_I3 */ stf_status modecfg_inI0(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; - lset_t attr_set, unity_attr_set; stf_status stat, stat_build; + modecfg_attribute_t *ca; + linked_list_t *ca_list, *ca_ack_list; plog("parsing ModeCfg set"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia); + ca_list = linked_list_create(); + stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - st->st_modecfg.vars_set = set_internal_addr(st->st_connection, &ia); + register_attribute_handlers(st->st_connection); + st->st_modecfg.vars_set = set_attributes(st->st_connection, ca_list); /* prepare ModeCfg ack which sends zero length attributes */ - attr_set = ia.attr_set; - unity_attr_set = ia.unity_attr_set; - init_internal_addr(&ia); - ia.attr_set = attr_set & SUPPORTED_ATTR_SET; - ia.unity_attr_set = unity_attr_set & SUPPORTED_UNITY_ATTR_SET; + ca_ack_list = linked_list_create(); + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) + { + switch (ca->type) + { + case INTERNAL_IP4_ADDRESS: + case INTERNAL_IP4_DNS: + case INTERNAL_IP4_NBNS: + case APPLICATION_VERSION: + case INTERNAL_IP6_ADDRESS: + case INTERNAL_IP6_DNS: + case INTERNAL_IP6_NBNS: +#ifdef CISCO_QUIRKS + case UNITY_BANNER: +#endif + /* supported attributes */ + ca->value.len = 0; + ca_ack_list->insert_last(ca_ack_list, ca); + break; + default: + /* unsupportd attributes */ + modecfg_attribute_destroy(ca); + } + } + ca_list->destroy(ca_list); plog("sending ModeCfg ack"); - stat_build = 
modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_ACK - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK, + ca_ack_list, isama_id); + ca_ack_list->destroy_function(ca_ack_list, (void *)modecfg_attribute_destroy); if (stat_build != STF_OK) { return stat_build; @@ -997,21 +862,23 @@ stf_status modecfg_inI0(struct msg_digest *md) return STF_OK; } -/* STATE_MODE_CFG_R3: - * HDR*, HASH, ATTR(ACK,OK) - * - * used in ModeCfg push mode, on the server (responder) +/** + * Used in ModeCfg push mode on the server (responder) + * called in demux.c from STATE_MODE_CFG_R3 + * server <- CFG_ACK + * STF_OK transitions to STATE_MODE_CFG_R4 */ stf_status modecfg_inR3(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat; + linked_list_t *ca_list = linked_list_create(); plog("parsing ModeCfg ack"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat != STF_OK) { return stat; 
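Review bot: In modecfg_inI0's ack loop, `ca->value.len = 0;` turns a received attribute into the zero-length ack attribute while `ca->value.ptr` still points at the original buffer; presumably modecfg_build_msg only looks at len and modecfg_attribute_destroy releases the buffer afterwards, but that reuse is not obvious and deserves a comment such as `/* reuse the attribute as a zero-length ack entry; value.ptr is released with it */`. The comment in the default branch has a typo, `/* unsupportd attributes */` should read `/* unsupported attributes */`. modecfg_inI0 continues past the end of this hunk.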
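Review bot: modecfg_inR3 calls `ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);` unconditionally before checking `stat`, but the parse-error path inside modecfg_parse_msg (first hunk of this file) already destroys the caller's list, so a malformed CFG_ACK from the peer would destroy the same list twice — a double free reachable from remote input. Move the destroy call below the `if (stat != STF_OK)` block, as the other handlers in this commit do, or stop modecfg_parse_msg from destroying a list it does not own. modecfg_inR3 continues past the end of this hunk.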
@@ -1021,20 +888,26 @@ stf_status modecfg_inR3(struct msg_digest *md)
 }
 
 /**
- * Send XAUTH credentials request (username + password)
+ * Used on the XAUTH server (responder)
+ * called in demux.c
+ * server -> CFG_REQUEST
+ * STF_OK transitions to STATE_XAUTH_R1
  */
 stf_status xauth_send_request(struct state *st)
 {
 stf_status stat;
- internal_addr_t ia;
+ modecfg_attribute_t *ca;
+ linked_list_t *ca_list = linked_list_create();
 
- init_internal_addr(&ia);
- ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE)
- | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE);
+ ca = modecfg_attribute_create(XAUTH_USER_NAME, chunk_empty);
+ ca_list->insert_last(ca_list, ca);
+ ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, chunk_empty);
+ ca_list->insert_last(ca_list, ca);
 
 plog("sending XAUTH request");
 st->st_state = STATE_XAUTH_R1;
- stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, &ia);
+ stat = modecfg_send_msg(st, ISAKMP_CFG_REQUEST, ca_list);
+ ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy);
 if (stat == STF_OK)
 {
 st->st_xauth.started = TRUE;
@@ -1042,53 +915,87 @@ stf_status xauth_send_request(struct state *st) return stat; } -/* STATE_XAUTH_I0: - * HDR*, HASH, ATTR(REQ) --> HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) - * - * used on the XAUTH client (initiator) +/** + * Used on the XAUTH client (initiator) + * called in demux.c from STATE_XAUTH_I0 + * client <- CFG_REQUEST + * client -> CFG_REPLY + * STF_OK transitions to STATE_XAUTH_I1 */ stf_status xauth_inI0(struct msg_digest *md) { struct state *const st = md->st; + connection_t *c = st->st_connection; u_int16_t isama_id; - internal_addr_t ia; stf_status stat, stat_build; - bool xauth_type_present; + modecfg_attribute_t *ca; + bool xauth_user_name_present = FALSE; + bool xauth_user_password_present = FALSE; + bool xauth_type_present = FALSE; + chunk_t xauth_user_name, xauth_user_password; + identification_t *user_id; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH request"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_REQUEST, &isama_id, ca_list); if (stat != STF_OK) { return stat; } - /* check XAUTH attributes */ - xauth_type_present = (ia.xauth_attr_set & LELEM(XAUTH_TYPE - XAUTH_BASE)) != LEMPTY; - - if (xauth_type_present && ia.xauth_type != XAUTH_TYPE_GENERIC) + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) { - plog("xauth type %s is not supported", enum_name(&xauth_type_names, ia.xauth_type)); - stat = STF_FAIL; + switch (ca->type) + { + case XAUTH_TYPE: + if (ca->value.len != XAUTH_TYPE_GENERIC) + { + plog("xauth type %s is not supported", + enum_name(&xauth_type_names, ca->value.len)); + stat = STF_FAIL; + } + else + { + xauth_type_present = TRUE; + } + break; + case XAUTH_USER_NAME: + xauth_user_name_present = TRUE; + break; + case XAUTH_USER_PASSWORD: + xauth_user_password_present = TRUE; + break; + case XAUTH_MESSAGE: + if (ca->value.len) + { + DBG(DBG_PARSING | DBG_CONTROLMORE, + DBG_log(" '%.*s'", ca->value.len, ca->value.ptr) + ) + } 
+ break; + default: + break; + } + modecfg_attribute_destroy(ca); } - else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY) + + if (!xauth_user_name_present) { plog("user name attribute is missing in XAUTH request"); stat = STF_FAIL; } - else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY) + if (!xauth_user_password_present) { plog("user password attribute is missing in XAUTH request"); stat = STF_FAIL; } /* prepare XAUTH reply */ - init_internal_addr(&ia); - if (stat == STF_OK) { /* get user credentials using a plugin function */ - if (!xauth_module.get_secret(&ia.xauth_secret)) + if (!pluto->xauth->get_secret(pluto->xauth, c, &xauth_user_password)) { plog("xauth user credentials not found"); stat = STF_FAIL; 
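Review bot: The new XAUTH_MESSAGE branch logs peer-supplied text with `DBG_log(" '%.*s'", ca->value.len, ca->value.ptr)`; the `*` precision of `%.*s` must be an `int`, and a chunk_t length is a size_t, so the argument should be cast, `DBG_log(" '%.*s'", (int)ca->value.len, ca->value.ptr)` — the user name and password DBG_log calls in the next hunk have the same shape. Because the message body comes straight from the remote peer and is printed unsanitised, a short comment noting that control characters in it reach the log would help whoever reads these debug lines. The switch also relies on TV attributes carrying their value in `value.len` (`if (ca->value.len != XAUTH_TYPE_GENERIC)`), which is not visible from the code and deserves a one-line comment above the switch. xauth_inI0 continues past the end of this hunk.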
@@ -1096,35 +1003,42 @@ stf_status xauth_inI0(struct msg_digest *md) } if (stat == STF_OK) { + /* insert xauth type if present */ + if (xauth_type_present) + { + ca = modecfg_attribute_create_tv(XAUTH_TYPE, XAUTH_TYPE_GENERIC); + ca_list->insert_last(ca_list, ca); + } + + /* insert xauth user name */ + user_id = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id; + xauth_user_name = user_id->get_encoding(user_id); DBG(DBG_CONTROL, - DBG_log("my xauth user name is '%.*s'" - , ia.xauth_secret.user_name.len - , ia.xauth_secret.user_name.ptr) + DBG_log("my xauth user name is '%.*s'", xauth_user_name.len, + xauth_user_name.ptr) ) + ca = modecfg_attribute_create(XAUTH_USER_NAME, xauth_user_name); + ca_list->insert_last(ca_list, ca); + + /* insert xauth user password */ DBG(DBG_PRIVATE, - DBG_log("my xauth user password is '%.*s'" - , ia.xauth_secret.user_password.len - , ia.xauth_secret.user_password.ptr) + DBG_log("my xauth user password is '%.*s'", xauth_user_password.len, + xauth_user_password.ptr) ) - ia.xauth_attr_set = LELEM(XAUTH_USER_NAME - XAUTH_BASE) - | LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE); - if (xauth_type_present) - { - ia.xauth_attr_set |= LELEM(XAUTH_TYPE - XAUTH_BASE); - } + ca = modecfg_attribute_create(XAUTH_USER_PASSWORD, xauth_user_password); + ca_list->insert_last(ca_list, ca); + chunk_clear(&xauth_user_password); } else { - ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE); - ia.xauth_status = XAUTH_STATUS_FAIL; + ca = modecfg_attribute_create_tv(XAUTH_STATUS, XAUTH_STATUS_FAIL); + ca_list->insert_last(ca_list, ca); } plog("sending XAUTH reply"); - - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_REPLY - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_REPLY, + ca_list, isama_id); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat_build != STF_OK) { return stat_build; 
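Review bot: After inserting the XAUTH_USER_PASSWORD attribute the local copy is wiped with `chunk_clear(&xauth_user_password)`, which implies modecfg_attribute_create copies the value; that copy is later released through `modecfg_attribute_destroy`, and unless that function zeroises the buffer (not visible here) the password survives in freed heap memory. Consider wiping value buffers in modecfg_attribute_destroy, or documenting on it that XAUTH secrets are passed through these attributes. The user name from `user_id->get_encoding(user_id)` is handed to the same constructor without a clone, so the "value is copied" assumption should be stated in modecfg_attribute_create's doc comment. xauth_inI0 continues past the end of this hunk.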
@@ -1147,79 +1061,105 @@ stf_status xauth_inI0(struct msg_digest *md) } } -/* STATE_XAUTH_R1: - * HDR*, HASH, ATTR(REPLY=USERNAME/PASSWORD) --> HDR*, HASH, ATTR(STATUS) - * - * used on the XAUTH server (responder) +/** + * Used on the XAUTH server (responder) + * called in demux.c from STATE_XAUTH_R1 + server <- CFG_REPLY + server -> CFG_SET + STF_OK transitions to STATE_XAUTH_R2 */ stf_status xauth_inR1(struct msg_digest *md) { struct state *const st = md->st; + connection_t *c = st->st_connection; u_int16_t isama_id; - internal_addr_t ia; stf_status stat, stat_build; + chunk_t xauth_user_name, xauth_user_password; + int xauth_status = XAUTH_STATUS_OK; + modecfg_attribute_t *ca; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH reply"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_REPLY, &isama_id, ca_list); if (stat != STF_OK) { return stat; } + /* initialize xauth_secret */ + xauth_user_name = chunk_empty; + xauth_user_password = chunk_empty; + + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) + { + switch (ca->type) + { + case XAUTH_STATUS: + xauth_status = ca->value.len; + break; + case XAUTH_USER_NAME: + xauth_user_name = chunk_clone(ca->value); + break; + case XAUTH_USER_PASSWORD: + xauth_user_password = chunk_clone(ca->value); + break; + default: + break; + } + modecfg_attribute_destroy(ca); + } /* did the client return an XAUTH FAIL status? 
*/ - if ((ia.xauth_attr_set & LELEM(XAUTH_STATUS - XAUTH_BASE)) != LEMPTY) + if (xauth_status == XAUTH_STATUS_FAIL) { plog("received FAIL status in XAUTH reply"); /* client is not able to do XAUTH, delete ISAKMP SA */ + free(xauth_user_name.ptr); + free(xauth_user_password.ptr); delete_state(st); + ca_list->destroy(ca_list); return STF_IGNORE; } /* check XAUTH reply */ - if ((ia.xauth_attr_set & LELEM(XAUTH_USER_NAME - XAUTH_BASE)) == LEMPTY) + if (xauth_user_name.ptr == NULL) { plog("user name attribute is missing in XAUTH reply"); st->st_xauth.status = FALSE; } - else if ((ia.xauth_attr_set & LELEM(XAUTH_USER_PASSWORD - XAUTH_BASE)) == LEMPTY) + else if (xauth_user_password.ptr == NULL) { plog("user password attribute is missing in XAUTH reply"); st->st_xauth.status = FALSE; } else { - xauth_peer_t peer; - - peer.conn_name = st->st_connection->name; - addrtot(&md->sender, 0, peer.ip_address, sizeof(peer.ip_address)); - snprintf(peer.id, sizeof(peer.id), "%Y", - md->st->st_connection->spd.that.id); - DBG(DBG_CONTROL, - DBG_log("peer xauth user name is '%.*s'" - , ia.xauth_secret.user_name.len - , ia.xauth_secret.user_name.ptr) + DBG_log("peer xauth user name is '%.*s'", xauth_user_name.len, + xauth_user_name.ptr) ) + DESTROY_IF(c->xauth_identity); + c->xauth_identity = identification_create_from_data(xauth_user_name); + DBG(DBG_PRIVATE, - DBG_log("peer xauth user password is '%.*s'" - , ia.xauth_secret.user_password.len - , ia.xauth_secret.user_password.ptr) + DBG_log("peer xauth user password is '%.*s'", xauth_user_password.len, + xauth_user_password.ptr) ) /* verify the user credentials using a plugin function */ - st->st_xauth.status = xauth_module.verify_secret(&peer, &ia.xauth_secret); + st->st_xauth.status = pluto->xauth->verify_secret(pluto->xauth, c, + xauth_user_password); plog("extended authentication %s", st->st_xauth.status? 
"was successful":"failed"); } - - /* prepare XAUTH set which sends the authentication status */ - init_internal_addr(&ia); - ia.xauth_attr_set = LELEM(XAUTH_STATUS - XAUTH_BASE); - ia.xauth_status = (st->st_xauth.status)? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL; - - plog("sending XAUTH status:"); - - stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, &ia); + chunk_clear(&xauth_user_name); + chunk_clear(&xauth_user_password); + + plog("sending XAUTH status"); + xauth_status = (st->st_xauth.status) ? XAUTH_STATUS_OK : XAUTH_STATUS_FAIL; + ca = modecfg_attribute_create_tv(XAUTH_STATUS, xauth_status); + ca_list->insert_last(ca_list, ca); + stat_build = modecfg_send_msg(st, ISAKMP_CFG_SET, ca_list); + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); if (stat_build != STF_OK) { return stat_build; @@ -1227,20 +1167,23 @@ stf_status xauth_inR1(struct msg_digest *md) return STF_OK; } -/* STATE_XAUTH_I1: - * HDR*, HASH, ATTR(STATUS) --> HDR*, HASH, ATTR(ACK) - * - * used on the XAUTH client (initiator) +/** + * Used on the XAUTH client (initiator) + * called in demux.c from STATE_XAUTH_I1 + * client <- CFG_SET + * client -> CFG_ACK + * STF_OK transitions to STATE_XAUTH_I2 */ stf_status xauth_inI1(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat, stat_build; + modecfg_attribute_t *ca; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH status"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_SET, &isama_id, ca_list); if (stat != STF_OK) { /* notification payload - not exactly the right choice, but okay */ 
@@ -1248,15 +1191,21 @@ stf_status xauth_inI1(struct msg_digest *md) return stat; } - st->st_xauth.status = ia.xauth_status; + st->st_xauth.status = FALSE; + while (ca_list->remove_last(ca_list, (void **)&ca) == SUCCESS) + { + if (ca->type == XAUTH_STATUS) + { + st->st_xauth.status = (ca->value.len == XAUTH_STATUS_OK); + } + modecfg_attribute_destroy(ca); + } plog("extended authentication %s", st->st_xauth.status? "was successful":"failed"); plog("sending XAUTH ack"); - init_internal_addr(&ia); - stat_build = modecfg_build_msg(st, &md->rbody - , ISAKMP_CFG_ACK - , &ia - , isama_id); + stat_build = modecfg_build_msg(st, &md->rbody, ISAKMP_CFG_ACK, ca_list, isama_id); + ca_list->destroy(ca_list); + if (stat_build != STF_OK) { return stat_build; @@ -1278,25 +1227,27 @@ stf_status xauth_inI1(struct msg_digest *md) } } -/* STATE_XAUTH_R2: - * HDR*, ATTR(STATUS), HASH --> Done - * - * used on the XAUTH server (responder) +/** + * Used on the XAUTH server (responder) + * called in demux.c from STATE_XAUTH_R2 + * server <- CFG_ACK + * STF_OK transitions to STATE_XAUTH_R3 */ stf_status xauth_inR2(struct msg_digest *md) { struct state *const st = md->st; u_int16_t isama_id; - internal_addr_t ia; stf_status stat; + linked_list_t *ca_list = linked_list_create(); plog("parsing XAUTH ack"); - stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, &ia); + stat = modecfg_parse_msg(md, ISAKMP_CFG_ACK, &isama_id, ca_list); if (stat != STF_OK) { return stat; } + ca_list->destroy_function(ca_list, (void *)modecfg_attribute_destroy); st->st_msgid = 0; if (st->st_xauth.status) { @@ -1307,4 +1258,5 @@ stf_status xauth_inR2(struct msg_digest *md) delete_state(st); return STF_IGNORE; } + } diff --git a/src/pluto/modecfg.h b/src/pluto/modecfg.h index bc1443012..7adf18682 100644 --- a/src/pluto/modecfg.h +++ b/src/pluto/modecfg.h 
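Review bot: xauth_inI1 now defaults `st->st_xauth.status` to FALSE and only sets it when an XAUTH_STATUS attribute is present, so a CFG_SET without that attribute is reported as "extended authentication failed" with no hint that the attribute was missing; a `plog("status attribute is missing in XAUTH set")` in that case would make the failure diagnosable, mirroring the missing-attribute messages in xauth_inI0. Since the loop walks the list with `remove_last`, a duplicated XAUTH_STATUS attribute is resolved in favour of the first one in the message, which is worth a comment or an explicit duplicate check. xauth_inI1 begins before this hunk.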
@@ -16,8 +16,41 @@
 #ifndef _MODECFG_H
 #define _MODECFG_H
 
-struct state;
-struct msg_digest;
+#include 
+#include 
+
+#include "state.h"
+#include "demux.h"
+
+typedef struct modecfg_attribute_t modecfg_attribute_t;
+
+/**
+ * Defines a modecfg_attribute_t object.
+ */
+struct modecfg_attribute_t {
+ /**
+ * Type of the attribute.
+ */
+ u_int16_t type;
+
+ /**
+ * Attribute is coded as TV
+ */
+ bool is_tv;
+
+ /**
+ * Attribute value as chunk.
+ */
+ chunk_t value;
+
+ /**
+ * Attribute handler.
+ */
+ attribute_handler_t *handler;
+};
+
+/* Destroys a modecfg_attribute_t object */
+extern void modecfg_attribute_destroy(modecfg_attribute_t *this);
 
 /* ModeConfig pull mode start function */
 extern stf_status modecfg_send_request(struct state *st);
diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c
index b1f558ebf..8a351be6d 100644
--- a/src/pluto/ocsp.c
+++ b/src/pluto/ocsp.c
@@ -621,7 +621,7 @@ void list_ocsp_locations(ocsp_location_t *location, bool requests,
 }
 else
 {
- whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s",
+ whack_log(RC_COMMENT, " serial: %#B, %s, until %T %s",
 &certinfo->serialNumber,
 cert_status_names[certinfo->status],
 &certinfo->nextUpdate, utc,
@@ -767,7 +767,7 @@ static chunk_t sc_build_sha1_signature(chunk_t tbs, smartcard_t *sc)
 */
 static chunk_t build_signature(chunk_t tbsRequest)
 {
- chunk_t sigdata, cert, certs;
+ chunk_t sigdata, cert, certs = chunk_empty;
 
 if (ocsp_requestor_sc)
 {
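Review bot: The new modecfg_attribute_t struct does not say how TV-coded attributes carry their value; the modecfg.c hunks read it from `value.len` (`xauth_status = ca->value.len`, `ca->value.len != XAUTH_TYPE_GENERIC`), so the `is_tv` or `value` comment should state that, e.g. `/* For TV attributes the 16-bit value is stored in value.len */`. Ownership of `value` — whether the attribute owns the buffer that modecfg_attribute_destroy frees — also deserves a line, since callers in this commit both clone it and clear it after insertion. Replacing the `struct state;` / `struct msg_digest;` forward declarations with `#include "state.h"` and `#include "demux.h"` pulls those headers into every includer of modecfg.h, although the prototypes only use pointers and the forward declarations would still suffice.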
@@ -786,10 +786,12 @@ static chunk_t build_signature(chunk_t tbsRequest) } /* include our certificate */ - cert = ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert); - certs = asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "m", cert)); - + if (ocsp_requestor_cert->cert->get_encoding(ocsp_requestor_cert->cert, + CERT_ASN1_DER, &cert)) + { + certs = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_SEQUENCE, "m", cert)); + } /* build signature comprising algorithm, signature and cert */ return asn1_wrap(ASN1_CONTEXT_C_0, "m" , asn1_wrap(ASN1_SEQUENCE, "mmm" @@ -1013,7 +1015,7 @@ static bool valid_ocsp_response(response_t *res) { plog("certificate is invalid (valid from %T to %T)", ¬_before, FALSE, ¬_after, FALSE); - + unlock_authcert_list("valid_ocsp_response"); return FALSE; } @@ -1154,7 +1156,7 @@ static bool parse_basic_ocsp_response(chunk_t blob, int level0, response_t *res) break; } x509 = (x509_t*)cert->cert; - + if ((x509->get_flags(x509) & X509_OCSP_SIGNER) && trust_authcert_candidate(cert, NULL)) { diff --git a/src/pluto/pkcs7.c b/src/pluto/pkcs7.c index b24ef1a8c..c0fd041a7 100644 --- a/src/pluto/pkcs7.c +++ b/src/pluto/pkcs7.c @@ -591,7 +591,7 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes, contentInfo_t pkcs7Data, signedData; chunk_t authenticatedAttributes = chunk_empty; chunk_t encryptedDigest = chunk_empty; - chunk_t signerInfo, cInfo, signature; + chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;; signature_scheme_t scheme = signature_scheme_from_oid(digest_alg); if (attributes.ptr) 
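Review bot: When `get_encoding(..., CERT_ASN1_DER, &cert)` fails, build_signature silently continues with `certs` left as chunk_empty and emits a signed OCSP request that carries no signer certificate, so the responder cannot verify it and the failure only shows up remotely. An else branch with a log line, `else { plog("unable to encode OCSP requestor certificate"); }`, would make the local failure visible. build_signature continues past the end of this hunk.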
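Review bot: The new declaration `chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;;` ends in a doubled semicolon — harmless, but it reads like a slip; `chunk_t signerInfo, cInfo, signature, encoding = chunk_empty;`. As the line now mixes initialised and uninitialised declarators, a separate `chunk_t encoding = chunk_empty;` line would match the one-declaration-per-line pattern of the surrounding declarations. pkcs7_build_signedData begins before and continues past this hunk.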
@@ -622,12 +622,13 @@ chunk_t pkcs7_build_signedData(chunk_t data, chunk_t attributes, pkcs7Data.content = (data.ptr == NULL)? chunk_empty : asn1_simple_object(ASN1_OCTET_STRING, data); + cert->get_encoding(cert, CERT_ASN1_DER, &encoding); signedData.type = OID_PKCS7_SIGNED_DATA; signedData.content = asn1_wrap(ASN1_SEQUENCE, "cmmmm" , ASN1_INTEGER_1 , asn1_wrap(ASN1_SET, "m", asn1_algorithmIdentifier(digest_alg)) , pkcs7_build_contentInfo(&pkcs7Data) - , asn1_wrap(ASN1_CONTEXT_C_0, "m", cert->get_encoding(cert)) + , asn1_wrap(ASN1_CONTEXT_C_0, "m", encoding) , asn1_wrap(ASN1_SET, "m", signerInfo)); cInfo = pkcs7_build_contentInfo(&signedData); diff --git a/src/pluto/plugins/xauth/Makefile.am b/src/pluto/plugins/xauth/Makefile.am new file mode 100644 index 000000000..354325b35 --- /dev/null +++ b/src/pluto/plugins/xauth/Makefile.am @@ -0,0 +1,15 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \ + -I$(top_srcdir)/src/pluto + +AM_CFLAGS = -rdynamic + +plugin_LTLIBRARIES = libstrongswan-xauth.la + +libstrongswan_xauth_la_SOURCES = \ + xauth_plugin.h xauth_plugin.c \ + xauth_default_provider.c xauth_default_provider.h \ + xauth_default_verifier.c xauth_default_verifier.h + +libstrongswan_xauth_la_LDFLAGS = -module -avoid-version diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in new file mode 100644 index 000000000..13749e5af --- /dev/null +++ b/src/pluto/plugins/xauth/Makefile.in 
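Review bot: `cert->get_encoding(cert, CERT_ASN1_DER, &encoding);` ignores the return value, unlike the equivalent call in ocsp.c in this commit; if encoding fails, `encoding` stays chunk_empty and the [0] certificates element of signedData is emitted empty, producing a PKCS#7 SignedData that carries no signer certificate. Check the result before building, `if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding)) { plog("unable to encode signer certificate"); return chunk_empty; }`, releasing the chunks already built earlier in the function (those allocations begin before this hunk, so the exact cleanup is not visible here). pkcs7_build_signedData begins before and continues past this hunk.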
@@ -0,0 +1,577 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/pluto/plugins/xauth +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; 
+am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(plugin_LTLIBRARIES) +libstrongswan_xauth_la_LIBADD = +am_libstrongswan_xauth_la_OBJECTS = xauth_plugin.lo \ + xauth_default_provider.lo xauth_default_verifier.lo +libstrongswan_xauth_la_OBJECTS = $(am_libstrongswan_xauth_la_OBJECTS) +libstrongswan_xauth_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_xauth_la_LDFLAGS) $(LDFLAGS) -o $@ +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_xauth_la_SOURCES) 
+DIST_SOURCES = $(libstrongswan_xauth_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = 
@ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgid = @ipsecgid@ +ipsecgroup = @ipsecgroup@ +ipsecuid = @ipsecuid@ +ipsecuser = @ipsecuser@ +libdir = @libdir@ +libexecdir = @libexecdir@ +libhydra_plugins = @libhydra_plugins@ +libstrongswan_plugins = @libstrongswan_plugins@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +piddir = @piddir@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan 
-I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/whack \ + -I$(top_srcdir)/src/pluto + +AM_CFLAGS = -rdynamic +plugin_LTLIBRARIES = libstrongswan-xauth.la +libstrongswan_xauth_la_SOURCES = \ + xauth_plugin.h xauth_plugin.c \ + xauth_default_provider.c xauth_default_provider.h \ + xauth_default_verifier.c xauth_default_verifier.h + +libstrongswan_xauth_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/pluto/plugins/xauth/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done 
+libstrongswan-xauth.la: $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_DEPENDENCIES) + $(libstrongswan_xauth_la_LINK) -rpath $(plugindir) $(libstrongswan_xauth_la_OBJECTS) $(libstrongswan_xauth_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_provider.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_default_verifier.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/xauth_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else 
echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; 
\ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-pluginLTLIBRARIES \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-pluginLTLIBRARIES ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am install-man \ + install-pdf install-pdf-am install-pluginLTLIBRARIES \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. 
+.NOEXPORT:
diff --git a/src/pluto/plugins/xauth/xauth_default_provider.c b/src/pluto/plugins/xauth/xauth_default_provider.c
new file mode 100644
index 000000000..77c5facc4
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_provider.c
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+
+#include "xauth_default_provider.h"
+
+typedef struct private_xauth_default_provider_t private_xauth_default_provider_t;
+
+/**
+ * private data of xauth_default_provider
+ */
+struct private_xauth_default_provider_t {
+
+ /**
+ * public functions
+ */
+ xauth_provider_t public;
+};
+
+METHOD(xauth_provider_t, get_secret, bool,
+ private_xauth_default_provider_t *this, connection_t *c, chunk_t *secret)
+{
+ identification_t *user, *server;
+
+ server = c->spd.that.id;
+ user = (c->xauth_identity) ? c->xauth_identity : c->spd.this.id;
+
+ return get_xauth_secret(user, server, secret);
+}
+
+METHOD(xauth_provider_t, destroy, void,
+ private_xauth_default_provider_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_provider_t *xauth_default_provider_create()
+{
+ private_xauth_default_provider_t *this;
+
+ INIT(this,
+ .public = {
+ .get_secret = _get_secret,
+ .destroy = _destroy,
+ }
+ );
+
+ return &this->public;
+}
+
diff --git a/src/pluto/plugins/xauth/xauth_default_provider.h b/src/pluto/plugins/xauth/xauth_default_provider.h
new file mode 100644
index 000000000..ff1a91d16
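Review bot: `get_secret` hands the caller a secret through `get_xauth_secret(user, server, secret)` without documenting who owns `*secret` and who wipes it; the sibling verifier in this commit calls `chunk_clear()` on its own copy, so the caller of this provider presumably has to do the same, and the method comment should say so, e.g. `/* on success *secret is allocated for the caller, who must chunk_clear() it */` — confirm against get_xauth_secret(). As a point of style, `xauth_provider_t *xauth_default_provider_create()` is an unprototyped declaration; `(void)` is the C form. The same applies to the create functions in xauth_default_provider.h, xauth_default_verifier.c/.h and xauth_plugin.c, and to `pluto_deinit()` in pluto.c, which pluto.h in this same commit declares as `(void)`.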
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_provider.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_default_provider xauth_default_provider
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_DEFAULT_PROVIDER_H_
+#define XAUTH_DEFAULT_PROVIDER_H_
+
+#include 
+
+
+/**
+ * Create an xauth_default_provider instance.
+ */
+xauth_provider_t *xauth_default_provider_create();
+
+#endif /** XAUTH_DEFAULT_PROVIDER_H_ @}*/
+
diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.c b/src/pluto/plugins/xauth/xauth_default_verifier.c
new file mode 100644
index 000000000..776f77134
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_verifier.c
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+
+#include "xauth_default_verifier.h"
+
+typedef struct private_xauth_default_verifier_t private_xauth_default_verifier_t;
+
+/**
+ * private data of xauth_default_verifier
+ */
+struct private_xauth_default_verifier_t {
+
+ /**
+ * public functions
+ */
+ xauth_verifier_t public;
+};
+
+METHOD(xauth_verifier_t, verify_secret, bool,
+ private_xauth_default_verifier_t *this, connection_t *c, chunk_t secret)
+{
+ identification_t *user, *server;
+ chunk_t xauth_secret;
+ bool success = FALSE;
+
+ server = c->spd.this.id;
+ user = (c->xauth_identity) ? c->xauth_identity : c->spd.that.id;
+
+ if (get_xauth_secret(user, server, &xauth_secret))
+ {
+ success = chunk_equals(secret, xauth_secret);
+ chunk_clear(&xauth_secret);
+ }
+ return success;
+}
+
+METHOD(xauth_verifier_t, destroy, void,
+ private_xauth_default_verifier_t *this)
+{
+ free(this);
+}
+
+
+/*
+ * Described in header.
+ */
+xauth_verifier_t *xauth_default_verifier_create()
+{
+ private_xauth_default_verifier_t *this;
+
+ INIT(this,
+ .public = {
+ .verify_secret = _verify_secret,
+ .destroy = _destroy,
+ }
+ );
+
+ return &this->public;
+}
+
diff --git a/src/pluto/plugins/xauth/xauth_default_verifier.h b/src/pluto/plugins/xauth/xauth_default_verifier.h
new file mode 100644
index 000000000..e5814d7b4
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_default_verifier.h
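Review bot: `success = chunk_equals(secret, xauth_secret);` in `verify_secret` compares the peer-supplied XAUTH password with the stored one using what looks like a length check plus memcmp, which returns at the first differing byte, so the time to answer varies with the length of the matching prefix the peer sent. A fixed-iteration comparison (XOR-accumulate every byte after the length check and decide at the end) removes that signal; the `chunk_clear(&xauth_secret)` that follows is right and should stay. Whether chunk_equals() is actually memcmp-based is not visible on this page — confirm in libstrongswan's chunk helpers before changing the call.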
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_default_verifier xauth_default_verifier
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_DEFAULT_VERIFIER_H_
+#define XAUTH_DEFAULT_VERIFIER_H_
+
+#include 
+
+
+/**
+ * Create an xauth_default_verifier instance.
+ */
+xauth_verifier_t *xauth_default_verifier_create();
+
+#endif /** XAUTH_DEFAULT_VERIFIER_H_ @}*/
+
diff --git a/src/pluto/plugins/xauth/xauth_plugin.c b/src/pluto/plugins/xauth/xauth_plugin.c
new file mode 100644
index 000000000..74e16eacd
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_plugin.c
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+
+#include "xauth_plugin.h"
+#include "xauth_default_provider.h"
+#include "xauth_default_verifier.h"
+/**
+ * Implementation of plugin_t.destroy
+ */
+static void destroy(xauth_plugin_t *this)
+{
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *xauth_plugin_create()
+{
+ xauth_plugin_t *this = malloc_thing(xauth_plugin_t);
+
+ this->plugin.destroy = (void(*)(plugin_t*))destroy;
+
+ pluto->xauth->add_provider(pluto->xauth, xauth_default_provider_create());
+ pluto->xauth->add_verifier(pluto->xauth, xauth_default_verifier_create());
+
+ return &this->plugin;
+}
+
diff --git a/src/pluto/plugins/xauth/xauth_plugin.h b/src/pluto/plugins/xauth/xauth_plugin.h
new file mode 100644
index 000000000..4f14828d2
--- /dev/null
+++ b/src/pluto/plugins/xauth/xauth_plugin.h
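Review bot: `pluto->xauth->add_provider(pluto->xauth, ...)` in `xauth_plugin_create()` dereferences the global `pluto` unchecked, so the plugin only works if pluto_init() has run before plugins are loaded and is never reloaded after pluto_deinit() has set `pluto` to NULL; plutomain.c in this commit appears to order it that way, but the dependency deserves a line, e.g. `/* pluto_init() must have run: registers with the global xauth manager */`. The provider and verifier created here are not released by `destroy()`, which is only correct if add_provider()/add_verifier() take ownership and pluto_deinit() tears the manager down — a comment on the two calls noting the ownership transfer would make that explicit. The `malloc_thing()` result is used unchecked, consistent with the rest of pluto.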
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth xauth
+ * @ingroup pplugins
+ *
+ * @defgroup xauth_plugin xauth_plugin
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_PLUGIN_H_
+#define XAUTH_PLUGIN_H_
+
+#include 
+
+typedef struct xauth_plugin_t xauth_plugin_t;
+
+/**
+ * XAUTH plugin
+ */
+struct xauth_plugin_t {
+
+ /**
+ * implements plugin interface
+ */
+ plugin_t plugin;
+};
+
+#endif /** XAUTH_PLUGIN_H_ @}*/
diff --git a/src/pluto/pluto.c b/src/pluto/pluto.c
new file mode 100644
index 000000000..e9c7c316b
--- /dev/null
+++ b/src/pluto/pluto.c
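Review bot: `@defgroup xauth xauth` with `@ingroup pplugins` at the top of xauth_plugin.h defines the xauth Doxygen group a second time; pluto.h in this same commit defines `@defgroup xauth xauth` under `@ingroup pluto`, so Doxygen will warn about the duplicate and the group's parent depends on parse order. Dropping those two lines here and keeping only `@defgroup xauth_plugin xauth_plugin` / `@{ @ingroup xauth` leaves a single definition, in pluto.h.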
@@ -0,0 +1,71 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "pluto.h"
+
+#include 
+
+typedef struct private_pluto_t private_pluto_t;
+
+/**
+ * Private additions to pluto_t.
+ */
+struct private_pluto_t {
+
+ /**
+ * Public members of pluto_t.
+ */
+ pluto_t public;
+};
+
+/**
+ * Single instance of pluto_t.
+ */
+pluto_t *pluto;
+
+/**
+ * Described in header.
+ */
+void pluto_deinit()
+{
+ private_pluto_t *this = (private_pluto_t*)pluto;
+ this->public.xauth->destroy(this->public.xauth);
+ free(this);
+ pluto = NULL;
+}
+
+/**
+ * Described in header.
+ */
+bool pluto_init(char *file)
+{
+ private_pluto_t *this;
+
+ INIT(this,
+ .public = {
+ .xauth = xauth_manager_create(),
+ },
+ );
+ pluto = &this->public;
+
+ if (lib->integrity &&
+ !lib->integrity->check_file(lib->integrity, "pluto", file))
+ {
+ DBG1(DBG_LIB, "integrity check of pluto failed");
+ return FALSE;
+ }
+ return TRUE;
+}
+
diff --git a/src/pluto/pluto.h b/src/pluto/pluto.h
new file mode 100644
index 000000000..37e6e3f33
--- /dev/null
+++ b/src/pluto/pluto.h
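Review bot: `pluto_deinit()` casts and dereferences the global `pluto` without a guard, so a second call, or a call when pluto_init() was never run, dereferences NULL; `if (!pluto) { return; }` at its top makes tear-down idempotent, and the caller in plutomain.c already invokes it on the init failure path. That path works only because `pluto_init()` sets `pluto = &this->public;` before the integrity check and leaves it set when it returns FALSE — a comment on the early return, `/* pluto stays set so the caller can pluto_deinit() */`, keeps someone from "fixing" that. The failed-check message is now only a `DBG1(DBG_LIB, ...)` where the code it replaces in plutomain.c wrote to stderr; whether it is still visible depends on which dbg hook is installed that early in startup, so either confirm that or keep an `fprintf(stderr, ...)` next to it, since this is the only record of why the daemon exits with `SS_RC_DAEMON_INTEGRITY`.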
@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pluto pluto
+ *
+ * @defgroup xauth xauth
+ * @ingroup pluto
+ *
+ * @defgroup pplugins plugins
+ * @ingroup pluto
+ *
+ * @addtogroup pluto
+ * @{
+ */
+
+#ifndef PLUTO_H_
+#define PLUTO_H_
+
+typedef struct pluto_t pluto_t;
+
+#include 
+
+#include 
+
+/**
+ * Pluto daemon support object.
+ */
+struct pluto_t {
+
+ /**
+ * manager for payload attributes
+ */
+ xauth_manager_t *xauth;
+};
+
+/**
+ * The single instance of pluto_t.
+ *
+ * Set between calls to pluto_init() and pluto_deinit() calls.
+ */
+extern pluto_t *pluto;
+
+/**
+ * Initialize pluto.
+ *
+ * @return FALSE if integrity check failed
+ */
+bool pluto_init(char *file);
+
+/**
+ * Deinitialize pluto.
+ */
+void pluto_deinit(void);
+
+#endif /** PLUTO_H_ @}*/
+
diff --git a/src/pluto/plutomain.c b/src/pluto/plutomain.c
index aa04594bc..89123bb8a 100644
--- a/src/pluto/plutomain.c
+++ b/src/pluto/plutomain.c
@@ -33,7 +33,9 @@
 #include
 #ifdef CAPABILITIES
+#ifdef HAVE_SYS_CAPABILITY_H
 #include
+#endif /* HAVE_SYS_CAPABILITY_H */
 #endif /* CAPABILITIES */
 #include
@@ -68,7 +70,6 @@
 #include "ocsp.h"
 #include "crl.h"
 #include "fetch.h"
-#include "xauth.h"
 #include "crypto.h"
 #include "nat_traversal.h"
 #include "virtual.h"
@@ -76,6 +77,7 @@
 #include "vendor.h"
 #include "builder.h"
 #include "whack_attribute.h"
+#include "pluto.h"
 static void usage(const char *mess)
 {
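Review bot: `bool pluto_init(char *file);` in pluto.h documents the return value but not `file`; pluto.c passes it straight to `lib->integrity->check_file(lib->integrity, "pluto", file)` and plutomain.c passes `argv[0]`, so `@param file path of the pluto executable to integrity-check` belongs in the comment. The parameter is never written through, so `const char *file` would be the stricter signature if check_file() accepts it — not visible on this page. The comment on `pluto` reads "Set between calls to pluto_init() and pluto_deinit() calls." — one "calls" too many.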
@@ -258,7 +260,6 @@ int main(int argc, char **argv)
 char *virtual_private = NULL;
 int lockfd;
 #ifdef CAPABILITIES
- cap_t caps;
 int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };
 #endif /* CAPABILITIES */
@@ -268,18 +269,18 @@ int main(int argc, char **argv)
 library_deinit();
 exit(SS_RC_LIBSTRONGSWAN_INTEGRITY);
 }
- if (lib->integrity &&
- !lib->integrity->check_file(lib->integrity, "pluto", argv[0]))
+ if (!libhydra_init("pluto"))
 {
- fprintf(stderr, "integrity check of pluto failed\n");
+ libhydra_deinit();
 library_deinit();
- exit(SS_RC_DAEMON_INTEGRITY);
+ exit(SS_RC_INITIALIZATION_FAILED);
 }
- if (!libhydra_init("pluto"))
+ if (!pluto_init(argv[0]))
 {
+ pluto_deinit();
 libhydra_deinit();
 library_deinit();
- exit(SS_RC_INITIALIZATION_FAILED);
+ exit(SS_RC_DAEMON_INTEGRITY);
 }
 options = options_create();
@@ -677,7 +678,6 @@ int main(int argc, char **argv)
 init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
 init_virtual_ip(virtual_private);
 scx_init(pkcs11_module_path, pkcs11_init_args);
- xauth_init();
 init_states();
 init_demux();
 init_kernel();
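Review bot: `int keep[] = { CAP_NET_ADMIN, CAP_NET_BIND_SERVICE };` stays under `#ifdef CAPABILITIES`, while after the hunk at @@ -717 (next line) its only uses sit under `CAPABILITIES_LIBCAP` and `CAPABILITIES_NATIVE`; unless configure defines CAPABILITIES whenever it defines one of those two, `keep` is undeclared in the new code, and when it defines CAPABILITIES alone `keep` becomes an unused variable. `#if defined(CAPABILITIES_LIBCAP) || defined(CAPABILITIES_NATIVE)` around the declaration ties it to its users; the `#ifdef CAPABILITIES` around the sys/capability.h include in the earlier hunk has the same split and should follow the libcap branch. main() starts and ends outside these hunks.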
@@ -717,18 +717,41 @@ int main(int argc, char **argv)
 }
 #endif
-#ifdef CAPABILITIES
- caps = cap_init();
- cap_set_flag(caps, CAP_EFFECTIVE, 2, keep, CAP_SET);
- cap_set_flag(caps, CAP_INHERITABLE, 2, keep, CAP_SET);
- cap_set_flag(caps, CAP_PERMITTED, 2, keep, CAP_SET);
- if (cap_set_proc(caps) != 0)
+#ifdef CAPABILITIES_LIBCAP
+ {
+ cap_t caps;
+ caps = cap_init();
+ cap_set_flag(caps, CAP_EFFECTIVE, countof(keep), keep, CAP_SET);
+ cap_set_flag(caps, CAP_INHERITABLE, countof(keep), keep, CAP_SET);
+ cap_set_flag(caps, CAP_PERMITTED, countof(keep), keep, CAP_SET);
+ if (cap_set_proc(caps) != 0)
+ {
+ plog("unable to drop daemon capabilities");
+ abort();
+ }
+ cap_free(caps);
+ }
+#endif /* CAPABILITIES_LIBCAP */
+#ifdef CAPABILITIES_NATIVE
 {
- plog("unable to drop daemon capabilities");
- abort();
+ struct __user_cap_data_struct caps = { .effective = 0 };
+ struct __user_cap_header_struct header = {
+ .version = _LINUX_CAPABILITY_VERSION,
+ };
+ int i;
+ for (i = 0; i < countof(keep); i++)
+ {
+ caps.effective |= 1 << keep[i];
+ caps.permitted |= 1 << keep[i];
+ caps.inheritable |= 1 << keep[i];
+ }
+ if (capset(&header, &caps) != 0)
+ {
+ plog("unable to drop daemon capabilities");
+ abort();
+ }
 }
- cap_free(caps);
-#endif /* CAPABILITIES */
+#endif /* CAPABILITIES_NATIVE */
 /* loading X.509 CA certificates */
 load_authcerts("ca", CA_CERT_PATH, X509_CA);
@@ -771,7 +794,6 @@ void exit_pluto(int status)
 free_ifaces();
 ac_finalize(); /* free X.509 attribute certificates */
 scx_finalize(); /* finalize and unload PKCS #11 module */
- xauth_finalize(); /* finalize and unload XAUTH module */
 stop_adns();
 free_md_pool();
 free_crypto();
@@ -781,6 +803,7 @@ void exit_pluto(int status)
 free_builder();
 delete_lock();
 options->destroy(options);
+ pluto_deinit();
 lib->plugins->unload(lib->plugins);
 libhydra_deinit();
 library_deinit();
diff --git a/src/pluto/rcv_whack.c b/src/pluto/rcv_whack.c
index bf5ccb10c..c140095f0 100644
--- a/src/pluto/rcv_whack.c
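Review bot: `caps.effective |= 1 << keep[i];` in the CAPABILITIES_NATIVE branch fills a v1 `__user_cap_data_struct` (`_LINUX_CAPABILITY_VERSION`), which carries one 32-bit word per set, so any capability number of 32 or more added to `keep[]` later would be shifted out silently (and `1 << 31` on an int is undefined); today both entries are below 32. A comment pinning that assumption, `/* v1 capset data is one 32-bit word per set: every keep[] entry must be < 32 */`, or `1u << keep[i]` plus a bound check, makes the limit explicit. In the CAPABILITIES_LIBCAP branch `cap_init()` and the three `cap_set_flag()` calls are unchecked; `cap_set_proc()` then presumably fails and the `abort()` still fails closed, which is acceptable but worth a one-line comment. Also `for (i = 0; i < countof(keep); i++)` compares an `int` against what is presumably a `size_t`, which -Wsign-compare will flag.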
+++ b/src/pluto/rcv_whack.c
@@ -329,6 +329,7 @@ void whack_handle(int whackctlfd)
 || !unpack_str(&msg.sc_data) /* string 26 */
 || !unpack_str(&msg.whack_lease_ip) /* string 27 */
 || !unpack_str(&msg.whack_lease_id) /* string 28 */
+ || !unpack_str(&msg.xauth_identity) /* string 29 */
 || str_roof - next_str != (ptrdiff_t)msg.keyval.len) /* check chunk */
 {
 ugh = "message from whack contains bad string";
diff --git a/src/pluto/state.h b/src/pluto/state.h
index 35ffe5a5b..c4e8db485 100644
--- a/src/pluto/state.h
+++ b/src/pluto/state.h
@@ -14,6 +14,9 @@
 * for more details.
 */
+#ifndef _STATE_H
+#define _STATE_H
+
 #include
 #include
 #include
@@ -270,3 +273,5 @@ extern void fmt_state(bool all, struct state *st, time_t n
 , char *state_buf, size_t state_buf_len
 , char *state_buf2, size_t state_buf_len2);
 extern void delete_states_by_peer(ip_address *peer);
+
+#endif /* _STATE_H */
diff --git a/src/pluto/x509.c b/src/pluto/x509.c
index 0a29830ea..2b8681246 100644
--- a/src/pluto/x509.c
+++ b/src/pluto/x509.c
@@ -393,6 +393,10 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 {
 written = snprintf(pos, len, ", %Y", id);
 }
+ if (written < 0 || written >= len)
+ {
+ break;
+ }
 pos += written;
 len -= written;
 }
@@ -427,11 +431,11 @@ void list_x509cert_chain(const char *caption, cert_t* cert,
 cert->smartcard ? ", on smartcard" : (has_private_key(cert)? ", has private key" : ""));
- if (key->get_fingerprint(key, KEY_ID_PUBKEY_INFO_SHA1, &keyid))
+ if (key->get_fingerprint(key, KEYID_PUBKEY_INFO_SHA1, &keyid))
 {
 whack_log(RC_COMMENT, " keyid: %#B", &keyid);
 }
- if (key->get_fingerprint(key, KEY_ID_PUBKEY_SHA1, &subjkey))
+ if (key->get_fingerprint(key, KEYID_PUBKEY_SHA1, &subjkey))
 {
 whack_log(RC_COMMENT, " subjkey: %#B", &subjkey);
 }
diff --git a/src/pluto/x509.h b/src/pluto/x509.h
index e904618b3..3101724a6 100644
--- a/src/pluto/x509.h
+++ b/src/pluto/x509.h
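Review bot: `|| !unpack_str(&msg.xauth_identity) /* string 29 */` changes the whack message wire layout, so a whack client built before this change will fail the `str_roof - next_str != (ptrdiff_t)msg.keyval.len` check (or be mis-parsed) instead of being rejected up front as a version mismatch. If the whack message magic/version constant is not bumped in the part of this commit not shown here, it should be, so the mismatch is reported as such. whack_handle() starts and ends outside the hunk.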
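Review bot: `#ifndef _STATE_H` introduces an include guard whose name starts with underscore plus an uppercase letter, a form C reserves for the implementation; the new headers in this commit use `PLUTO_H_` / `XAUTH_PLUGIN_H_`, so `PLUTO_STATE_H_` would be consistent. The deleted xauth.h used the same `_XAUTH_H` form, so this is an inherited habit rather than a new mistake, but new guards are the place to stop it.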
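Review bot: `if (written < 0 || written >= len)` in list_x509cert_chain() is the right guard for the snprintf() accumulation — a truncating write previously advanced `pos` past the end of the buffer — but the `break` ends the listing silently, so the reader gets no indication that chain entries were dropped. If `len` is a size_t, `written >= len` is an int-versus-unsigned comparison that is only safe because `written < 0` is tested first; `/* written < 0 must be tested first: a negative int would wrap in the unsigned compare */` keeps that order from being "simplified" later. list_x509cert_chain() starts and ends outside the hunk.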
@@ -26,6 +26,8 @@
 #include "constants.h"
 #include "certs.h"
+#define X509_MAX_PATH_LEN 7
+
 extern bool same_keyid(chunk_t a, chunk_t b);
 extern bool x509_check_signature(chunk_t tbs, chunk_t sig, int algorithm, certificate_t *issuer_cert);
diff --git a/src/pluto/xauth.c b/src/pluto/xauth.c
deleted file mode 100644
index 2086a92cc..000000000
--- a/src/pluto/xauth.c
+++ /dev/null
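Review bot: `#define X509_MAX_PATH_LEN 7` is added without a comment and nothing on this page uses it, so its meaning — presumably the maximum depth of an X.509 chain accepted during verification — and the reason for 7 are not recorded where the bound is defined. A one-line comment such as `/* maximum number of certificates in a verified chain, end entity to root */` (confirm against its user) would do.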
@@ -1,77 +0,0 @@ -/* Initialization and finalization of the dynamic XAUTH module - * Copyright (C) 2006 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include - -#include - -#include "constants.h" -#include "defs.h" -#include "xauth.h" -#include "keys.h" -#include "log.h" - -void -xauth_init(void) -{ -#ifdef XAUTH_DEFAULT_LIB - xauth_module.handle = dlopen(XAUTH_DEFAULT_LIB, RTLD_NOW); - - if (xauth_module.handle != NULL) - { - DBG(DBG_CONTROL, - DBG_log("xauth module '%s' loading'", XAUTH_DEFAULT_LIB) - ) - xauth_module.get_secret = (bool (*) (const xauth_t*)) - dlsym(xauth_module.handle, "get_secret"); - DBG(DBG_CONTROL, - if (xauth_module.get_secret != NULL) - { - DBG_log("xauth module: found get_secret() function"); - } - ) - xauth_module.verify_secret = (bool (*) (const xauth_peer_t*, const xauth_t*)) - dlsym(xauth_module.handle, "verify_secret"); - DBG(DBG_CONTROL, - if (xauth_module.verify_secret != NULL) - { - DBG_log("xauth module: found verify_secret() function"); - } - ) - } -#endif - /* any null function pointers will be filled in by default functions */ - xauth_defaults(); -} - -void -xauth_finalize(void) -{ -#ifdef XAUTH_DEFAULT_LIB - if (xauth_module.handle != NULL) - { - if (dlclose(xauth_module.handle)) - { - plog("failed to unload xauth module"); - } - else - { - DBG(DBG_CONTROL, - DBG_log("xauth module unloaded") - ) - } - } -#endif -} 
diff --git a/src/pluto/xauth.h b/src/pluto/xauth.h deleted file mode 100644 index 23cae3ed8..000000000 --- a/src/pluto/xauth.h +++ /dev/null @@ -1,48 +0,0 @@ -/* Interface definition of the XAUTH server and|or client module - * Copyright (C) 2006 Andreas Steffen - * Hochschule fuer Technik Rapperswil, Switzerland - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _XAUTH_H -#define _XAUTH_H - -#include -#include "defs.h" - -/* XAUTH credentials */ - -struct chunk_t; - -typedef struct { - char *conn_name; - char id[BUF_LEN]; - char ip_address[ADDRTOT_BUF]; -} xauth_peer_t; - -typedef struct { - chunk_t user_name; - chunk_t user_password; -} xauth_t; - -typedef struct { - void *handle; - bool (*get_secret) (xauth_t *xauth_secret); - bool (*verify_secret) (const xauth_peer_t *peer, const xauth_t *xauth_secret); -} xauth_module_t; - -extern xauth_module_t xauth_module; - -extern void xauth_init(void); -extern void xauth_finalize(void); - -#endif /* _XAUTH_H */ diff --git a/src/pluto/xauth/xauth_manager.c b/src/pluto/xauth/xauth_manager.c new file mode 100644 index 000000000..2e57ccefa --- /dev/null +++ b/src/pluto/xauth/xauth_manager.c 
@@ -0,0 +1,127 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "xauth_manager.h"
+
+typedef struct private_xauth_manager_t private_xauth_manager_t;
+
+/**
+ * private data of xauth_manager
+ */
+struct private_xauth_manager_t {
+
+ /**
+ * public functions
+ */
+ xauth_manager_t public;
+
+ /**
+ * list of registered secret providers
+ */
+ linked_list_t *providers;
+
+ /**
+ * list of registered secret verifiers
+ */
+ linked_list_t *verifiers;
+};
+
+METHOD(xauth_manager_t, get_secret, bool,
+ private_xauth_manager_t *this, connection_t *c, chunk_t *secret)
+{
+ xauth_provider_t *provider;
+ enumerator_t *enumerator;
+ bool success = FALSE;
+
+ *secret = chunk_empty;
+
+ enumerator = this->providers->create_enumerator(this->providers);
+ while (enumerator->enumerate(enumerator, &provider))
+ {
+ if (provider->get_secret(provider, c, secret))
+ {
+ success = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return success;
+}
+
+METHOD(xauth_manager_t, verify_secret, bool,
+ private_xauth_manager_t *this, connection_t *c, chunk_t secret)
+{
+ xauth_verifier_t *verifier;
+ enumerator_t *enumerator;
+ bool success = FALSE;
+
+ enumerator = this->verifiers->create_enumerator(this->verifiers);
+ while (enumerator->enumerate(enumerator, &verifier))
+ {
+ if (verifier->verify_secret(verifier, c, secret))
+ {
+ success = TRUE;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return success;
+}
+
+METHOD(xauth_manager_t, add_provider, void,
+ private_xauth_manager_t *this, xauth_provider_t *provider)
+{
+ this->providers->insert_last(this->providers, provider);
+}
+
+METHOD(xauth_manager_t, add_verifier, void,
+ private_xauth_manager_t *this, xauth_verifier_t *verifier)
+{
+ this->verifiers->insert_last(this->verifiers, verifier);
+}
+
+METHOD(xauth_manager_t, destroy, void,
+ private_xauth_manager_t *this)
+{
+ this->providers->destroy_offset(this->providers,
+ offsetof(xauth_provider_t, destroy));
+ this->verifiers->destroy_offset(this->verifiers,
+ offsetof(xauth_verifier_t, destroy));
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+xauth_manager_t *xauth_manager_create()
+{
+ private_xauth_manager_t *this;
+
+ INIT(this,
+ .public = {
+ .get_secret = _get_secret,
+ .verify_secret = _verify_secret,
+ .add_provider = _add_provider,
+ .add_verifier = _add_verifier,
+ .destroy = _destroy,
+ }
+ );
+
+ this->providers = linked_list_create();
+ this->verifiers = linked_list_create();
+
+ return &this->public;
+}
+
diff --git a/src/pluto/xauth/xauth_manager.h b/src/pluto/xauth/xauth_manager.h
new file mode 100644
index 000000000..843eb2ff0
--- /dev/null
+++ b/src/pluto/xauth/xauth_manager.h
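Review bot: get_secret resets `*secret = chunk_empty;` only once before the provider loop, so a provider that writes into `*secret` and then returns FALSE hands a stale value to the next provider and, if none succeeds, to the caller, which contradicts the header's "chunk_empty otherwise" contract; make `*secret = chunk_empty;` the first statement inside the while body instead. The chunk returned is an XAUTH user password, yet nothing here or in the header says who owns it or that it should be disposed of with chunk_clear rather than a plain free; that belongs in the get_secret documentation. Both lists are walked without any locking, which is fine if this object is only ever touched from pluto's single thread, but a comment stating that assumption on the struct would save the next reader from wondering.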
@@ -0,0 +1,80 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_manager xauth_manager
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_MANAGER_H_
+#define XAUTH_MANAGER_H_
+
+#include "xauth_provider.h"
+#include "xauth_verifier.h"
+
+typedef struct xauth_manager_t xauth_manager_t;
+
+/**
+ * An xauth_manager registers xauth_providers and xauth_verifiers.
+ */
+struct xauth_manager_t {
+
+ /**
+ * Register an xauth_provider
+ *
+ * @param provider xauth_provider to be registered
+ */
+ void (*add_provider)(xauth_manager_t *this, xauth_provider_t *provider);
+
+ /**
+ * Register an xauth_verifier
+ *
+ * @param verifier xauth_verifier to be registered
+ */
+ void (*add_verifier)(xauth_manager_t *this, xauth_verifier_t *verifier);
+
+ /**
+ * Use registered providers to retrieve an XAUTH user secret
+ * based on connection information.
+ *
+ * @param c connection information
+ * @param secret secret if found, chunk_empty otherwise
+ * @return TRUE if a matching secret was found
+ */
+ bool (*get_secret)(xauth_manager_t *this, connection_t *c, chunk_t *secret);
+
+ /**
+ * Use registered verifiers to verify an XAUTH user secret
+ * based on connection information
+ *
+ * @param c connection information
+ * @param secret secret to be compared
+ * @return TRUE if secret matches
+ */
+ bool (*verify_secret)(xauth_manager_t *this, connection_t *c, chunk_t secret);
+
+ /**
+ * Destroy an xauth_verifier instance.
+ */
+ void (*destroy)(xauth_manager_t *this);
+};
+
+/**
+ * Create an xauth_manager instance.
+ */
+xauth_manager_t *xauth_manager_create();
+
+#endif /** XAUTH_MANAGER_H_ @}*/
+
diff --git a/src/pluto/xauth/xauth_provider.h b/src/pluto/xauth/xauth_provider.h
new file mode 100644
index 000000000..90adbff50
--- /dev/null
+++ b/src/pluto/xauth/xauth_provider.h
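Review bot: The doc comment on the manager's destroy method says `Destroy an xauth_verifier instance.`, a copy-paste from xauth_verifier.h; it should read `Destroy an xauth_manager instance together with all registered providers and verifiers.`, since the implementation in xauth_manager.c appears to destroy both lists with destroy_offset. That transfer of ownership is not stated on add_provider/add_verifier either, so callers cannot tell whether they may keep using or must not free what they register; `@param provider xauth_provider to be registered, ownership passes to the manager` would settle it. The declaration `xauth_manager_t *xauth_manager_create();` is not a prototype in C and should be `xauth_manager_t *xauth_manager_create(void);`.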
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup xauth_provider xauth_provider
+ * @{ @ingroup xauth
+ */
+
+#ifndef XAUTH_PROVIDER_H_
+#define XAUTH_PROVIDER_H_
+
+#include 
+
+#include 
+
+typedef struct xauth_provider_t xauth_provider_t;
+
+/**
+ * An xauth provider retrieves xauth user secrets on the client side.
+ */
+struct xauth_provider_t {
+
+ /**
+ * Retrieve an XAUTH user secret based on connection information.
+ *
+ * @param c connection information
+ * @param secret secret if found, chunk_empty otherwise
+ * @return TRUE if a matching secret was found
+ */
+ bool (*get_secret)(xauth_provider_t *this, connection_t *c, chunk_t *secret);
+
+ /**
+ * Destroy an xauth_provider instance.
+ */
+ void (*destroy)(xauth_provider_t *this);
+};
+
+/**
+ * Create an xauth_provider instance.
+ */
+xauth_provider_t *xauth_provider_create();
+
+#endif /** XAUTH_PROVIDER_H_ @}*/
+
diff --git a/src/pluto/xauth/xauth_verifier.h b/src/pluto/xauth/xauth_verifier.h
new file mode 100644
index 000000000..7c9ff3a7f
--- /dev/null
+++ b/src/pluto/xauth/xauth_verifier.h
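Review bot: `xauth_provider_t *xauth_provider_create();` declares a function with unspecified parameters rather than a prototype; in C it should be `xauth_provider_t *xauth_provider_create(void);`. The get_secret contract is silent on the lifetime of the chunk written to `secret`, which is a user password: implementers need to know whether to hand out a copy or a reference, and callers whether they must wipe it; `@param secret secret if found (allocated copy, caller wipes and frees it), chunk_empty otherwise` would fix both, adjusted to whatever the existing providers actually do, which this header does not show.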
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup xauth_verifier xauth_verifier + * @{ @ingroup xauth + */ + +#ifndef XAUTH_VERIFIER_H_ +#define XAUTH_VERIFIER_H_ + +#include + +#include + +typedef struct xauth_verifier_t xauth_verifier_t; + +/** + * An xauth verifier verifies xauth user secrets on the server side. + */ +struct xauth_verifier_t { + + /** + * Verify an XAUTH user secret base on connection information + * + * @param c connection information + * @param secret secret to be compared + * @return TRUE if secret matches + */ + bool (*verify_secret)(xauth_verifier_t *this, connection_t *c, chunk_t secret); + + /** + * Destroy an xauth_verifier instance. + */ + void (*destroy)(xauth_verifier_t *this); +}; + +/** + * Create an xauth_verifier instance. + */ +xauth_verifier_t *xauth_verifier_create(); + +#endif /** XAUTH_VERIFIER_H_ @}*/ + diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index db930756a..7832e5f66 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c index 598705636..29f6eab70 100644 --- a/src/scepclient/scep.c +++ b/src/scepclient/scep.c 
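Review bot: The verify_secret documentation has a typo, `base on connection information` should be `based on connection information`, and says nothing about how implementers must treat the supplied password; a practitioner would want it to state `Implementations must not log the secret and should compare it in constant time.` since every verifier registered with the manager is on the IKEv1 authentication path. The declaration `xauth_verifier_t *xauth_verifier_create();` should likewise be a real prototype, `xauth_verifier_t *xauth_verifier_create(void);`.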
@@ -281,7 +281,7 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID, bool msb_set; u_char *pos; - key->get_encoding(key, KEY_PUB_ASN1_DER, &keyEncoding); + key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding); keyInfo = asn1_wrap(ASN1_SEQUENCE, "mm", asn1_algorithmIdentifier(OID_RSA_ENCRYPTION), diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c index 385f6f328..5c32bbdef 100644 --- a/src/scepclient/scepclient.c +++ b/src/scepclient/scepclient.c @@ -398,7 +398,7 @@ int main(int argc, char **argv) transID = chunk_empty; fingerprint = chunk_empty; encoding = chunk_empty; - pkcs10_encoding = chunk_empty; + pkcs10_encoding = chunk_empty; issuerAndSubject = chunk_empty; challengePassword = chunk_empty; getCertInitial = chunk_empty; @@ -866,7 +866,7 @@ int main(int argc, char **argv) { exit_scepclient("generating pkcs10 request failed"); } - pkcs10_encoding = pkcs10_req->get_encoding(pkcs10_req); + pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding); fingerprint = scep_generate_pkcs10_fingerprint(pkcs10_encoding); plog(" fingerprint: %s", fingerprint.ptr); } @@ -900,7 +900,7 @@ int main(int argc, char **argv) DBG(DBG_CONTROL, DBG_log("building pkcs1 object:") ) - if (!private_key->get_encoding(private_key, KEY_PRIV_ASN1_DER, &pkcs1) || + if (!private_key->get_encoding(private_key, PRIVKEY_ASN1_DER, &pkcs1) || !chunk_write(pkcs1, path, "pkcs1", 0066, force)) { exit_scepclient("could not write pkcs1 file '%s'", path); @@ -941,8 +941,7 @@ int main(int argc, char **argv) { char *path = concatenate_paths(HOST_CERT_PATH, file_out_cert_self); - encoding = x509_signer->get_encoding(x509_signer); - if (!encoding.ptr) + if (!x509_signer->get_encoding(x509_signer, CERT_ASN1_DER, &encoding)) { exit_scepclient("encoding certificate failed"); } 
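Review bot: The result of `key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding)` is discarded, whereas the scepclient.c hunks of this same commit test the new bool return (`if (!private_key->get_encoding(...))`); if encoding fails here, keyEncoding keeps whatever it held before and is wrapped into keyInfo and hashed into the SCEP transaction ID. Check it and bail out, e.g. `if (!key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding)) { /* report failure */ return; }`, using whatever error convention the function has. scep_generate_transaction_id starts and ends outside this hunk, so I cannot see how it reports errors to its caller.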
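Review bot: `pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding);` ignores the bool result, unlike the two other converted get_encoding calls in this file that are wrapped in `if (!...)`; on failure pkcs10_encoding stays the chunk_empty it was initialised to earlier in main and is fingerprinted, and presumably sent, as if it were a request. Make it consistent: `if (!pkcs10_req->get_encoding(pkcs10_req, CERT_ASN1_DER, &pkcs10_encoding)) { exit_scepclient("encoding pkcs10 request failed"); }`. main continues on both sides of this hunk.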
@@ -964,7 +963,7 @@ int main(int argc, char **argv) */ { char *path = concatenate_paths(CA_CERT_PATH, file_in_cacert_enc); - + x509_ca_enc = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, BUILD_FROM_FILE, path, BUILD_END); if (!x509_ca_enc) @@ -1138,8 +1137,8 @@ int main(int argc, char **argv) { exit_scepclient("multiple certs received, only first stored"); } - encoding = cert->get_encoding(cert); - if (!chunk_write(encoding, path, "requested cert", 0022, force)) + if (!cert->get_encoding(cert, CERT_ASN1_DER, &encoding) || + !chunk_write(encoding, path, "requested cert", 0022, force)) { exit_scepclient("could not write cert file '%s'", path); } diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index a235013f2..9813a0c06 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -23,8 +23,9 @@ AM_CFLAGS = \ -DDEBUG starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in dist_man_MANS = ipsec.conf.5 starter.8 +CLEANFILES = ipsec.conf.5 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto @@ -38,6 +39,15 @@ if USE_CHARON AM_CFLAGS += -DSTART_CHARON endif +if USE_LOAD_WARNING + AM_CFLAGS += -DLOAD_WARNING +endif + +ipsec.conf.5: ipsec.conf.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 11449f465..d06c8974d 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in 
@@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, @@ -37,6 +37,7 @@ host_triplet = @host@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_PLUTO_TRUE@am__append_1 = -DSTART_PLUTO @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON +@USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING subdir = src/starter DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ $(srcdir)/Makefile.in @@ -285,10 +286,11 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ -DIPSEC_CONFDIR=\"${sysconfdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \ -DIPSEC_EAPDIR=\"${eapdir}\" -DDEV_RANDOM=\"${random_device}\" \ -DDEV_URANDOM=\"${urandom_device}\" -DDEBUG $(am__append_1) \ - $(am__append_2) + $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) -EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf +EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf ipsec.conf.5.in dist_man_MANS = ipsec.conf.5 starter.8 +CLEANFILES = ipsec.conf.5 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient @@ -618,6 +620,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -719,6 +722,11 @@ uninstall-man: uninstall-man5 uninstall-man8 uninstall-man8 +ipsec.conf.5: ipsec.conf.5.in + sed \ + -e "s:@IPSEC_VERSION@:$(PACKAGE_VERSION):" \ + $(srcdir)/$@.in > $@ + lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h $(LEX) $(srcdir)/parser.l diff --git a/src/starter/args.c b/src/starter/args.c index 512f2f46f..ab6b60509 100644 --- a/src/starter/args.c +++ b/src/starter/args.c 
@@ -230,9 +230,14 @@ static const token_info_t token_info[] = { ARG_TIME, offsetof(starter_conn_t, inactivity), NULL }, { ARG_MISC, 0, NULL /* KW_MODECONFIG */ }, { ARG_MISC, 0, NULL /* KW_XAUTH */ }, + { ARG_STR, offsetof(starter_conn_t, xauth_identity), NULL }, { ARG_ENUM, offsetof(starter_conn_t, me_mediation), LST_bool }, { ARG_STR, offsetof(starter_conn_t, me_mediated_by), NULL }, { ARG_STR, offsetof(starter_conn_t, me_peerid), NULL }, + { ARG_UINT, offsetof(starter_conn_t, reqid), NULL }, + { ARG_MISC, 0, NULL /* KW_MARK */ }, + { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, + { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, diff --git a/src/starter/cmp.c b/src/starter/cmp.c index 33a057b44..0727cf5f0 100644 --- a/src/starter/cmp.c +++ b/src/starter/cmp.c @@ -66,6 +66,10 @@ starter_cmp_conn(starter_conn_t *c1, starter_conn_t *c2) VARCMP(policy); VARCMP(addr_family); VARCMP(tunnel_addr_family); + VARCMP(mark_in.value); + VARCMP(mark_in.mask); + VARCMP(mark_out.value); + VARCMP(mark_in.mask); if (!starter_cmp_end(&c1->left, &c2->left)) return FALSE; diff --git a/src/starter/confread.c b/src/starter/confread.c index e9b9028d5..399e17844 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -461,6 +461,41 @@ static void handle_firewall(const char *label, starter_end_t *end, } } +static bool handle_mark(char *value, mark_t *mark) +{ + char *pos, *endptr; + + pos = strchr(value, '/'); + if (pos) + { + *pos = '\0'; + mark->mask = strtoul(pos+1, &endptr, 0); + if (*endptr != '\0') + { + plog("# invalid mark mask: %s", pos+1); + return FALSE; + } + } + else + { + mark->mask = 0xffffffff; + } + if (value == '\0') + { + mark->value = 0; + } + else + { + mark->value = strtoul(value, &endptr, 0); + if (*endptr != '\0') + { + plog("# invalid mark value: %s", value); + return FALSE; + } + } + return TRUE; +} + /* * parse a conn section */ 
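Review bot: The fourth new comparison in starter_cmp_conn repeats `VARCMP(mark_in.mask);` where `VARCMP(mark_out.mask);` was clearly intended, so two connections differing only in the outbound mark mask compare equal and, if this comparison drives reload detection as its name suggests, a changed `mark_out` mask in ipsec.conf would not be picked up. Change the line to `VARCMP(mark_out.mask);`. starter_cmp_conn continues outside this hunk.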
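Review bot: In handle_mark, `if (value == '\0')` compares the pointer itself against a null pointer constant rather than its first character, so the branch is dead and an empty value falls through to strtoul(""), which happens to yield 0 but only by accident; it must be `if (*value == '\0')`. The numeric parsing also accepts bad input silently: strtoul returns unsigned long, 64-bit on LP64, so `0x1ffffffff` or `-1` is truncated or wrapped into the u_int32_t fields without any error, and `5/` gives mask 0 because `*endptr == '\0'` is true for an empty string. Note as well that `*pos = '\0'` truncates kw->value in place, so anything that later re-reads that keyword sees the mark without its mask. A small checked helper (needs errno.h if confread.c does not already include it) covers all of this:
```c
static bool parse_mark_part(const char *str, u_int32_t *out, const char *what)
{
	char *endptr;
	unsigned long val;

	if (*str == '\0' || *str == '-')
	{
		plog("# invalid mark %s: %s", what, str);
		return FALSE;
	}
	errno = 0;
	val = strtoul(str, &endptr, 0);
	if (*endptr != '\0' || errno == ERANGE || val > 0xffffffffUL)
	{
		plog("# invalid mark %s: %s", what, str);
		return FALSE;
	}
	*out = val;
	return TRUE;
}

static bool handle_mark(char *value, mark_t *mark)
{
	char *pos = strchr(value, '/');

	if (pos)
	{
		*pos = '\0';
		if (!parse_mark_part(pos+1, &mark->mask, "mask"))
		{
			return FALSE;
		}
	}
	else
	{
		mark->mask = 0xffffffff;
	}
	if (*value == '\0')
	{
		mark->value = 0;
		return TRUE;
	}
	return parse_mark_part(value, &mark->value, "value");
}
```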
@@ -671,6 +706,26 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } break; } + case KW_MARK: + if (!handle_mark(kw->value, &conn->mark_in)) + { + cfg->err++; + break; + } + conn->mark_out = conn->mark_in; + break; + case KW_MARK_IN: + if (!handle_mark(kw->value, &conn->mark_in)) + { + cfg->err++; + } + break; + case KW_MARK_OUT: + if (!handle_mark(kw->value, &conn->mark_out)) + { + cfg->err++; + } + break; case KW_KEYINGTRIES: if (streq(kw->value, "%forever")) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 199fab642..5e4356ea3 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -95,6 +95,13 @@ struct also { also_t *next; }; +typedef struct mark_t mark_t; + +struct mark_t{ + u_int32_t value; + u_int32_t mask; +}; + typedef struct starter_conn starter_conn_t; struct starter_conn { @@ -110,6 +117,7 @@ struct starter_conn { u_int32_t eap_type; u_int32_t eap_vendor; char *eap_identity; + char *xauth_identity; lset_t policy; time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; @@ -120,6 +128,9 @@ struct starter_conn { u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; + u_int32_t reqid; + mark_t mark_in; + mark_t mark_out; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/ipsec.conf.5 b/src/starter/ipsec.conf.5 index 4cb1cb0fc..b1ae15825 100644 --- a/src/starter/ipsec.conf.5 +++ b/src/starter/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "27 Jun 2007" +.TH IPSEC.CONF 5 "2010-05-30" "4.4.1rc3" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION 
@@ -7,9 +7,9 @@ The optional file specifies most configuration and control information for the strongSwan IPsec subsystem. -(The major exception is secrets for authentication; +The major exception is secrets for authentication; see -.IR ipsec.secrets (5).) +.IR ipsec.secrets (5). Its contents are not security-sensitive. .PP The file is a text file, consisting of one or more @@ -61,8 +61,8 @@ indicates what type of section follows, and .I name is an arbitrary name which distinguishes the section from others of the same type. -(Names must start with a letter and may contain only -letters, digits, periods, underscores, and hyphens.) +Names must start with a letter and may contain only +letters, digits, periods, underscores, and hyphens. All subsequent non-empty lines which begin with white space are part of the section; comments within a section must begin with white space too. @@ -169,12 +169,12 @@ conn snt A note on terminology: There are two kinds of communications going on: transmission of user IP packets, and gateway-to-gateway negotiations for keying, rekeying, and general control. -The path to control the connection is called 'ISAKMP SA' in IKEv1 and -'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel -level data path, is called 'IPsec SA'. -strongSwan currently uses two separate keying daemons. Pluto handles -all IKEv1 connections, Charon is the new daemon supporting the IKEv2 protocol. -Charon does not support all keywords yet. +The path to control the connection is called 'ISAKMP SA' in IKEv1 +and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel +level data path, is called 'IPsec SA' or 'Child SA'. +strongSwan currently uses two separate keying daemons. \fIpluto\fP handles +all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2 +protocol. .PP To avoid trivial editing of the configuration file to suit it to each system involved in a connection, 
@@ -189,7 +189,17 @@ Which participant is considered or .I right is arbitrary; -IPsec figures out which one it is being run on based on internal information. +for every connection description an attempt is made to figure out whether +the local endpoint should act as the +.I left +or +.I right +endpoint. This is done by matching the IP addresses defined for both endpoints +with the IP addresses assigned to local network interfaces. If a match is found +then the role (left or right) that matches is going to be considered local. +If no match is found during startup, +.I left +is considered local. This permits using identical connection specifications on both ends. There are cases where there is no symmetry; a good convention is to use @@ -230,7 +240,8 @@ acceptable values are .B esp (the default) and .BR ah . -The IKEv2 daemon currently supports only ESP. +.br +The IKEv2 daemon currently supports ESP only. .TP .B authby how the two security gateways should authenticate each other; @@ -255,6 +266,11 @@ and .B xauthrsasig that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode based on shared secrets or digital RSA signatures, respectively. +IKEv2 additionally supports the value +.BR eap , +which indicates an initiator to request EAP authentication. The EAP method +to use is selected by the server (see +.BR eap ). This parameter is deprecated for IKEv2 connections, as two peers do not need to agree on an authentication method. Use the .B leftauth @@ -263,13 +279,12 @@ parameter instead to define authentication methods in IKEv2. .B auto what operation, if any, should be done automatically at IPsec startup; currently-accepted values are -.B add -, -.B route -, +.BR add , +.BR route , .B start and -.BR ignore . +.B ignore +(the default). .B add loads a connection without starting it. .B route 
@@ -305,7 +320,6 @@ A value of .B no prevents IPsec from proposing compression; a proposal to compress will still be accepted. -IKEv2 does not support IP compression yet. .TP .B dpdaction controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where @@ -317,13 +331,12 @@ liveliness of the IPsec peer. The values and .B restart all activate DPD. If no activity is detected, all connections with a dead peer -are stopped and unrouted ( -.B clear -), put in the hold state ( -.B hold -) or restarted ( -.B restart -). +are stopped and unrouted +.RB ( clear ), +put in the hold state +.RB ( hold ) +or restarted +.RB ( restart ). For IKEv1, the default is .B none which disables the active sending of R_U_THERE notifications. @@ -332,9 +345,8 @@ in order to signal the readiness to act passively as a responder if the peer wants to use DPD. For IKEv2, .B none does't make sense, since all messages are used to detect dead peers. If specified, -it has the same meaning as the default ( -.B clear -). +it has the same meaning as the default +.RB ( clear ). .TP .B dpddelay defines the period time interval with which R_U_THERE messages/INFORMATIONAL 
@@ -354,47 +366,70 @@ not send or receive any traffic. Currently supported in IKEv2 connections only. .TP .B eap defines the EAP type to propose as server if the client requests EAP -authentication. This parameter is deprecated in the favour of +authentication. Currently supported values are +.B aka +for EAP-AKA, +.B gtc +for EAP-GTC, +.B md5 +for EAP-MD5, +.B mschapv2 +for EAP-MS-CHAPv2, +.B radius +for the EAP-RADIUS proxy and +.B sim +for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a +definition in the form +.B eap=type-vendor +(e.g. eap=7-12345) can be used to specify vendor specific EAP types. +This parameter is deprecated in the favour of .B leftauth. To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, set -.B eap=radius +.BR eap=radius . .TP .B eap_identity defines the identity the client uses to reply to a EAP Identity request. If defined on the EAP server, the defined identity will be used as peer identity during EAP authentication. The special value .B %identity -uses the EAP Identity method to ask the client for a EAP identity. If not +uses the EAP Identity method to ask the client for an EAP identity. If not defined, the IKEv2 identity will be used as EAP identity. .TP .B esp -ESP encryption/authentication algorithm to be used +comma-separated list of ESP encryption/authentication algorithms to be used for the connection, e.g. -.B 3des-md5 -(encryption-integrity-[dh-group]). If dh-group is specified, CHILD_SA setup -and rekeying include a separate diffe hellman exchange (IKEv2 only). +.BR 3des-md5 . +The notation is +.BR encryption-integrity-[dh-group] . +.br +If +.B dh-group +is specified, CHILD_SA setup and rekeying include a separate diffe hellman +exchange (IKEv2 only). .TP .B forceencaps Force UDP encapsulation for ESP packets even if no NAT situation is detected. -This may help to hurdle restrictive firewalls. To enforce the peer to +This may help to surmount restrictive firewalls. 
In order to force the peer to encapsulate packets, NAT detection payloads are faked (IKEv2 only). .TP .B ike -IKE/ISAKMP SA encryption/authentication algorithm to be used, e.g. -.B aes128-sha1-modp2048 -(encryption-integrity-dhgroup). In IKEv2, multiple algorithms and proposals -may be included, such as +comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms +to be used, e.g. +.BR aes128-sha1-modp2048 . +The notation is +.BR encryption-integrity-dhgroup . +In IKEv2, multiple algorithms and proposals may be included, such as .B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024. .TP .B ikelifetime -how long the keying channel of a connection ('ISAKMP/IKE SA') +how long the keying channel of a connection (ISAKMP or IKE SA) should last before being renegotiated. .TP .B installpolicy decides whether IPsec policies are installed in the kernel by the IKEv2 -charon daemon for a given connection. Allows peaceful co-existence e.g. with +charon daemon for a given connection. Allows peaceful cooperation e.g. with the Mobile IPv6 daemon mip6d who wants to control the kernel policies. Acceptable values are .B yes @@ -412,8 +447,8 @@ daemon, unaffected from the .B keyexchange setting. The default value .B ike -currently behaves exactly as -.B ikev1. +currently is a synonym for +.BR ikev1 . .TP .B keyingtries how many attempts (a whole number or \fB%forever\fP) should be made to 
@@ -430,35 +465,51 @@ synonym for .TP .B left (required) -the IP address of the left participant's public-network interface, -in any form accepted by -.IR ttoaddr (3) +the IP address of the left participant's public-network interface or one of several magic values. If it is .BR %defaultroute , .B left will be filled in automatically with the local address -of the default-route interface (as determined at IPsec startup time). -(Either +of the default-route interface (as determined at IPsec startup time and +during configuration update). +Either .B left or .B right may be .BR %defaultroute , -but not both.) -The value -.B %any -signifies an address to be filled in (by automatic keying) during -negotiation. The prefix +but not both. +The prefix .B % in front of a fully-qualified domain name or an IP address will implicitly set .B leftallowany=yes. -If the domain name cannot be resolved into an IP address at IPsec startup or update time -then +If the domain name cannot be resolved into an IP address at IPsec startup or +update time then .B left=%any and .B leftallowany=no will be assumed. + +In case of an IKEv2 connection, the value +.B %any +for the local endpoint signifies an address to be filled in (by automatic +keying) during negotiation. If the local peer initiates the connection setup +the routing table will be queried to determine the correct local IP address. +In case the local peer is responding to a connection setup then any IP address +that is assigned to a local interface will be accepted. +.br +Note that specifying +.B %any +for the local endpoint is not supported by the IKEv1 pluto daemon. + +If +.B %any +is used for the remote endpoint it literally means any IP address. + +Please note that with the usage of wildcards multiple connection descriptions +might match a given incoming connection attempt. The most specific description +is used in that case. .TP .B leftallowany a modifier for 
@@ -466,8 +517,8 @@ a modifier for , making it behave as .B %any although a concrete IP address has been assigned. -Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec startup or -update time. +Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec +startup or update time. Acceptable values are .B yes and @@ -475,7 +526,8 @@ and (the default). .TP .B leftauth -Authentication method to use (local) or require (remote) in this connection. +Authentication method to use locally (left) or require from the remote (right) +side. This parameter is supported in IKEv2 only. Acceptable values are .B pubkey for public key authentication (RSA/ECDSA), @@ -486,19 +538,20 @@ to (require the) use of the Extensible Authentication Protocol. In the case of .B eap, an optional EAP method can be appended. Currently defined methods are -.B eap-aka, eap-sim, eap-gtc, eap-md5 +.BR eap-aka , +.BR eap-gtc , +.BR eap-md5 , +.B eap-mschapv2 and -.B eap-mschapv2. +.BR eap-sim . Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined in the form .B eap-type-vendor -(e.g. -.B eap-7-12345 -). +.RB "(e.g. " eap-7-12345 ). .TP .B leftauth2 Same as -.B leftauth, +.BR leftauth , but defines an additional authentication exchange. IKEv2 supports multiple authentication rounds using "Multiple Authentication Exchanges" defined in RFC4739. This allows, for example, separated authentication @@ -515,8 +568,8 @@ Same as but for the second authentication round (IKEv2 only). .TP .B leftcert -the path to the left participant's X.509 certificate. The file can be coded either in -PEM or DER format. OpenPGP certificates are supported as well. +the path to the left participant's X.509 certificate. The file can be encoded +either in PEM or DER format. OpenPGP certificates are supported as well. Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP are accepted. By default .B leftcert 
@@ -571,9 +624,11 @@ a comma separated list of group names. If the .B leftgroups parameter is present then the peer must be a member of at least one of the groups defined by the parameter. Group membership must be certified -by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has been -issued to the peer by a trusted Authorization Authority stored in -\fI/etc/ipsec.d/aacerts/\fP. Attribute certificates are not supported in IKEv2 yet. +by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has +been issued to the peer by a trusted Authorization Authority stored in +\fI/etc/ipsec.d/aacerts/\fP. +.br +Attribute certificates are not supported in IKEv2 yet. .TP .B lefthostaccess inserts a pair of INPUT and OUTPUT iptables rules using the default @@ -587,15 +642,10 @@ and (the default). .TP .B leftid -how -the left participant -should be identified for authentication; +how the left participant should be identified for authentication; defaults to .BR left . -Can be an IP address (in any -.IR ttoaddr (3) -syntax) -or a fully-qualified domain name preceded by +Can be an IP address or a fully-qualified domain name preceded by .B @ (which is used as a literal string and not resolved). .TP 
@@ -606,14 +656,18 @@ identity to use for a second authentication for the left participant .TP .B leftikeport UDP port the left participant uses for IKE communication. Currently supported in -IKEv2 connections only. If unspecified, port 500 is used with port floating to -4500 if NAT is detected or MOBIKE enabled. Specifying a local IKE port +IKEv2 connections only. If unspecified, port 500 is used with the port floating +to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port different from the default additionally requires a socket implementation that listens to this port. .TP .B leftnexthop -this parameter is not needed any more because the NETKEY IPsec stack does -not require explicit routing entries for the traffic to be tunneled. +this parameter is usually not needed any more because the NETKEY IPsec stack +does not require explicit routing entries for the traffic to be tunneled. If +.B leftsourceip +is used with IKEv1 then +.B leftnexthop +must still be set in order for the source routes to work properly. .TP .B leftprotoport restrict the traffic selector to a single protocol and/or port. 
@@ -656,35 +710,34 @@ or or .BR yes , and -.BR ifasked . +.BR ifasked , +the latter meaning that the peer must send a certificate request payload in +order to get a certificate in return. .TP .B leftsourceip The internal source IP to use in a tunnel, also known as virtual IP. If the -value is +value is one of the synonyms .BR %modeconfig , .BR %modecfg , .BR %config , or -.B %cfg, -an address is requested from the peer. In IKEv2, a defined address is requested, -but the server may change it. If the server does not support it, the address -is enforced. +.BR %cfg , +an address is requested from the peer. In IKEv2, a statically defined address +is also requested, since the server may change it. .TP .B rightsourceip The internal source IP to use in a tunnel for the remote peer. If the value is .B %config -on the responder side, the initiator must propose a address which is then echoed -back. The IKEv2 daemon also supports address pools expressed as +on the responder side, the initiator must propose an address which is then +echoed back. Also supported are address pools expressed as \fInetwork\fB/\fInetmask\fR -or the use of an external IP address pool using %\fIpoolname\fR -, where \fIpoolname\fR is the name of the IP address pool used for the lookup. +or the use of an external IP address pool using %\fIpoolname\fR, +where \fIpoolname\fR is the name of the IP address pool used for the lookup. .TP .B leftsubnet private subnet behind the left participant, expressed as -\fInetwork\fB/\fInetmask\fR -(actually, any form acceptable to -.IR ttosubnet (3)); +\fInetwork\fB/\fInetmask\fR; if omitted, essentially assumed to be \fIleft\fB/32\fR, signifying that the left end of the connection goes to the left participant only. When using IKEv2, the configured subnet of the peers may differ, the 
@@ -710,8 +763,8 @@ See .IR pluto (8) for details. Relevant only locally, other end need not agree on it. IKEv2 uses the updown -script to insert firewall rules only. Routing is not support and will be -implemented directly into Charon. +script to insert firewall rules only, since routing has been implemented +directly into charon. .TP .B lifebytes the number of bytes transmitted over an IPsec SA before it expires (IKEv2 @@ -768,6 +821,25 @@ begin; acceptable values as for .BR 9m ). Relevant only locally, other end need not agree on it. .TP +.B mark +sets an XFRM mark of the form [/] in the inbound and outbound +IPsec SAs and policies (IKEv2 only). If the mask is missing then a default +mask of +.B 0xffffffff +is assumed. +.TP +.B mark_in +sets an XFRM mark of the form [/] in the inbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mark_out +sets an XFRM mark of the form [/] in the outbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP .B mobike enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are .B yes @@ -786,7 +858,9 @@ and .B pull (the default). Currently relevant for IKEv1 only since IKEv2 always uses the configuration -payload in pull mode. +payload in pull mode. Cisco VPN gateways usually operate in +.B push +mode. .TP .B pfs whether Perfect Forward Secrecy of keys is desired on the connection's @@ -825,7 +899,7 @@ and .BR no . The two ends need not agree, but while a value of .B no -prevents Pluto/Charon from requesting renegotiation, +prevents pluto/charon from requesting renegotiation, it does not prevent responding to renegotiation requested from the other end, so .B no 
@@ -863,6 +937,9 @@ Relevant only locally, other end need not agree on it. synonym for .BR margintime . .TP +.B reqid +sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). +.TP .B type the type of the connection; currently the accepted values are @@ -879,12 +956,12 @@ signifying that no IPsec processing should be done at all; signifying that packets should be discarded; and .BR reject , signifying that packets should be discarded and a diagnostic ICMP returned. -Charon currently supports +The IKEv2 daemon charon currently supports .BR tunnel , .BR transport , and .BR tunnel_proxy -connection types, only . +connection types, only. .TP .B xauth specifies the role in the XAUTH protocol if activated by @@ -928,8 +1005,7 @@ of this connection will be used as peer ID. .SH "CA SECTIONS" This are optional sections that can be used to assign special -parameters to a Certification Authority (CA). These parameters are not -supported in IKEv2 yet. +parameters to a Certification Authority (CA). .TP 10 .B auto currently can have either the value @@ -964,6 +1040,7 @@ synonym for .TP .B ocspuri2 defines an alternative OCSP URI. Currently used by IKEv2 only. +.TP .B certuribase defines the base URI for the Hash and URL feature supported by IKEv2. Instead of exchanging complete certificates, IKEv2 allows to send an URI @@ -974,9 +1051,7 @@ At present, the only .B config section known to the IPsec software is the one named .BR setup , -which contains information used when the software is being started -(see -.IR starter (8)). +which contains information used when the software is being started. Here's an example: .PP .ne 8 
@@ -1234,21 +1309,6 @@ must be used to denote no interfaces. .B overridemtu value that the MTU of the ipsec\fIn\fR interface(s) should be set to, overriding IPsec's (large) default. -.SH CHOOSING A CONNECTION -.PP -When choosing a connection to apply to an outbound packet caught with a -.BR %trap, -the system prefers the one with the most specific eroute that -includes the packet's source and destination IP addresses. -Source subnets are examined before destination subnets. -For initiating, only routed connections are considered. For responding, -unrouted but added connections are considered. -.PP -When choosing a connection to use to respond to a negotiation which -doesn't match an ordinary conn, an opportunistic connection -may be instantiated. Eventually, its instance will be /32 -> /32, but -for earlier stages of the negotiation, there will not be enough -information about the client subnets to complete the instantiation. .SH FILES .nf /etc/ipsec.conf @@ -1259,12 +1319,11 @@ information about the client subnets to complete the instantiation. /etc/ipsec.d/crls .SH SEE ALSO -ipsec(8), pluto(8), starter(8), ttoaddr(3), ttodata(3) +ipsec(8), pluto(8), starter(8) .SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -Extended for the strongSwan project - -by Andreas Steffen. IKEv2-specific features by Martin Willi. +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner, Andreas Steffen and Martin Willi. .SH BUGS .PP If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP diff --git a/src/starter/ipsec.conf.5.in b/src/starter/ipsec.conf.5.in new file mode 100644 index 000000000..3d2940a66 --- /dev/null +++ b/src/starter/ipsec.conf.5.in 
@@ -0,0 +1,1330 @@
+.TH IPSEC.CONF 5 "2010-05-30" "@IPSEC_VERSION@" "strongSwan"
+.SH NAME
+ipsec.conf \- IPsec configuration and connections
+.SH DESCRIPTION
+The optional
+.I ipsec.conf
+file
+specifies most configuration and control information for the
+strongSwan IPsec subsystem.
+The major exception is secrets for authentication;
+see
+.IR ipsec.secrets (5).
+Its contents are not security-sensitive.
+.PP
+The file is a text file, consisting of one or more
+.IR sections .
+White space followed by
+.B #
+followed by anything to the end of the line
+is a comment and is ignored,
+as are empty lines which are not within a section.
+.PP
+A line which contains
+.B include
+and a file name, separated by white space,
+is replaced by the contents of that file,
+preceded and followed by empty lines.
+If the file name is not a full pathname,
+it is considered to be relative to the directory containing the
+including file.
+Such inclusions can be nested.
+Only a single filename may be supplied, and it may not contain white space,
+but it may include shell wildcards (see
+.IR sh (1));
+for example:
+.PP
+.B include
+.B "ipsec.*.conf"
+.PP
+The intention of the include facility is mostly to permit keeping
+information on connections, or sets of connections,
+separate from the main configuration file.
+This permits such connection descriptions to be changed,
+copied to the other security gateways involved, etc.,
+without having to constantly extract them from the configuration
+file and then insert them back into it.
+Note also the
+.B also
+parameter (described below) which permits splitting a single logical
+section (e.g. a connection description) into several actual sections.
+.PP
+A section
+begins with a line of the form:
+.PP
+.I type
+.I name
+.PP
+where
+.I type
+indicates what type of section follows, and
+.I name
+is an arbitrary name which distinguishes the section from others
+of the same type.
+Names must start with a letter and may contain only
+letters, digits, periods, underscores, and hyphens.
+All subsequent non-empty lines
+which begin with white space are part of the section;
+comments within a section must begin with white space too.
+There may be only one section of a given type with a given name.
+.PP
+Lines within the section are generally of the form
+.PP
+\ \ \ \ \ \fIparameter\fB=\fIvalue\fR
+.PP
+(note the mandatory preceding white space).
+There can be white space on either side of the
+.BR = .
+Parameter names follow the same syntax as section names,
+and are specific to a section type.
+Unless otherwise explicitly specified,
+no parameter name may appear more than once in a section.
+.PP
+An empty
+.I value
+stands for the system default value (if any) of the parameter,
+i.e. it is roughly equivalent to omitting the parameter line entirely.
+A
+.I value
+may contain white space only if the entire
+.I value
+is enclosed in double quotes (\fB"\fR);
+a
+.I value
+cannot itself contain a double quote,
+nor may it be continued across more than one line.
+.PP
+Numeric values are specified to be either an ``integer''
+(a sequence of digits) or a ``decimal number''
+(sequence of digits optionally followed by `.' and another sequence of digits).
+.PP
+There is currently one parameter which is available in any type of
+section:
+.TP
+.B also
+the value is a section name;
+the parameters of that section are appended to this section,
+as if they had been written as part of it.
+The specified section must exist, must follow the current one,
+and must have the same section type.
+(Nesting is permitted,
+and there may be more than one
+.B also
+in a single section,
+although it is forbidden to append the same section more than once.)
+.PP
+A section with name
+.B %default
+specifies defaults for sections of the same type.
+For each parameter in it,
+any section of that type which does not have a parameter of the same name
+gets a copy of the one from the
+.B %default
+section.
+There may be multiple
+.B %default
+sections of a given type,
+but only one default may be supplied for any specific parameter name,
+and all
+.B %default
+sections of a given type must precede all non-\c
+.B %default
+sections of that type.
+.B %default
+sections may not contain the
+.B also
+parameter.
+.PP
+Currently there are three types of sections:
+a
+.B config
+section specifies general configuration information for IPsec, a
+.B conn
+section specifies an IPsec connection, while a
+.B ca
+section specifies special properties of a certification authority.
+.SH "CONN SECTIONS"
+A
+.B conn
+section contains a
+.IR "connection specification" ,
+defining a network connection to be made using IPsec.
+The name given is arbitrary, and is used to identify the connection.
+Here's a simple example:
+.PP
+.ne 10
+.nf
+.ft B
+.ta 1c
+conn snt
+ left=192.168.0.1
+ leftsubnet=10.1.0.0/16
+ right=192.168.0.2
+ rightsubnet=10.1.0.0/16
+ keyingtries=%forever
+ auto=add
+.ft
+.fi
+.PP
+A note on terminology: There are two kinds of communications going on:
+transmission of user IP packets, and gateway-to-gateway negotiations for
+keying, rekeying, and general control.
+The path to control the connection is called 'ISAKMP SA' in IKEv1
+and 'IKE SA' in the IKEv2 protocol. That what is being negotiated, the kernel
+level data path, is called 'IPsec SA' or 'Child SA'.
+strongSwan currently uses two separate keying daemons. \fIpluto\fP handles
+all IKEv1 connections, \fIcharon\fP is the daemon handling the IKEv2
+protocol.
+.PP
+To avoid trivial editing of the configuration file to suit it to each system
+involved in a connection,
+connection specifications are written in terms of
+.I left
+and
+.I right
+participants,
+rather than in terms of local and remote.
+Which participant is considered
+.I left
+or
+.I right
+is arbitrary;
+for every connection description an attempt is made to figure out whether
+the local endpoint should act as the
+.I left
+or
+.I right
+endpoint. This is done by matching the IP addresses defined for both endpoints
+with the IP addresses assigned to local network interfaces. If a match is found
+then the role (left or right) that matches is going to be considered local.
+If no match is found during startup,
+.I left
+is considered local.
+This permits using identical connection specifications on both ends.
+There are cases where there is no symmetry; a good convention is to
+use
+.I left
+for the local side and
+.I right
+for the remote side (the first letters are a good mnemonic).
+.PP
+Many of the parameters relate to one participant or the other;
+only the ones for
+.I left
+are listed here, but every parameter whose name begins with
+.B left
+has a
+.B right
+counterpart,
+whose description is the same but with
+.B left
+and
+.B right
+reversed.
+.PP
+Parameters are optional unless marked '(required)'.
+.SS "CONN PARAMETERS"
+Unless otherwise noted, for a connection to work,
+in general it is necessary for the two ends to agree exactly
+on the values of these parameters.
+.TP 14
+.B ah
+AH authentication algorithm to be used
+for the connection, e.g.
+.B hmac-md5.
+.TP
+.B auth
+whether authentication should be done as part of
+ESP encryption, or separately using the AH protocol;
+acceptable values are
+.B esp
+(the default) and
+.BR ah .
+.br
+The IKEv2 daemon currently supports ESP only.
+.TP
+.B authby
+how the two security gateways should authenticate each other;
+acceptable values are
+.B secret
+or
+.B psk
+for pre-shared secrets,
+.B pubkey
+(the default) for public key signatures as well as the synonyms
+.B rsasig
+for RSA digital signatures and
+.B ecdsasig
+for Elliptic Curve DSA signatures.
+.B never
+can be used if negotiation is never to be attempted or accepted (useful for
+shunt-only conns).
+Digital signatures are superior in every way to shared secrets.
+IKEv1 additionally supports the values
+.B xauthpsk
+and
+.B xauthrsasig
+that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
+based on shared secrets or digital RSA signatures, respectively.
+IKEv2 additionally supports the value
+.BR eap ,
+which indicates an initiator to request EAP authentication. The EAP method
+to use is selected by the server (see
+.BR eap ).
+This parameter is deprecated for IKEv2 connections, as two peers do not need
+to agree on an authentication method. Use the
+.B leftauth
+parameter instead to define authentication methods in IKEv2.
+.TP
+.B auto
+what operation, if any, should be done automatically at IPsec startup;
+currently-accepted values are
+.BR add ,
+.BR route ,
+.B start
+and
+.B ignore
+(the default).
+.B add
+loads a connection without starting it.
+.B route
+loads a connection and installs kernel traps. If traffic is detected between
+.B leftsubnet
+and
+.B rightsubnet
+, a connection is established.
+.B start
+loads a connection and brings it up immediatly.
+.B ignore
+ignores the connection. This is equal to delete a connection from the config
+file.
+Relevant only locally, other end need not agree on it
+(but in general, for an intended-to-be-permanent connection,
+both ends should use
+.B auto=start
+to ensure that any reboot causes immediate renegotiation).
+.TP
+.B compress
+whether IPComp compression of content is proposed on the connection
+(link-level compression does not work on encrypted data,
+so to be effective, compression must be done \fIbefore\fR encryption);
+acceptable values are
+.B yes
+and
+.B no
+(the default). A value of
+.B yes
+causes IPsec to propose both compressed and uncompressed,
+and prefer compressed.
+A value of
+.B no
+prevents IPsec from proposing compression;
+a proposal to compress will still be accepted.
+.TP
+.B dpdaction
+controls the use of the Dead Peer Detection protocol (DPD, RFC 3706) where
+R_U_THERE notification messages (IKEv1) or empty INFORMATIONAL messages (IKEv2)
+are periodically sent in order to check the
+liveliness of the IPsec peer. The values
+.BR clear ,
+.BR hold ,
+and
+.B restart
+all activate DPD. If no activity is detected, all connections with a dead peer
+are stopped and unrouted
+.RB ( clear ),
+put in the hold state
+.RB ( hold )
+or restarted
+.RB ( restart ).
+For IKEv1, the default is
+.B none
+which disables the active sending of R_U_THERE notifications.
+Nevertheless pluto will always send the DPD Vendor ID during connection set up
+in order to signal the readiness to act passively as a responder if the peer
+wants to use DPD. For IKEv2,
+.B none
+does't make sense, since all messages are used to detect dead peers. If specified,
+it has the same meaning as the default
+.RB ( clear ).
+.TP
+.B dpddelay
+defines the period time interval with which R_U_THERE messages/INFORMATIONAL
+exchanges are sent to the peer. These are only sent if no other traffic is
+received. In IKEv2, a value of 0 sends no additional INFORMATIONAL
+messages and uses only standard messages (such as those to rekey) to detect
+dead peers.
+.TP
+.B dpdtimeout
+defines the timeout interval, after which all connections to a peer are deleted
+in case of inactivity. This only applies to IKEv1, in IKEv2 the default
+retransmission timeout applies, as every exchange is used to detect dead peers.
+.TP
+.B inactivity
+defines the timeout interval, after which a CHILD_SA is closed if it did
+not send or receive any traffic. Currently supported in IKEv2 connections only.
+.TP
+.B eap
+defines the EAP type to propose as server if the client requests EAP
+authentication. Currently supported values are
+.B aka
+for EAP-AKA,
+.B gtc
+for EAP-GTC,
+.B md5
+for EAP-MD5,
+.B mschapv2
+for EAP-MS-CHAPv2,
+.B radius
+for the EAP-RADIUS proxy and
+.B sim
+for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
+definition in the form
+.B eap=type-vendor
+(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
+This parameter is deprecated in the favour of
+.B leftauth.
+
+To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
+set
+.BR eap=radius .
+.TP
+.B eap_identity
+defines the identity the client uses to reply to a EAP Identity request.
+If defined on the EAP server, the defined identity will be used as peer
+identity during EAP authentication. The special value
+.B %identity
+uses the EAP Identity method to ask the client for an EAP identity. If not
+defined, the IKEv2 identity will be used as EAP identity.
+.TP
+.B esp
+comma-separated list of ESP encryption/authentication algorithms to be used
+for the connection, e.g.
+.BR 3des-md5 .
+The notation is
+.BR encryption-integrity-[dh-group] .
+.br
+If
+.B dh-group
+is specified, CHILD_SA setup and rekeying include a separate diffe hellman
+exchange (IKEv2 only).
+.TP
+.B forceencaps
+Force UDP encapsulation for ESP packets even if no NAT situation is detected.
+This may help to surmount restrictive firewalls. In order to force the peer to
+encapsulate packets, NAT detection payloads are faked (IKEv2 only).
+.TP
+.B ike
+comma-separated list of IKE/ISAKMP SA encryption/authentication algorithms
+to be used, e.g.
+.BR aes128-sha1-modp2048 .
+The notation is
+.BR encryption-integrity-dhgroup .
+In IKEv2, multiple algorithms and proposals may be included, such as
+.B aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024.
+.TP
+.B ikelifetime
+how long the keying channel of a connection (ISAKMP or IKE SA)
+should last before being renegotiated.
+.TP
+.B installpolicy
+decides whether IPsec policies are installed in the kernel by the IKEv2
+charon daemon for a given connection. Allows peaceful cooperation e.g. with
+the Mobile IPv6 daemon mip6d who wants to control the kernel policies.
+Acceptable values are
+.B yes
+(the default) and
+.BR no .
+.TP
+.B keyexchange
+method of key exchange;
+which protocol should be used to initialize the connection. Connections marked with
+.B ikev1
+are initiated with pluto, those marked with
+.B ikev2
+with charon. An incoming request from the remote peer is handled by the correct
+daemon, unaffected from the
+.B keyexchange
+setting. The default value
+.B ike
+currently is a synonym for
+.BR ikev1 .
+.TP
+.B keyingtries
+how many attempts (a whole number or \fB%forever\fP) should be made to
+negotiate a connection, or a replacement for one, before giving up
+(default
+.BR %forever ).
+The value \fB%forever\fP
+means 'never give up'.
+Relevant only locally, other end need not agree on it.
+.TP
+.B keylife
+synonym for
+.BR lifetime .
+.TP
+.B left
+(required)
+the IP address of the left participant's public-network interface
+or one of several magic values.
+If it is
+.BR %defaultroute ,
+.B left
+will be filled in automatically with the local address
+of the default-route interface (as determined at IPsec startup time and
+during configuration update).
+Either
+.B left
+or
+.B right
+may be
+.BR %defaultroute ,
+but not both.
+The prefix
+.B %
+in front of a fully-qualified domain name or an IP address will implicitly set
+.B leftallowany=yes.
+If the domain name cannot be resolved into an IP address at IPsec startup or
+update time then
+.B left=%any
+and
+.B leftallowany=no
+will be assumed.
+
+In case of an IKEv2 connection, the value
+.B %any
+for the local endpoint signifies an address to be filled in (by automatic
+keying) during negotiation. If the local peer initiates the connection setup
+the routing table will be queried to determine the correct local IP address.
+In case the local peer is responding to a connection setup then any IP address
+that is assigned to a local interface will be accepted.
+.br
+Note that specifying
+.B %any
+for the local endpoint is not supported by the IKEv1 pluto daemon.
+
+If
+.B %any
+is used for the remote endpoint it literally means any IP address.
+
+Please note that with the usage of wildcards multiple connection descriptions
+might match a given incoming connection attempt. The most specific description
+is used in that case.
+.TP
+.B leftallowany
+a modifier for
+.B left
+, making it behave as
+.B %any
+although a concrete IP address has been assigned.
+Recommended for dynamic IP addresses that can be resolved by DynDNS at IPsec
+startup or update time.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B leftauth
+Authentication method to use locally (left) or require from the remote (right)
+side.
+This parameter is supported in IKEv2 only. Acceptable values are
+.B pubkey
+for public key authentication (RSA/ECDSA),
+.B psk
+for pre-shared key authentication and
+.B eap
+to (require the) use of the Extensible Authentication Protocol. In the case
+of
+.B eap,
+an optional EAP method can be appended. Currently defined methods are
+.BR eap-aka ,
+.BR eap-gtc ,
+.BR eap-md5 ,
+.B eap-mschapv2
+and
+.BR eap-sim .
+Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
+EAP methods are defined in the form
+.B eap-type-vendor
+.RB "(e.g. " eap-7-12345 ).
+.TP
+.B leftauth2
+Same as
+.BR leftauth ,
+but defines an additional authentication exchange. IKEv2 supports multiple
+authentication rounds using "Multiple Authentication Exchanges" defined
+in RFC4739. This allows, for example, separated authentication
+of host and user (IKEv2 only).
+.TP
+.B leftca
+the distinguished name of a certificate authority which is required to
+lie in the trust path going from the left participant's certificate up
+to the root certification authority.
+.TP
+.B leftca2
+Same as
+.B leftca,
+but for the second authentication round (IKEv2 only).
+.TP
+.B leftcert
+the path to the left participant's X.509 certificate. The file can be encoded
+either in PEM or DER format. OpenPGP certificates are supported as well.
+Both absolute paths or paths relative to \fI/etc/ipsec.d/certs\fP
+are accepted. By default
+.B leftcert
+sets
+.B leftid
+to the distinguished name of the certificate's subject and
+.B leftca
+to the distinguished name of the certificate's issuer.
+The left participant's ID can be overriden by specifying a
+.B leftid
+value which must be certified by the certificate, though.
+.TP
+.B leftcert2
+Same as
+.B leftcert,
+but for the second authentication round (IKEv2 only).
+.TP
+.B leftfirewall
+whether the left participant is doing forwarding-firewalling
+(including masquerading) using iptables for traffic from \fIleftsubnet\fR,
+which should be turned off (for traffic to the other subnet)
+once the connection is established;
+acceptable values are
+.B yes
+and
+.B no
+(the default).
+May not be used in the same connection description with
+.BR leftupdown .
+Implemented as a parameter to the default \fBipsec _updown\fR script.
+See notes below.
+Relevant only locally, other end need not agree on it.
+
+If one or both security gateways are doing forwarding firewalling
+(possibly including masquerading),
+and this is specified using the firewall parameters,
+tunnels established with IPsec are exempted from it
+so that packets can flow unchanged through the tunnels.
+(This means that all subnets connected in this manner must have
+distinct, non-overlapping subnet address blocks.)
+This is done by the default \fBipsec _updown\fR script (see
+.IR pluto (8)).
+
+In situations calling for more control,
+it may be preferable for the user to supply his own
+.I updown
+script,
+which makes the appropriate adjustments for his system.
+.TP
+.B leftgroups
+a comma separated list of group names. If the
+.B leftgroups
+parameter is present then the peer must be a member of at least one
+of the groups defined by the parameter. Group membership must be certified
+by a valid attribute certificate stored in \fI/etc/ipsec.d/acerts/\fP thas has
+been issued to the peer by a trusted Authorization Authority stored in
+\fI/etc/ipsec.d/aacerts/\fP.
+.br
+Attribute certificates are not supported in IKEv2 yet.
+.TP
+.B lefthostaccess
+inserts a pair of INPUT and OUTPUT iptables rules using the default
+\fBipsec _updown\fR script, thus allowing access to the host itself
+in the case where the host's internal interface is part of the
+negotiated client subnet.
+Acceptable values are
+.B yes
+and
+.B no
+(the default).
+.TP
+.B leftid
+how the left participant should be identified for authentication;
+defaults to
+.BR left .
+Can be an IP address or a fully-qualified domain name preceded by
+.B @
+(which is used as a literal string and not resolved).
+.TP
+.B leftid2
+identity to use for a second authentication for the left participant
+(IKEv2 only); defaults to
+.BR leftid .
+.TP
+.B leftikeport
+UDP port the left participant uses for IKE communication. Currently supported in
+IKEv2 connections only. If unspecified, port 500 is used with the port floating
+to 4500 if a NAT is detected or MOBIKE is enabled. Specifying a local IKE port
+different from the default additionally requires a socket implementation that
+listens to this port.
+.TP
+.B leftnexthop
+this parameter is usually not needed any more because the NETKEY IPsec stack
+does not require explicit routing entries for the traffic to be tunneled. If
+.B leftsourceip
+is used with IKEv1 then
+.B leftnexthop
+must still be set in order for the source routes to work properly.
+.TP
+.B leftprotoport
+restrict the traffic selector to a single protocol and/or port.
+Examples:
+.B leftprotoport=tcp/http
+or
+.B leftprotoport=6/80
+or
+.B leftprotoport=udp
+.TP
+.B leftrsasigkey
+the left participant's
+public key for RSA signature authentication,
+in RFC 2537 format using
+.IR ttodata (3)
+encoding.
+The magic value
+.B %none
+means the same as not specifying a value (useful to override a default).
+The value
+.B %cert
+(the default)
+means that the key is extracted from a certificate.
+The identity used for the left participant
+must be a specific host, not
+.B %any
+or another magic value.
+.B Caution:
+if two connection descriptions
+specify different public keys for the same
+.BR leftid ,
+confusion and madness will ensue.
+.TP
+.B leftsendcert
+Accepted values are
+.B never
+or
+.BR no ,
+.B always
+or
+.BR yes ,
+and
+.BR ifasked ,
+the latter meaning that the peer must send a certificate request payload in
+order to get a certificate in return.
+.TP
+.B leftsourceip
+The internal source IP to use in a tunnel, also known as virtual IP. If the
+value is one of the synonyms
+.BR %modeconfig ,
+.BR %modecfg ,
+.BR %config ,
+or
+.BR %cfg ,
+an address is requested from the peer. In IKEv2, a statically defined address
+is also requested, since the server may change it.
+.TP
+.B rightsourceip
+The internal source IP to use in a tunnel for the remote peer. If the
+value is
+.B %config
+on the responder side, the initiator must propose an address which is then
+echoed back. Also supported are address pools expressed as
+\fInetwork\fB/\fInetmask\fR
+or the use of an external IP address pool using %\fIpoolname\fR,
+where \fIpoolname\fR is the name of the IP address pool used for the lookup.
+.TP
+.B leftsubnet
+private subnet behind the left participant, expressed as
+\fInetwork\fB/\fInetmask\fR;
+if omitted, essentially assumed to be \fIleft\fB/32\fR,
+signifying that the left end of the connection goes to the left participant
+only. When using IKEv2, the configured subnet of the peers may differ, the
+protocol narrows it to the greatest common subnet. Further, IKEv2 supports
+multiple subnets separated by commas. IKEv1 only interprets the first subnet
+of such a definition.
+.TP
+.B leftsubnetwithin
+the peer can propose any subnet or single IP address that fits within the
+range defined by
+.BR leftsubnetwithin.
+Not relevant for IKEv2, as subnets are narrowed.
+.TP
+.B leftupdown
+what ``updown'' script to run to adjust routing and/or firewalling
+when the status of the connection
+changes (default
+.BR "ipsec _updown" ).
+May include positional parameters separated by white space
+(although this requires enclosing the whole string in quotes);
+including shell metacharacters is unwise.
+See
+.IR pluto (8)
+for details.
+Relevant only locally, other end need not agree on it. IKEv2 uses the updown
+script to insert firewall rules only, since routing has been implemented
+directly into charon.
+.TP
+.B lifebytes
+the number of bytes transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifepackets
+the number of packets transmitted over an IPsec SA before it expires (IKEv2
+only).
+.TP
+.B lifetime
+how long a particular instance of a connection
+(a set of encryption/authentication keys for user packets) should last,
+from successful negotiation to expiry;
+acceptable values are an integer optionally followed by
+.BR s
+(a time in seconds)
+or a decimal number followed by
+.BR m ,
+.BR h ,
+or
+.B d
+(a time
+in minutes, hours, or days respectively)
+(default
+.BR 1h ,
+maximum
+.BR 24h ).
+Normally, the connection is renegotiated (via the keying channel)
+before it expires (see
+.BR margintime ).
+The two ends need not exactly agree on
+.BR lifetime ,
+although if they do not,
+there will be some clutter of superseded connections on the end
+which thinks the lifetime is longer.
+.TP +.B marginbytes +how many bytes before IPsec SA expiry (see +.BR lifebytes ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B marginpackets +how many packets before IPsec SA expiry (see +.BR lifepackets ) +should attempts to negotiate a replacement begin (IKEv2 only). +.TP +.B margintime +how long before connection expiry or keying-channel expiry +should attempts to +negotiate a replacement +begin; acceptable values as for +.B lifetime +(default +.BR 9m ). +Relevant only locally, other end need not agree on it. +.TP +.B mark +sets an XFRM mark of the form [/] in the inbound and outbound +IPsec SAs and policies (IKEv2 only). If the mask is missing then a default +mask of +.B 0xffffffff +is assumed. +.TP +.B mark_in +sets an XFRM mark of the form [/] in the inbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mark_out +sets an XFRM mark of the form [/] in the outbound IPsec SA and policy +(IKEv2 only). If the mask is missing then a default mask of +.B 0xffffffff +is assumed. +.TP +.B mobike +enables the IKEv2 MOBIKE protocol defined by RFC 4555. Accepted values are +.B yes +(the default) and +.BR no . +If set to +.BR no , +the IKEv2 charon daemon will not actively propose MOBIKE as initiator and +ignore the MOBIKE_SUPPORTED notify as responder. +.TP +.B modeconfig +defines which mode is used to assign a virtual IP. +Accepted values are +.B push +and +.B pull +(the default). +Currently relevant for IKEv1 only since IKEv2 always uses the configuration +payload in pull mode. Cisco VPN gateways usually operate in +.B push +mode. +.TP +.B pfs +whether Perfect Forward Secrecy of keys is desired on the connection's +keying channel +(with PFS, penetration of the key-exchange protocol +does not compromise keys negotiated earlier); +acceptable values are +.B yes +(the default) +and +.BR no. 
+IKEv2 always uses PFS for IKE_SA rekeying whereas for CHILD_SA rekeying +PFS is enforced by defining a Diffie-Hellman modp group in the +.B esp +parameter. +.TP +.B pfsgroup +defines a Diffie-Hellman group for perfect forward secrecy in IKEv1 Quick Mode +differing from the DH group used for IKEv1 Main Mode (IKEv1 only). +.TP +.B reauth +whether rekeying of an IKE_SA should also reauthenticate the peer. In IKEv1, +reauthentication is always done. In IKEv2, a value of +.B no +rekeys without uninstalling the IPsec SAs, a value of +.B yes +(the default) creates a new IKE_SA from scratch and tries to recreate +all IPsec SAs. +.TP +.B rekey +whether a connection should be renegotiated when it is about to expire; +acceptable values are +.B yes +(the default) +and +.BR no . +The two ends need not agree, but while a value of +.B no +prevents pluto/charon from requesting renegotiation, +it does not prevent responding to renegotiation requested from the other end, +so +.B no +will be largely ineffective unless both ends agree on it. +.TP +.B rekeyfuzz +maximum percentage by which +.BR marginbytes , +.B marginpackets +and +.B margintime +should be randomly increased to randomize rekeying intervals +(important for hosts with many connections); +acceptable values are an integer, +which may exceed 100, +followed by a `%' +(defaults to +.BR 100% ). +The value of +.BR marginTYPE , +after this random increase, +must not exceed +.B lifeTYPE +(where TYPE is one of +.IR bytes , +.I packets +or +.IR time ). +The value +.B 0% +will suppress randomization. +Relevant only locally, other end need not agree on it. +.TP +.B rekeymargin +synonym for +.BR margintime . +.TP +.B reqid +sets the reqid for a given connection to a pre-configured fixed value (IKEv2 only). 
+.TP +.B type +the type of the connection; currently the accepted values +are +.B tunnel +(the default) +signifying a host-to-host, host-to-subnet, or subnet-to-subnet tunnel; +.BR transport , +signifying host-to-host transport mode; +.BR transport_proxy , +signifying the special Mobile IPv6 transport proxy mode; +.BR passthrough , +signifying that no IPsec processing should be done at all; +.BR drop , +signifying that packets should be discarded; and +.BR reject , +signifying that packets should be discarded and a diagnostic ICMP returned. +The IKEv2 daemon charon currently supports +.BR tunnel , +.BR transport , +and +.BR tunnel_proxy +connection types, only. +.TP +.B xauth +specifies the role in the XAUTH protocol if activated by +.B authby=xauthpsk +or +.B authby=xauthrsasig. +Accepted values are +.B server +and +.B client +(the default). + +.SS "CONN PARAMETERS: IKEv2 MEDIATION EXTENSION" +The following parameters are relevant to IKEv2 Mediation Extension +operation only. +.TP 14 +.B mediation +whether this connection is a mediation connection, ie. whether this +connection is used to mediate other connections. Mediation connections +create no child SA. Acceptable values are +.B no +(the default) and +.BR yes . +.TP +.B mediated_by +the name of the connection to mediate this connection through. If given, +the connection will be mediated through the named mediation connection. +The mediation connection must set +.BR mediation=yes . +.TP +.B me_peerid +ID as which the peer is known to the mediation server, ie. which the other +end of this connection uses as its +.B leftid +on its connection to the mediation server. This is the ID we request the +mediation server to mediate us with. If +.B me_peerid +is not given, the +.B rightid +of this connection will be used as peer ID. + +.SH "CA SECTIONS" +This are optional sections that can be used to assign special +parameters to a Certification Authority (CA). 
+.TP 10 +.B auto +currently can have either the value +.B ignore +or +.B add +. +.TP +.B cacert +defines a path to the CA certificate either relative to +\fI/etc/ipsec.d/cacerts\fP or as an absolute path. +.TP +.B crluri +defines a CRL distribution point (ldap, http, or file URI) +.TP +.B crluri1 +synonym for +.B crluri. +.TP +.B crluri2 +defines an alternative CRL distribution point (ldap, http, or file URI) +.TP +.B ldaphost +defines an ldap host. Currently used by IKEv1 only. +.TP +.B ocspuri +defines an OCSP URI. +.TP +.B ocspuri1 +synonym for +.B ocspuri. +.TP +.B ocspuri2 +defines an alternative OCSP URI. Currently used by IKEv2 only. +.TP +.B certuribase +defines the base URI for the Hash and URL feature supported by IKEv2. +Instead of exchanging complete certificates, IKEv2 allows to send an URI +that resolves to the DER encoded certificate. The certificate URIs are built +by appending the SHA1 hash of the DER encoded certificates to this base URI. +.SH "CONFIG SECTIONS" +At present, the only +.B config +section known to the IPsec software is the one named +.BR setup , +which contains information used when the software is being started. +Here's an example: +.PP +.ne 8 +.nf +.ft B +.ta 1c +config setup + plutodebug=all + crlcheckinterval=10m + strictcrlpolicy=yes +.ft +.fi +.PP +Parameters are optional unless marked ``(required)''. +The currently-accepted +.I parameter +names in a +.B config +.B setup +section affecting both daemons are: +.TP 14 +.B cachecrls +certificate revocation lists (CRLs) fetched via http or ldap will be cached in +\fI/etc/ipsec.d/crls/\fR under a unique file name derived from the certification +authority's public key. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B charonstart +whether to start the IKEv2 Charon daemon or not. +Accepted values are +.B yes +or +.BR no . +The default is +.B yes +if starter was compiled with IKEv2 support. 
+.TP +.B dumpdir +in what directory should things started by \fBipsec starter\fR +(notably the Pluto and Charon daemons) be allowed to dump core? +The empty value (the default) means they are not +allowed to. +This feature is currently not yet supported by \fBipsec starter\fR. +.TP +.B plutostart +whether to start the IKEv1 Pluto daemon or not. +Accepted values are +.B yes +or +.BR no . +The default is +.B yes +if starter was compiled with IKEv1 support. +.TP +.B strictcrlpolicy +defines if a fresh CRL must be available in order for the peer authentication based +on RSA signatures to succeed. +Accepted values are +.B yes +and +.B no +(the default). +IKEv2 additionally recognizes +.B ifuri +which reverts to +.B yes +if at least one CRL URI is defined and to +.B no +if no URI is known. +.TP +.B uniqueids +whether a particular participant ID should be kept unique, +with any new (automatically keyed) +connection using an ID from a different IP address +deemed to replace all old ones using that ID; +acceptable values are +.B yes +(the default) +and +.BR no . +Participant IDs normally \fIare\fR unique, +so a new (automatically-keyed) connection using the same ID is +almost invariably intended to replace an old one. +The IKEv2 daemon also accepts the value +.B replace +wich is identical to +.B yes +and the value +.B keep +to reject new IKE_SA setups and keep the duplicate established earlier. +.PP +The following +.B config section +parameters are used by the IKEv1 Pluto daemon only: +.TP +.B crlcheckinterval +interval in seconds. CRL fetching is enabled if the value is greater than zero. +Asynchronous, periodic checking for fresh CRLs is currently done by the +IKEv1 Pluto daemon only. +.TP +.B keep_alive +interval in seconds between NAT keep alive packets, the default being 20 seconds. +.TP +.B nat_traversal +activates NAT traversal by accepting source ISAKMP ports different from udp/500 and +being able of floating to udp/4500 if a NAT situation is detected. 
+Accepted values are +.B yes +and +.B no +(the default). +Used by IKEv1 only, NAT traversal always being active in IKEv2. +.TP +.B nocrsend +no certificate request payloads will be sent. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11initargs +non-standard argument string for PKCS#11 C_Initialize() function; +required by NSS softoken. +.TP +.B pkcs11module +defines the path to a dynamically loadable PKCS #11 library. +.TP +.B pkcs11keepstate +PKCS #11 login sessions will be kept during the whole lifetime of the keying +daemon. Useful with pin-pad smart card readers. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B pkcs11proxy +Pluto will act as a PKCS #11 proxy accessible via the whack interface. +Accepted values are +.B yes +and +.B no +(the default). +.TP +.B plutodebug +how much Pluto debugging output should be logged. +An empty value, +or the magic value +.BR none , +means no debugging output (the default). +The magic value +.B all +means full output. +Otherwise only the specified types of output +(a quoted list, names without the +.B \-\-debug\- +prefix, +separated by white space) are enabled; +for details on available debugging types, see +.IR pluto (8). +.TP +.B plutostderrlog +Pluto will not use syslog, but rather log to stderr, and redirect stderr +to the argument file. +.TP +.B postpluto +shell command to run after starting Pluto +(e.g., to remove a decrypted copy of the +.I ipsec.secrets +file). +It's run in a very simple way; +complexities like I/O redirection are best hidden within a script. +Any output is redirected for logging, +so running interactive commands is difficult unless they use +.I /dev/tty +or equivalent for their interaction. +Default is none. +.TP +.B prepluto +shell command to run before starting Pluto +(e.g., to decrypt an encrypted copy of the +.I ipsec.secrets +file). +It's run in a very simple way; +complexities like I/O redirection are best hidden within a script. 
+Any output is redirected for logging, +so running interactive commands is difficult unless they use +.I /dev/tty +or equivalent for their interaction. +Default is none. +.TP +.B virtual_private +defines private networks using a wildcard notation. +.PP +The following +.B config section +parameters are used by the IKEv2 Charon daemon only: +.TP +.B charondebug +how much Charon debugging output should be logged. +A comma separated list containing type level/pairs may +be specified, e.g: +.B dmn 3, ike 1, net -1. +Acceptable values for types are +.B dmn, mgr, ike, chd, job, cfg, knl, net, enc, lib +and the level is one of +.B -1, 0, 1, 2, 3, 4 +(for silent, audit, control, controlmore, raw, private). +.PP +The following +.B config section +parameters only make sense if the KLIPS IPsec stack +is used instead of the default NETKEY stack of the Linux 2.6 kernel: +.TP +.B fragicmp +whether a tunnel's need to fragment a packet should be reported +back with an ICMP message, +in an attempt to make the sender lower his PMTU estimate; +acceptable values are +.B yes +(the default) +and +.BR no . +.TP +.B hidetos +whether a tunnel packet's TOS field should be set to +.B 0 +rather than copied from the user packet inside; +acceptable values are +.B yes +(the default) +and +.BR no +.TP +.B interfaces +virtual and physical interfaces for IPsec to use: +a single +\fIvirtual\fB=\fIphysical\fR pair, a (quoted!) list of pairs separated +by white space, or +.BR %none . +One of the pairs may be written as +.BR %defaultroute , +which means: find the interface \fId\fR that the default route points to, +and then act as if the value was ``\fBipsec0=\fId\fR''. +.B %defaultroute +is the default; +.B %none +must be used to denote no interfaces. +.TP +.B overridemtu +value that the MTU of the ipsec\fIn\fR interface(s) should be set to, +overriding IPsec's (large) default. 
+.SH FILES +.nf +/etc/ipsec.conf +/etc/ipsec.d/aacerts +/etc/ipsec.d/acerts +/etc/ipsec.d/cacerts +/etc/ipsec.d/certs +/etc/ipsec.d/crls + +.SH SEE ALSO +ipsec(8), pluto(8), starter(8) +.SH HISTORY +Originally written for the FreeS/WAN project by Henry Spencer. +Updated and extended for the strongSwan project by +Tobias Brunner, Andreas Steffen and Martin Willi. +.SH BUGS +.PP +If conns are to be added before DNS is available, \fBleft=\fP\fIFQDN\fP +will fail. diff --git a/src/starter/keywords.c b/src/starter/keywords.c index df39f0dc7..1d7cae00b 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 121 +#define TOTAL_KEYWORDS 126 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 11 -#define MAX_HASH_VALUE 230 -/* maximum key range = 220, duplicates = 0 */ +#define MIN_HASH_VALUE 20 +#define MAX_HASH_VALUE 220 +/* maximum key range = 201, duplicates = 0 */ #ifdef __GNUC__ __inline 
@@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 26, - 75, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 2, 231, 25, 231, 40, - 61, 2, 114, 24, 3, 2, 231, 101, 2, 96, - 48, 35, 23, 231, 4, 10, 3, 69, 25, 231, - 2, 18, 16, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 231 + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 35, + 77, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 8, 221, 31, 221, 20, + 28, 5, 75, 26, 88, 5, 221, 97, 5, 50, + 39, 67, 29, 221, 7, 13, 6, 89, 15, 221, + 5, 24, 7, 221, 
221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221, 221, 221, 221, 221, + 221, 221, 221, 221, 221, 221 }; register int hval = len; @@ -128,7 +128,6 @@ static const struct kw_entry wordlist[] = {"right", KW_RIGHT}, {"lifetime", KW_KEYLIFE}, {"leftcert", KW_LEFTCERT,}, - {"reauth", KW_REAUTH}, {"leftfirewall", KW_LEFTFIREWALL}, {"leftsendcert", KW_LEFTSENDCERT}, {"rightikeport", KW_RIGHTIKEPORT}, 
@@ -137,142 +136,147 @@ static const struct kw_entry wordlist[] = {"leftgroups", KW_LEFTGROUPS}, {"rekey", KW_REKEY}, {"rightsubnet", KW_RIGHTSUBNET}, + {"crluri", KW_CRLURI}, {"rightsendcert", KW_RIGHTSENDCERT}, - {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"xauth", KW_XAUTH}, - {"leftallowany", KW_LEFTALLOWANY}, + {"reqid", KW_REQID}, + {"rightcert", KW_RIGHTCERT}, + {"certuribase", KW_CERTURIBASE}, {"esp", KW_ESP}, + {"leftallowany", KW_LEFTALLOWANY}, + {"rightid", KW_RIGHTID}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"leftnexthop", KW_LEFTNEXTHOP}, {"lifebytes", KW_LIFEBYTES}, {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"rightauth", KW_RIGHTAUTH}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, {"rightprotoport", KW_RIGHTPROTOPORT}, + {"rightgroups", KW_RIGHTGROUPS}, {"plutostart", KW_PLUTOSTART}, {"strictcrlpolicy", KW_STRICTCRLPOLICY}, {"lifepackets", KW_LIFEPACKETS}, - {"rightgroups", KW_RIGHTGROUPS}, {"rightsourceip", KW_RIGHTSOURCEIP}, {"eap", KW_EAP}, - {"crluri", KW_CRLURI}, - {"hidetos", KW_HIDETOS}, - {"rightcert", KW_RIGHTCERT}, - {"certuribase", KW_CERTURIBASE}, - {"leftca", KW_LEFTCA}, - {"leftnatip", KW_LEFTNATIP}, - {"rightallowany", KW_RIGHTALLOWANY}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, - {"also", KW_ALSO}, - {"packetdefault", KW_PACKETDEFAULT}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"leftsourceip", KW_LEFTSOURCEIP}, - {"rightid", KW_RIGHTID}, {"cacert", KW_CACERT}, {"rightca", KW_RIGHTCA}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftid", KW_LEFTID}, {"crluri1", KW_CRLURI}, - {"inactivity", KW_INACTIVITY}, + {"ldapbase", KW_LDAPBASE}, + {"leftca", KW_LEFTCA}, + {"leftnatip", KW_LEFTNATIP}, + {"rightallowany", KW_RIGHTALLOWANY}, {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"xauth_identity", KW_XAUTH_IDENTITY}, + {"inactivity", KW_INACTIVITY}, + {"packetdefault", KW_PACKETDEFAULT}, {"installpolicy", KW_INSTALLPOLICY}, - {"leftauth", KW_LEFTAUTH}, + 
{"plutostderrlog", KW_PLUTOSTDERRLOG}, {"leftupdown", KW_LEFTUPDOWN}, - {"leftsubnet", KW_LEFTSUBNET}, {"rightnatip", KW_RIGHTNATIP}, - {"ocspuri", KW_OCSPURI}, {"rightnexthop", KW_RIGHTNEXTHOP}, + {"cachecrls", KW_CACHECRLS}, + {"dpddelay", KW_DPDDELAY}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"mediated_by", KW_MEDIATED_BY}, + {"me_peerid", KW_ME_PEERID}, + {"plutodebug", KW_PLUTODEBUG}, + {"eap_identity", KW_EAP_IDENTITY}, {"leftcert2", KW_LEFTCERT2,}, {"rightid2", KW_RIGHTID2}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"compress", KW_COMPRESS}, - {"ldapbase", KW_LDAPBASE}, - {"auth", KW_AUTH}, - {"postpluto", KW_POSTPLUTO}, - {"charonstart", KW_CHARONSTART}, + {"rekeyfuzz", KW_REKEYFUZZ}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"rightfirewall", KW_RIGHTFIREWALL}, + {"ocspuri", KW_OCSPURI}, + {"also", KW_ALSO}, + {"mediation", KW_MEDIATION}, {"ike", KW_IKE}, + {"dpdaction", KW_DPDACTION}, + {"rekeymargin", KW_REKEYMARGIN}, + {"compress", KW_COMPRESS}, {"ldaphost", KW_LDAPHOST}, - {"leftca2", KW_LEFTCA2}, - {"dpddelay", KW_DPDDELAY}, - {"ocspuri1", KW_OCSPURI}, - {"rightauth2", KW_RIGHTAUTH2}, - {"eap_identity", KW_EAP_IDENTITY}, - {"leftikeport", KW_LEFTIKEPORT}, - {"plutodebug", KW_PLUTODEBUG}, - {"cachecrls", KW_CACHECRLS}, - {"charondebug", KW_CHARONDEBUG}, + {"leftsubnet", KW_LEFTSUBNET}, {"crluri2", KW_CRLURI2}, {"rightca2", KW_RIGHTCA2}, - {"mediated_by", KW_MEDIATED_BY}, + {"leftsourceip", KW_LEFTSOURCEIP}, {"rightcert2", KW_RIGHTCERT2}, - {"leftid", KW_LEFTID}, - {"auto", KW_AUTO}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"rightfirewall", KW_RIGHTFIREWALL}, - {"authby", KW_AUTHBY}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"uniqueids", KW_UNIQUEIDS}, - {"prepluto", KW_PREPLUTO}, - {"keep_alive", KW_KEEP_ALIVE}, + {"pfs", KW_PFS}, + {"leftid2", KW_LEFTID2}, + {"dpdtimeout", KW_DPDTIMEOUT}, + {"leftikeport", KW_LEFTIKEPORT}, + {"leftca2", KW_LEFTCA2}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"xauth", KW_XAUTH}, + {"rightauth2", KW_RIGHTAUTH2}, 
+ {"mark_in", KW_MARK_IN}, {"mobike", KW_MOBIKE}, - {"overridemtu", KW_OVERRIDEMTU}, + {"margintime", KW_REKEYMARGIN}, {"dumpdir", KW_DUMPDIR}, - {"dpdaction", KW_DPDACTION}, - {"rekeyfuzz", KW_REKEYFUZZ}, - {"leftid2", KW_LEFTID2}, - {"keyingtries", KW_KEYINGTRIES}, - {"pfs", KW_PFS}, - {"nocrsend", KW_NOCRSEND}, + {"ocspuri1", KW_OCSPURI}, {"keyexchange", KW_KEYEXCHANGE}, - {"leftauth2", KW_LEFTAUTH2}, - {"mediation", KW_MEDIATION}, - {"rekeymargin", KW_REKEYMARGIN}, - {"ocspuri2", KW_OCSPURI2}, - {"pkcs11module", KW_PKCS11MODULE}, - {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"me_peerid", KW_ME_PEERID}, - {"forceencaps", KW_FORCEENCAPS}, - {"pkcs11initargs", KW_PKCS11INITARGS}, - {"pkcs11proxy", KW_PKCS11PROXY}, - {"margintime", KW_REKEYMARGIN}, - {"interfaces", KW_INTERFACES}, {"fragicmp", KW_FRAGICMP}, + {"rightauth", KW_RIGHTAUTH}, + {"interfaces", KW_INTERFACES}, {"marginbytes", KW_MARGINBYTES}, {"marginpackets", KW_MARGINPACKETS}, - {"dpdtimeout", KW_DPDTIMEOUT}, + {"nocrsend", KW_NOCRSEND}, + {"keep_alive", KW_KEEP_ALIVE}, + {"rightupdown", KW_RIGHTUPDOWN}, + {"keyingtries", KW_KEYINGTRIES}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, + {"uniqueids", KW_UNIQUEIDS}, + {"mark_out", KW_MARK_OUT}, + {"charonstart", KW_CHARONSTART}, {"klipsdebug", KW_KLIPSDEBUG}, - {"modeconfig", KW_MODECONFIG}, - {"pfsgroup", KW_PFSGROUP}, + {"force_keepalive", KW_FORCE_KEEPALIVE}, + {"forceencaps", KW_FORCEENCAPS}, + {"authby", KW_AUTHBY}, + {"postpluto", KW_POSTPLUTO}, + {"pkcs11module", KW_PKCS11MODULE}, + {"ocspuri2", KW_OCSPURI2}, + {"hidetos", KW_HIDETOS}, + {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, + {"mark", KW_MARK}, + {"charondebug", KW_CHARONDEBUG}, + {"leftauth2", KW_LEFTAUTH2}, + {"overridemtu", KW_OVERRIDEMTU}, + {"pkcs11initargs", KW_PKCS11INITARGS}, {"keylife", KW_KEYLIFE}, - {"ikelifetime", KW_IKELIFETIME} + {"auto", KW_AUTO}, + {"ikelifetime", KW_IKELIFETIME}, + {"reauth", KW_REAUTH}, + {"leftauth", KW_LEFTAUTH}, + 
{"pkcs11proxy", KW_PKCS11PROXY}, + {"prepluto", KW_PREPLUTO}, + {"pfsgroup", KW_PFSGROUP}, + {"auth", KW_AUTH}, + {"modeconfig", KW_MODECONFIG} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, 0, -1, -1, 1, -1, 2, 3, 4, -1, - 5, 6, -1, 7, 8, -1, -1, 9, 10, 11, - 12, -1, 13, -1, 14, 15, 16, -1, 17, -1, - 18, 19, 20, 21, -1, 22, 23, -1, 24, 25, - 26, 27, 28, 29, 30, -1, -1, 31, 32, 33, - 34, 35, 36, 37, 38, -1, 39, 40, -1, 41, - -1, -1, -1, 42, 43, -1, 44, 45, 46, 47, - 48, 49, -1, 50, 51, 52, 53, 54, 55, 56, - 57, 58, 59, -1, -1, 60, -1, -1, 61, -1, - -1, 62, -1, -1, 63, 64, -1, -1, 65, 66, - -1, 67, 68, 69, -1, -1, 70, -1, 71, 72, - 73, -1, -1, -1, 74, -1, 75, -1, 76, 77, - 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, - 88, 89, 90, 91, 92, 93, -1, 94, 95, -1, - 96, -1, -1, -1, 97, -1, 98, 99, 100, -1, - -1, 101, 102, -1, 103, -1, -1, 104, 105, -1, - 106, -1, 107, -1, 108, -1, -1, -1, -1, 109, - -1, 110, -1, -1, 111, -1, -1, -1, -1, 112, - 113, -1, 114, 115, -1, -1, -1, -1, 116, -1, - 117, -1, -1, 118, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, 119, -1, -1, -1, - 120 + 0, -1, -1, 1, -1, -1, -1, -1, 2, 3, + -1, -1, 4, 5, -1, 6, 7, -1, -1, 8, + 9, 10, 11, 12, 13, 14, -1, 15, 16, -1, + 17, 18, 19, 20, -1, 21, 22, 23, -1, -1, + 24, 25, 26, 27, 28, 29, -1, 30, 31, 32, + 33, 34, 35, -1, 36, -1, -1, 37, 38, 39, + 40, 41, 42, 43, -1, 44, 45, 46, 47, -1, + 48, -1, 49, 50, 51, 52, 53, 54, 55, -1, + 56, 57, 58, 59, 60, 61, 62, 63, -1, 64, + 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, + 75, -1, 76, 77, 78, 79, -1, -1, 80, 81, + 82, -1, 83, 84, -1, 85, 86, 87, 88, 89, + 90, -1, 91, -1, 92, -1, 93, 94, 95, -1, + -1, 96, 97, -1, 98, 99, -1, -1, -1, -1, + -1, -1, 100, -1, 101, -1, 102, -1, -1, -1, + 103, 104, -1, -1, 105, -1, -1, 106, 107, 108, + 109, 110, 111, -1, 112, 113, -1, 114, 115, 116, + -1, 117, -1, 118, 119, 120, 121, -1, -1, -1, + 122, -1, -1, -1, -1, -1, -1, -1, 123, -1, + -1, -1, 124, -1, -1, -1, -1, 
-1, -1, -1, + 125 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 6c3907a6a..25d2ce4b9 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -93,12 +93,17 @@ typedef enum { KW_INACTIVITY, KW_MODECONFIG, KW_XAUTH, + KW_XAUTH_IDENTITY, KW_MEDIATION, KW_MEDIATED_BY, KW_ME_PEERID, + KW_REQID, + KW_MARK, + KW_MARK_IN, + KW_MARK_OUT, #define KW_CONN_FIRST KW_CONN_SETUP -#define KW_CONN_LAST KW_ME_PEERID +#define KW_CONN_LAST KW_MARK_OUT /* ca section keywords */ KW_CA_NAME, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 12037a685..fcdc60cff 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -84,9 +84,14 @@ dpdaction, KW_DPDACTION inactivity, KW_INACTIVITY modeconfig, KW_MODECONFIG xauth, KW_XAUTH +xauth_identity, KW_XAUTH_IDENTITY mediation, KW_MEDIATION mediated_by, KW_MEDIATED_BY me_peerid, KW_ME_PEERID +reqid, KW_REQID +mark, KW_MARK +mark_in, KW_MARK_IN +mark_out, KW_MARK_OUT cacert, KW_CACERT ldaphost, KW_LDAPHOST ldapbase, KW_LDAPBASE diff --git a/src/starter/starter.c b/src/starter/starter.c index 50ef9c07b..c3ba54f1d 100644 --- a/src/starter/starter.c +++ b/src/starter/starter.c @@ -241,6 +241,7 @@ int main (int argc, char **argv) time_t last_reload; bool no_fork = FALSE; bool attach_gdb = FALSE; + bool load_warning = FALSE; /* global variables defined in log.h */ log_to_stderr = TRUE; 
@@ -300,6 +301,21 @@ int main (int argc, char **argv) plog("Starting strongSwan "VERSION" IPsec [starter]..."); +#ifdef LOAD_WARNING + load_warning = TRUE; +#endif + + if (lib->settings->get_bool(lib->settings, "starter.load_warning", load_warning)) + { + if (lib->settings->get_str(lib->settings, "charon.load", NULL) || + lib->settings->get_str(lib->settings, "pluto.load", NULL)) + { + plog("!! Your strongswan.conf contains manual plugin load options for"); + plog("!! pluto and/or charon. This is recommended for experts only, see"); + plog("!! http://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad"); + } + } + /* verify that we can start */ if (getuid() != 0) { diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index d877661ec..9c69ab9e5 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -269,6 +269,11 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.ikeme.mediation = conn->me_mediation; msg.add_conn.ikeme.mediated_by = push_string(&msg, conn->me_mediated_by); msg.add_conn.ikeme.peerid = push_string(&msg, conn->me_peerid); + msg.add_conn.reqid = conn->reqid; + msg.add_conn.mark_in.value = conn->mark_in.value; + msg.add_conn.mark_in.mask = conn->mark_in.mask; + msg.add_conn.mark_out.value = conn->mark_out.value; + msg.add_conn.mark_out.mask = conn->mark_out.mask; starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); diff --git a/src/starter/starterwhack.c b/src/starter/starterwhack.c index 527142a4e..58034d96b 100644 --- a/src/starter/starterwhack.c +++ b/src/starter/starterwhack.c 
@@ -93,6 +93,7 @@ static int send_whack_msg (whack_message_t *msg) || !pack_str(&msg->sc_data, &str_next, &str_roof) || !pack_str(&msg->whack_lease_ip, &str_next, &str_roof) || !pack_str(&msg->whack_lease_id, &str_next, &str_roof) + || !pack_str(&msg->xauth_identity, &str_next, &str_roof) || (str_roof - str_next < msg->keyval.len)) { plog("send_wack_msg(): can't pack strings"); @@ -285,6 +286,12 @@ int starter_whack_add_conn(starter_conn_t *conn) msg.sa_rekey_fuzz = conn->sa_rekey_fuzz; msg.sa_keying_tries = conn->sa_keying_tries; msg.policy = conn->policy; + msg.xauth_identity = conn->xauth_identity; + msg.reqid = conn->reqid; + msg.mark_in.value = conn->mark_in.value; + msg.mark_in.mask = conn->mark_in.mask; + msg.mark_out.value = conn->mark_out.value; + msg.mark_out.mask = conn->mark_out.mask; /* * Make sure the IKEv2-only policy bits are unset for IKEv1 connections diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in index 4353928b5..c7f264730 100644 --- a/src/stroke/Makefile.in +++ b/src/stroke/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index ffc67039e..a36cc9038 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -227,6 +227,7 @@ struct stroke_msg_t { time_t inactivity; int proxy_mode; int install_policy; + u_int32_t reqid; crl_policy_t crl_policy; int unique; @@ -255,6 +256,10 @@ struct stroke_msg_t { char *mediated_by; char *peerid; } ikeme; + struct { + u_int32_t value; + u_int32_t mask; + } mark_in, mark_out; stroke_end_t me, other; } add_conn; diff --git a/src/strongswan.conf b/src/strongswan.conf index 0ec4ae9ef..0d82dedfa 100644 --- a/src/strongswan.conf +++ b/src/strongswan.conf 
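Review bot: In src/stroke/stroke_msg.h the new `reqid` and `mark_in`/`mark_out` members are inserted in the middle of `add_conn`, shifting the offset of every member that follows (`crl_policy`, `unique`, `ikeme`, `me`, `other`), and unlike the whack side, where this diff bumps `WHACK_MAGIC` from 26 to 30, no version marker for the stroke socket message is touched in these hunks. A `stroke`/starter binary built against the old header talking to a new charon (or the reverse) would therefore be misparsed rather than rejected; if `stroke_msg_t` carries a length or version field that charon validates, it lies outside the hunk. A comment on the added members such as `/* wire layout of stroke_msg_t changed: rebuild starter, stroke and charon together */` would record the constraint. `struct stroke_msg_t` starts outside both hunks.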
@@ -4,30 +4,27 @@ charon { # number of worker threads in charon threads = 16 - - # plugins to load in charon - # load = aes des sha1 md5 sha2 hmac gmp random pubkey xcbc x509 stroke - + + # send strongswan vendor ID? + # send_vendor_id = yes + plugins { sql { # loglevel to log into sql database loglevel = -1 - + # URI to the database # database = sqlite:///path/to/file.db # database = mysql://user:password@localhost/database } } - + # ... } pluto { - # plugins to load in pluto - # load = aes des sha1 md5 sha2 hmac gmp random pubkey - } libstrongswan { diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 098e5110e..d163f2b58 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/src/whack/whack.c b/src/whack/whack.c index 5f986108b..643e4be04 100644 --- a/src/whack/whack.c +++ b/src/whack/whack.c @@ -1804,6 +1804,7 @@ int main(int argc, char **argv) || !pack_str(&msg.sc_data) /* string 26 */ || !pack_str(&msg.whack_lease_ip) /* string 27 */ || !pack_str(&msg.whack_lease_id) /* string 28 */ + || !pack_str(&msg.xauth_identity) /* string 29 */ || str_roof - next_str < (ptrdiff_t)msg.keyval.len) diag("too many bytes of strings to fit in message to pluto"); diff --git a/src/whack/whack.h b/src/whack/whack.h index b495d3489..f8e6a9a88 100644 --- a/src/whack/whack.h +++ b/src/whack/whack.h @@ -48,7 +48,7 @@ typedef enum { */ #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24) -#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26) +#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 30) typedef struct whack_end whack_end_t; 
@@ -129,6 +129,14 @@ struct whack_message { time_t dpd_timeout; dpd_action_t dpd_action; + + /* Assign optional fixed reqid and xfrm marks to IPsec SA */ + u_int32_t reqid; + struct { + u_int32_t value; + u_int32_t mask; + } mark_in, mark_out; + /* note that each end contains string 2/5.id, string 3/6 cert, * and string 4/7 updown */ @@ -214,30 +222,40 @@ struct whack_message { int inbase, outbase; char *sc_data; + /* XAUTH user identity */ + char *xauth_identity; + /* space for strings (hope there is enough room): * Note that pointers don't travel on wire. - * 1 connection name [name_len] - * 2 left's name [left.host.name.len] + * 1 connection name + * 2 left's id * 3 left's cert * 4 left's ca * 5 left's groups * 6 left's updown - * 7 right's name [left.host.name.len] - * 8 right's cert - * 9 right's ca - * 10 right's groups - * 11 right's updown - * 12 keyid - * 13 myid - * 14 cacert - * 15 ldaphost - * 16 ldapbase - * 17 crluri - * 18 crluri2 - * 19 ocspuri - * 20 ike - " 21 esp - * 22 rsa_data + * 7 left's source ip + * 8 left's virtual ip ranges + * 9 right's id + * 10 right's cert + * 11 right's ca + * 12 right's groups + * 13 right's updown + * 14 right's source ip + * 15 right's virtual ip ranges + * 16 keyid + * 17 myid + * 18 cacert + * 19 ldaphost + * 20 ldapbase + * 21 crluri + * 22 crluri2 + * 23 ocspuri + * 24 ike + * 25 esp + * 26 smartcard data + * 27 whack leases ip argument + * 28 whack leases id argument + * 29 xauth identity * plus keyval (limit: 8K bits + overhead), a chunk. */ size_t str_size; diff --git a/testing/INSTALL b/testing/INSTALL index 68e13d84a..27db50013 100644 --- a/testing/INSTALL +++ b/testing/INSTALL 
@@ -53,14 +53,15 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.31.5.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.33.3.tar.bz2 - * The Linux kernel 2.6.31 does not require any patches for the uml guest kernel - to successfully start up. + * The Linux kernel 2.6.33.3 does not require any patches for the uml guest kernel + to successfully start up but the aes_gmac patch must be applied for + ESP AES-GMAC support. * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.31 + http://download.strongswan.org/uml/.config-2.6.33 * A gentoo-based UML file system (compressed size 130 MBytes) found at @@ -68,7 +69,7 @@ are required for the strongSwan testing environment: * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.3.6.tar.bz2 + http://download.strongswan.org/strongswan-4.4.1.tar.bz2 3. Creating the environment diff --git a/testing/Makefile.in b/testing/Makefile.in index c60f9b2ea..010f4c81b 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -1,4 +1,4 @@ -# Makefile.in generated by automake 1.11 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index 0e880826d..eb41533cb 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql +++ b/testing/hosts/default/etc/ipsec.d/tables.sql 
@@ -17,7 +17,7 @@ CREATE TABLE child_configs ( jitter INTEGER NOT NULL DEFAULT '180', updown TEXT DEFAULT NULL, hostaccess INTEGER NOT NULL DEFAULT '0', - mode INTEGER NOT NULL DEFAULT '1', + mode INTEGER NOT NULL DEFAULT '2', dpd_action INTEGER NOT NULL DEFAULT '0', close_action INTEGER NOT NULL DEFAULT '0', ipcomp INTEGER NOT NULL DEFAULT '0' @@ -183,12 +183,28 @@ CREATE TABLE leases ( released INTEGER NOT NULL ); +DROP TABLE IF EXISTS attribute_pools; +CREATE TABLE attribute_pools ( + id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + name TEXT NOT NULL +); + DROP TABLE IF EXISTS attributes; CREATE TABLE attributes ( id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT, + identity INTEGER NOT NULL DEFAULT 0, + pool INTEGER NOT NULL DEFAULT 0, type INTEGER NOT NULL, value BLOB NOT NULL ); +DROP INDEX IF EXISTS attributes_identity; +CREATE INDEX attributes_identity ON attributes ( + identity +); +DROP INDEX IF EXISTS attributes_pool; +CREATE INDEX attributes_pool ON attributes ( + pool +); DROP TABLE IF EXISTS ike_sas; CREATE TABLE ike_sas ( diff --git a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem b/testing/hosts/winnetou/etc/openssl/research/carolReq.pem deleted file mode 100644 index f2a6b5c22..000000000 --- a/testing/hosts/winnetou/etc/openssl/research/carolReq.pem +++ /dev/null 
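Review bot: The change of the `child_configs.mode` default from '1' to '2' is not explained in the hunk and the numeric meaning of the mode values is not visible here, so a one-line comment stating which IPsec mode `2` denotes and why the default moved would save the next reader a lookup in the daemon source. In the second hunk the new `attributes.identity` and `attributes.pool` columns default to 0 without a foreign key, so rows inserted by older tooling presumably land in a "not bound" state rather than failing; if that is intended, `-- 0 = not bound to a specific identity / pool` on those columns would make it explicit.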
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICnzCCAYcCAQAwWjELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9u -Z1N3YW4xETAPBgNVBAsTCFJlc2VhcmNoMR0wGwYDVQQDFBRjYXJvbEBzdHJvbmdz -d2FuLm9yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+oTiV7lCh1 -ID41edDUgUjRdZwEMPBAM1xDqoxJxIJpug8UIuuUL0TvQnZ4Z5fa/9QNNCkQ7FDh -8ZcR+TT8x0mOdYYA73mMQic0n4O57F+s/lESKvIoN+vIDR3rGJBv9rYztS4ODE+D -Jl9XK9TtId5u57jfXu/k3IYl5GeQ3f+ic2l2Ola70t70Op6cFDZIhOCjs2xWw2yq -GdPWODaN/Enw5fOLv/om+7HHB4KgPGv4p4ohWIUCo2XK597Ii+jB2MdOUlG83/1a -X7+M+IeYVwjIhzWjwRQfMz0AQha0HYN4cvrZ7stUluMxewsCROCBzcGQYTZxYU4F -jR8nhH4ApYMCAwEAAaAAMA0GCSqGSIb3DQEBBAUAA4IBAQA9OKM8HKu5Fp/HRsdS -3Z/tuLVjwijVq/OIge1PnoW7Ri2hnTpWeaWcU2wIexsxPJR6kYwqp9NfxM73uUUU -e/ROCU+kZxSuzfV3SMMI8bsjufuldxKUXs1B8Nit1Qkhhj1/4uN6FRzQ5E9vz0Yf -OuVVJxMIEgQRdBTcZ8Cuf23Mcq+sBa/2OXD/y6WTUNrXvjTjmGWv1LnryB6Ro8se -ndI7bIiMZ/sSOrhOWrii/655bpUSYIb0RCzOnbdNAevbn/bLMEpj0qiDSam88Y/6 -FIY5sDCsdlpHsI2vkIrvPo4PUE+yzBhezmrLbVoiHjVoZhr1h091777Bomg/oUxv -beEk ------END CERTIFICATE REQUEST----- diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt b/testing/hosts/winnetou/etc/openssl/research/index.txt index 98aa9e3e4..844e001c7 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt 
@@ -1,6 +1,7 @@ R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org -V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 140323203747Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +V 150702151839Z 07 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA diff --git a/testing/hosts/winnetou/etc/openssl/research/index.txt.old b/testing/hosts/winnetou/etc/openssl/research/index.txt.old index 2a68119f8..3ebf4b191 100644 --- a/testing/hosts/winnetou/etc/openssl/research/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/research/index.txt.old @@ -1,5 +1,6 @@ -R 100322070423Z 100407091025Z 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org -V 100615195710Z 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +R 100322070423Z 100407091025Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org +R 100615195710Z 100703145747Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 120323210330Z 03 unknown /C=CH/O=Linux strongSwan/OU=Research OCSP Signing Authority/CN=ocsp.research.strongswan.org V 140323203747Z 04 unknown /C=CH/O=Linux strongSwan/OU=Research no CDP/CN=carol@strongswan.org V 151103161503Z 05 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Duck Research CA +V 150406092057Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=carol@strongswan.org 
diff --git a/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem b/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem
new file mode 100644
index 000000000..8eaa6c6b7
--- /dev/null
+++ b/testing/hosts/winnetou/etc/openssl/research/newcerts/07.pem
@@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA + Validity + Not Before: Jul 3 15:18:39 2010 GMT + Not After : Jul 2 15:18:39 2015 GMT + Subject: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:c2:4e:4d:26:99:8c:37:b9:51:1f:a1:25:ba:1d: + 70:4e:34:58:1c:56:9b:ea:f4:16:20:fe:14:b7:36: + 73:48:47:fd:07:16:9b:55:df:aa:77:3d:a9:a3:cf: + 1a:8c:4e:d8:17:f0:5e:01:44:1d:f3:9d:43:31:c6: + ba:d8:61:b2:f7:4c:3e:49:96:3f:56:77:b8:3a:f0: + b1:ca:ab:98:bc:aa:e0:92:3c:ed:ec:52:7a:7d:60: + 82:60:95:12:26:f9:e5:3e:1f:37:1a:d3:20:62:5a: + a1:ee:89:9f:db:fd:67:01:b6:07:e5:2b:de:71:40: + ff:07:5c:91:27:6a:27:17:3a:5c:bf:43:29:c4:64: + dd:3c:59:b6:ff:52:b8:37:ed:13:d1:bb:f3:b3:ba: + 3c:94:b2:7f:25:18:86:57:73:d4:46:5e:e4:f4:ec: + 52:80:1b:04:9d:03:0d:72:71:df:9e:b6:90:3b:5f: + 41:dc:1e:cd:ab:74:2c:0c:8e:b1:56:9b:62:af:f4: + 1b:f7:c1:67:02:cb:7a:be:2a:18:5d:be:dc:2b:2f: + 3f:b8:cd:5e:78:51:61:e4:af:db:ee:22:da:60:23: + 81:b0:51:23:50:37:8a:aa:14:dc:da:b5:bc:f0:2a: + ce:b7:a4:38:8f:d1:57:d1:eb:7b:d2:f5:af:c5:f5: + 74:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + 5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28 + X509v3 Authority Key Identifier: + keyid:E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20 + DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA + serial:20 + + X509v3 CRL Distribution Points: + URI:http://crl.strongswan.org/research.crl + + Signature Algorithm: sha256WithRSAEncryption + 33:e2:05:f4:db:4e:41:f0:45:da:6d:e2:20:18:ff:0c:74:00: + a2:b0:9c:5e:b7:eb:ed:44:fa:6f:1d:1e:7d:47:85:35:3c:15: + 99:22:44:2b:11:49:17:71:aa:9c:e9:ac:c8:1a:ea:fe:e4:b1: + 
5d:bd:08:82:69:4d:c8:9a:0f:8f:12:db:35:8d:b2:24:36:bd: + f3:41:e1:47:a7:1b:8c:0a:54:6f:3b:e3:60:90:6a:40:b3:66: + 4f:fb:32:b1:ee:b6:4f:95:0d:c3:77:a0:67:2e:e2:01:44:08: + fc:eb:66:26:0f:4d:5b:fb:e0:f0:85:45:f7:77:ed:26:25:5e: + 63:74:28:5d:08:bf:38:2e:d8:33:70:24:d3:03:01:ae:ac:1e: + cf:bf:f0:7f:fb:05:bc:c7:c5:46:64:4f:bc:eb:4e:ec:b8:33: + 91:46:20:a9:65:40:1c:40:2e:9f:fc:37:f2:cd:e2:fc:f4:65: + b2:e0:6c:d5:3b:12:8d:7a:12:29:1b:10:04:94:b3:74:9c:9a: + 76:be:74:50:52:7d:ec:5f:d0:6f:68:aa:f1:ef:c6:35:8f:89: + 94:70:e9:9a:d2:e5:36:64:00:4d:43:99:da:8b:5b:04:cd:ab: + f1:68:69:e0:d6:b2:59:60:01:da:8c:03:67:cb:ee:2f:6d:b0: + 51:d9:55:89 +-----BEGIN CERTIFICATE----- +MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz +OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH +/QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq +4JI87exSen1ggmCVEib55T4fNxrTIGJaoe6Jn9v9ZwG2B+Ur3nFA/wdckSdqJxc6 +XL9DKcRk3TxZtv9SuDftE9G787O6PJSyfyUYhldz1EZe5PTsUoAbBJ0DDXJx3562 +kDtfQdwezat0LAyOsVabYq/0G/fBZwLLer4qGF2+3CsvP7jNXnhRYeSv2+4i2mAj +gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 +p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx +qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 +MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD +Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 
+EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo +aeDWsllgAdqMA2fL7i9tsFHZVYk= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/research/serial b/testing/hosts/winnetou/etc/openssl/research/serial index 2c7456e3e..adb9de8ee 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial +++ b/testing/hosts/winnetou/etc/openssl/research/serial @@ -1 +1 @@ -07 +08 diff --git a/testing/hosts/winnetou/etc/openssl/research/serial.old b/testing/hosts/winnetou/etc/openssl/research/serial.old index cd672a533..2c7456e3e 100644 --- a/testing/hosts/winnetou/etc/openssl/research/serial.old +++ b/testing/hosts/winnetou/etc/openssl/research/serial.old @@ -1 +1 @@ -06 +07 diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt b/testing/hosts/winnetou/etc/openssl/sales/index.txt index c4e05f253..314acd784 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt @@ -1,5 +1,6 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org -V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +R 100615195536Z 100703150410Z,superseded 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org V 140323211053Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org +V 150702152829Z 06 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA diff --git a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old index f377c3588..fd5485026 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/sales/index.txt.old 
@@ -1,4 +1,5 @@ R 100322071017Z 100407093948Z,superseded 01 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org -V 100615195536Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA +R 100615195536Z 100703150410Z 02 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 120323211811Z 03 unknown /C=CH/O=Linux strongSwan/OU=Sales OCSP Signing Authority/CN=ocsp.sales.strongswan.org V 140323211053Z 04 unknown /C=CH/O=Linux strongSwan/OU=Sales no CDP/CN=dave@strongswan.org +V 150406094241Z 05 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=dave@strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem b/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem new file mode 100644 index 000000000..3a40e2829 --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/sales/newcerts/06.pem 
@@ -0,0 +1,88 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA + Validity + Not Before: Jul 3 15:28:29 2010 GMT + Not After : Jul 2 15:28:29 2015 GMT + Subject: C=CH, O=Linux strongSwan, OU=Research, CN=Research CA + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + RSA Public Key: (2048 bit) + Modulus (2048 bit): + 00:b6:39:b2:3a:a6:e0:07:5b:58:a7:3f:4f:b2:5a: + 85:6a:72:f7:1b:5d:3d:b1:e7:80:13:7a:95:b9:e9: + 61:a1:df:af:19:c6:b2:f9:83:14:21:59:1c:27:7b: + 7a:04:6a:43:f0:2e:24:71:dc:12:fd:c3:51:d7:c9: + 59:60:32:a5:59:d4:bd:d9:5c:a7:9f:21:06:3a:71: + 7d:33:d7:3f:d2:03:07:1c:d0:69:0c:94:ce:c1:31: + 20:65:8e:55:46:36:7b:bc:49:e4:12:81:9d:75:64: + a2:4d:e1:b5:8e:07:af:51:9d:a8:d8:7e:dc:b1:26: + 6d:e8:09:06:78:13:45:24:71:e0:f2:89:e7:81:4e: + fd:be:fc:2d:4c:c1:fa:b3:31:af:3c:70:fe:59:c8: + f2:31:26:02:d2:a5:ba:04:3b:73:d6:ae:31:e1:42: + cf:e3:66:95:27:e7:4a:85:a1:1c:de:6a:9b:ed:22: + 34:ac:b4:0b:ed:b9:22:e1:3c:36:af:a2:de:3b:41: + 88:8f:01:c0:1a:87:63:7b:b6:22:e7:e5:52:1f:4d: + 73:d7:7f:47:ab:c6:b1:13:cc:1e:cd:f4:5f:51:da: + fe:6d:14:83:8f:78:fb:0c:2a:c1:f1:01:65:18:f3: + c4:c9:8c:17:fd:52:1b:82:35:13:74:c3:38:9d:ec: + ae:39 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: critical + CA:TRUE + X509v3 Key Usage: + Certificate Sign, CRL Sign + X509v3 Subject Key Identifier: + E7:75:F0:A0:F2:AD:20:CD:CD:60:23:CC:C7:C8:0F:29:F3:DD:54:20 + X509v3 Authority Key Identifier: + keyid:5F:9B:13:46:F9:20:72:C8:00:D5:88:B5:A7:4C:2E:97:EA:0B:93:28 + DirName:/C=CH/O=Linux strongSwan/CN=strongSwan Root CA + serial:21 + + X509v3 CRL Distribution Points: + URI:http://crl.strongswan.org/sales.crl + + Signature Algorithm: sha256WithRSAEncryption + b4:53:55:44:bc:6e:96:f7:36:bc:16:57:f6:88:13:a2:bd:32: + fb:57:d6:43:f3:31:46:d9:83:29:30:3a:6e:20:d6:37:c3:9a: + a6:cf:c3:6f:17:e9:86:44:49:0d:81:6c:6d:50:46:1d:d2:52: + 
94:a8:4f:9b:e9:94:f7:03:e0:e0:af:dc:e4:4a:00:2c:c6:87: + 1e:31:7a:67:7b:4e:96:0f:f1:d9:e9:b5:f9:3a:e9:c7:c5:08: + ff:88:b7:4b:78:84:fe:39:06:a9:60:55:97:dd:e5:90:0e:fe: + 88:11:43:ed:ac:ef:d3:9b:73:95:cf:ab:f4:a1:1a:f0:a8:9c: + 65:4e:3c:3b:aa:91:6a:cf:fc:84:88:31:d0:57:14:7a:a4:5b: + 25:b6:e1:ef:ca:ce:ae:e9:3c:c1:b5:f0:47:2d:ec:d0:38:81: + 15:d2:89:6c:74:53:7d:e5:85:63:5a:b0:fb:d2:2a:d2:a0:0b: + a7:5c:99:13:6a:8f:24:c7:42:81:72:d3:61:4b:80:a3:f5:a7: + 6d:78:4e:12:e4:4a:bf:5d:80:74:fa:7b:af:51:ec:44:bd:56: + 29:f7:0d:48:0f:b8:97:65:5d:c6:b1:fc:15:a6:ea:02:ee:82: + a1:dc:5d:51:85:ca:e5:4f:90:34:a0:3d:db:3a:9b:42:90:70: + 45:67:b9:a5 +-----BEGIN CERTIFICATE----- +MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV +BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL +MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT +CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB +BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf +rxnGsvmDFCFZHCd7egRqQ/AuJHHcEv3DUdfJWWAypVnUvdlcp58hBjpxfTPXP9ID +BxzQaQyUzsExIGWOVUY2e7xJ5BKBnXVkok3htY4Hr1GdqNh+3LEmbegJBngTRSRx +4PKJ54FO/b78LUzB+rMxrzxw/lnI8jEmAtKlugQ7c9auMeFCz+NmlSfnSoWhHN5q +m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha +/m0Ug494+wwqwfEBZRjzxMmMF/1SG4I1E3TDOJ3srjkCAwEAAaOB5TCB4jAPBgNV +HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM +x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx +CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB +ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B +bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 +hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk +WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy 
+02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF +yuVPkDSgPds6m0KQcEVnuaU= +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial b/testing/hosts/winnetou/etc/openssl/sales/serial index cd672a533..2c7456e3e 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial +++ b/testing/hosts/winnetou/etc/openssl/sales/serial @@ -1 +1 @@ -06 +07 diff --git a/testing/hosts/winnetou/etc/openssl/sales/serial.old b/testing/hosts/winnetou/etc/openssl/sales/serial.old index eeee65ec4..cd672a533 100644 --- a/testing/hosts/winnetou/etc/openssl/sales/serial.old +++ b/testing/hosts/winnetou/etc/openssl/sales/serial.old @@ -1 +1 @@ -05 +06 diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index 16dd843b9..8a083e2ec 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -241,6 +241,11 @@ then echo -n " --enable-farp" >> $INSTALLSHELL fi +if [ "$USE_ADDRBLOCK" = "yes" ] +then + echo -n " --enable-addrblock" >> $INSTALLSHELL +fi + echo "" >> $INSTALLSHELL echo "make" >> $INSTALLSHELL echo "make install" >> $INSTALLSHELL diff --git a/testing/testing.conf b/testing/testing.conf index c7852d28f..55716ebaa 100755 --- a/testing/testing.conf +++ b/testing/testing.conf @@ -31,7 +31,7 @@ KERNELCONFIG=$UMLTESTDIR/.config-2.6.33 UMLPATCH=$UMLTESTDIR/aes_gmac.patch.bz2 # Bzipped source of strongSwan -STRONGSWAN=$UMLTESTDIR/strongswan-4.4.0.tar.bz2 +STRONGSWAN=$UMLTESTDIR/strongswan-4.4.1.tar.bz2 # strongSwan compile options (use "yes" or "no") USE_LIBCURL="yes" @@ -56,6 +56,7 @@ USE_SOCKET_DEFAULT="yes" USE_SOCKET_DYNAMIC="yes" USE_DHCP="yes" USE_FARP="yes" +USE_ADDRBLOCK="yes" # Gentoo linux root filesystem ROOTFS=$UMLTESTDIR/gentoo-fs-20090615.tar.bz2 diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf index 48b36cec7..dafa85bd1 100644 
--- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf index 48b36cec7..dafa85bd1 100644 --- a/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl pem pkcs1 gcrypt x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl pem pkcs1 gcrypt x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf index 0113aa780..f0e57e827 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf index 6fcefc56a..208f1c36d 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf 
+++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf index 0113aa780..f0e57e827 100644 --- a/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/gcrypt-ikev2/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors pem pkcs1 gcrypt x509 hmac stroke kernel-netlink socket-default updown + load = curl test-vectors pem pkcs1 gcrypt x509 revocation hmac stroke kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf index 774042329..3545a5734 100644 --- a/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } libstrongswan { diff --git a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf index 1f442a7dd..d84d916a5 100644 --- a/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw-cert/hosts/moon/etc/strongswan.conf 
@@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw } pluto { diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf index 831790f1e..38db1e4fc 100644 --- a/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ike/rw_v1-net_v2/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 xcbc stroke kernel-netlink socket-raw + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random hmac x509 revocation xcbc stroke kernel-netlink socket-raw } pluto { diff --git a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ike/rw_v1-net_v2/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ike2/description.txt b/testing/tests/ike2/description.txt deleted file mode 100644 index 31d24cda6..000000000 --- a/testing/tests/ike2/description.txt +++ /dev/null 
@@ -1,6 +0,0 @@ -The router moon sets up a connection to gateway sun in order -to reach the subnet hidden behind sun. The gateway sun assigns a -virtual IP address to router moon. A special updown script on moon -specified by leftupdown=/etc/nat_updown dynamically inserts a source NAT rule -which maps the IP address of client alice to the virtual IP of moon. -This allows alice to access client bob via the established IPsec tunnel. diff --git a/testing/tests/ike2/evaltest.dat b/testing/tests/ike2/evaltest.dat deleted file mode 100644 index 75d5ffbd3..000000000 --- a/testing/tests/ike2/evaltest.dat +++ /dev/null @@ -1,8 +0,0 @@ -moon::ipsec statusall::net-net.*ESTABLISHED::YES -sun::ipsec statusall::net-net.*ESTABLISHED::YES -moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES -alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES -sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES -sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES -bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES -bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES diff --git a/testing/tests/ike2/hosts/bob/etc/hosts b/testing/tests/ike2/hosts/bob/etc/hosts deleted file mode 100644 index ee854da09..000000000 --- a/testing/tests/ike2/hosts/bob/etc/hosts +++ /dev/null 
@@ -1,70 +0,0 @@
-# /etc/hosts: This file describes a number of hostname-to-address
-# mappings for the TCP/IP subsystem. It is mostly
-# used at boot time, when no name servers are running.
-# On small systems, this file can be used instead of a
-# "named" name server. Just add the names, addresses
-# and any aliases to this file...
-#
-
-127.0.0.1 localhost
-
-192.168.0.254 uml0.strongswan.org uml0
-10.1.0.254 uml1.strongswan.org uml1
-10.2.0.254 uml1.strongswan.org uml2
-
-10.1.0.10 alice.strongswan.org alice
-10.1.0.20 venus.strongswan.org venus
-10.1.0.1 moon1.strongswan.org moon1
-192.168.0.1 moon.strongswan.org moon
-192.168.0.50 alice1.strongswan.org alice1
-192.168.0.100 carol.strongswan.org carol
-10.3.0.1 carol1.strongswan.org carol1
-192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
-192.168.0.200 dave.strongswan.org dave
-10.3.0.2 dave1.strongswan.org dave1
-192.168.0.2 sun.strongswan.org sun
-10.2.0.1 sun1.strongswan.org sun1
-10.2.0.10 bob.strongswan.org bob
-10.4.0.1 alice2.strongswan.org alice2
-
-# IPv6 versions of localhost and co
-::1 ip6-localhost ip6-loopback
-fe00::0 ip6-localnet
-ff00::0 ip6-mcastprefix
-ff02::1 ip6-allnodes
-ff02::2 ip6-allrouters
-ff02::3 ip6-allhosts
-
-# IPv6 solicited-node multicast addresses
-ff02::1:ff00:1 ip6-mcast-1
-ff02::1:ff00:2 ip6-mcast-2
-ff02::1:ff00:10 ip6-mcast-10
-ff02::1:ff00:15 ip6-mcast-15
-ff02::1:ff00:20 ip6-mcast-20
-
-# IPv6 site-local addresses
-fec0::5 ip6-alice1.strongswan.org ip6-alice1
-fec1::10 ip6-alice.strongswan.org ip6-alice
-fec1::20 ip6-venus.strongswan.org ip6-venus
-fec1::1 ip6-moon1.strongswan.org ip6-moon1
-fec0::1 ip6-moon.strongswan.org ip6-moon
-fec0::10 ip6-carol.strongswan.org ip6-carol
-fec3::1 ip6-carol1.strongswan.org ip6-carol1
-fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
-fec0::20 ip6-dave.strongswan.org ip6-dave
-fec3::2 ip6-dave1.strongswan.org ip6-dave1
-fec0::2 ip6-sun.strongswan.org ip6-sun
-fec2::1 
ip6-sun1.strongswan.org ip6-sun1
-fec2::10 ip6-bob.strongswan.org ip6-bob
-
-# IPv6 link-local HW derived addresses
-fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
-fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
-fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
-fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
-fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
-fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
-fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
-fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
-fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
-fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
diff --git a/testing/tests/ike2/hosts/moon/etc/ipsec.conf b/testing/tests/ike2/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index e43e0d785..000000000
--- a/testing/tests/ike2/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutostart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsourceip=%config
- leftupdown=/etc/nat_updown
- right=PH_IP_SUN
- rightid=@sun.strongswan.org
- rightsubnet=10.2.0.0/16
- auto=add
diff --git a/testing/tests/ike2/hosts/moon/etc/nat_updown b/testing/tests/ike2/hosts/moon/etc/nat_updown
deleted file mode 100755
index aab1df687..000000000
--- a/testing/tests/ike2/hosts/moon/etc/nat_updown
+++ /dev/null
@@ -1,152 +0,0 @@
-#! /bin/sh
-# NAT updown script
-#
-# Copyright (C) 2010 Andreas Steffen
-#
-# This program is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License as published by the
-# Free Software Foundation; either version 2 of the License, or (at your
-# option) any later version. See .
-#
-# This program is distributed in the hope that it will be useful, but
-# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
-# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
-# for more details.
-
-# things that this script gets (from ipsec_pluto(8) man page)
-#
-# PLUTO_VERSION
-# indicates what version of this interface is being
-# used. This document describes version 1.1. This
-# is upwardly compatible with version 1.0.
-#
-# PLUTO_VERB
-# specifies the name of the operation to be performed
-# (prepare-host, prepare-client, up-host, up-client,
-# down-host, or down-client). If the address family
-# for security gateway to security gateway communica-
-# tions is IPv6, then a suffix of -v6 is added to the
-# verb.
-#
-# PLUTO_CONNECTION
-# is the name of the connection for which we are
-# routing.
-#
-# PLUTO_NEXT_HOP
-# is the next hop to which packets bound for the peer
-# must be sent.
-#
-# PLUTO_INTERFACE
-# is the name of the ipsec interface to be used.
-#
-# PLUTO_REQID
-# is the requid of the ESP policy
-#
-# PLUTO_ME
-# is the IP address of our host.
-#
-# PLUTO_MY_ID
-# is the ID of our host.
-#
-# PLUTO_MY_CLIENT
-# is the IP address / count of our client subnet. If
-# the client is just the host, this will be the
-# host's own IP address / max (where max is 32 for
-# IPv4 and 128 for IPv6).
-#
-# PLUTO_MY_CLIENT_NET
-# is the IP address of our client net. If the client
-# is just the host, this will be the host's own IP
-# address.
-#
-# PLUTO_MY_CLIENT_MASK
-# is the mask for our client net. 
If the client is
-# just the host, this will be 255.255.255.255.
-#
-# PLUTO_MY_SOURCEIP
-# if non-empty, then the source address for the route will be
-# set to this IP address.
-#
-# PLUTO_MY_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_MY_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on our side.
-#
-# PLUTO_PEER
-# is the IP address of our peer.
-#
-# PLUTO_PEER_ID
-# is the ID of our peer.
-#
-# PLUTO_PEER_CA
-# is the CA which issued the cert of our peer.
-#
-# PLUTO_PEER_CLIENT
-# is the IP address / count of the peer's client sub-
-# net. If the client is just the peer, this will be
-# the peer's own IP address / max (where max is 32
-# for IPv4 and 128 for IPv6).
-#
-# PLUTO_PEER_CLIENT_NET
-# is the IP address of the peer's client net. If the
-# client is just the peer, this will be the peer's
-# own IP address.
-#
-# PLUTO_PEER_CLIENT_MASK
-# is the mask for the peer's client net. If the
-# client is just the peer, this will be
-# 255.255.255.255.
-#
-# PLUTO_PEER_PROTOCOL
-# is the IP protocol that will be transported.
-#
-# PLUTO_PEER_PORT
-# is the UDP/TCP port to which the IPsec SA is
-# restricted on the peer side.
-#
-
-# define a minimum PATH environment in case it is not set
-PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
-export PATH
-
-# resolve octal escape sequences
-PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
-PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
-
-case "$PLUTO_VERB:$1" in
-up-host:)
- # connection to me coming up
- # If you are doing a custom version, firewall commands go here.
- ;;
-down-host:)
- # connection to me going down
- # If you are doing a custom version, firewall commands go here.
- ;;
-up-client:)
- # connection to my client subnet coming up
- # If you are doing a custom version, firewall commands go here. 
- iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
- ;;
-down-client:)
- # connection to my client subnet going down
- # If you are doing a custom version, firewall commands go here.
- iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
- -s $PLUTO_PEER_CLIENT -j ACCEPT
- iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
- -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
- echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
- ;;
-*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
- exit 1
- ;;
-esac
diff --git a/testing/tests/ike2/hosts/moon/etc/strongswan.conf b/testing/tests/ike2/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 161934454..000000000
--- a/testing/tests/ike2/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown
- multiple_authentication = no
-}
diff --git a/testing/tests/ike2/hosts/sun/etc/ipsec.conf b/testing/tests/ike2/hosts/sun/etc/ipsec.conf
deleted file mode 100755
index 9cede8d56..000000000
--- a/testing/tests/ike2/hosts/sun/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- crlcheckinterval=180
- strictcrlpolicy=no
- plutostart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- mobike=no
-
-conn net-net
- left=PH_IP_SUN
- leftcert=sunCert.pem
- leftid=@sun.strongswan.org
- leftsubnet=10.2.0.0/16
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsourceip=10.4.0.0/24
- auto=add
diff --git a/testing/tests/ike2/hosts/sun/etc/strongswan.conf b/testing/tests/ike2/hosts/sun/etc/strongswan.conf
deleted file mode 100644
index 161934454..000000000
--- a/testing/tests/ike2/hosts/sun/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-raw updown
- multiple_authentication = no
-}
diff --git a/testing/tests/ike2/posttest.dat b/testing/tests/ike2/posttest.dat
deleted file mode 100644
index b121de27d..000000000
--- a/testing/tests/ike2/posttest.dat
+++ /dev/null
@@ -1,5 +0,0 @@
-moon::ipsec stop
-sun::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-sun::/etc/init.d/iptables stop 2> /dev/null
-moon::conntrack -F
diff --git a/testing/tests/ike2/pretest.dat b/testing/tests/ike2/pretest.dat
deleted file mode 100644
index abbca90d7..000000000
--- a/testing/tests/ike2/pretest.dat
+++ /dev/null
@@ -1,9 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-sun::/etc/init.d/iptables start 2> /dev/null
-moon::conntrack -F
-moon::echo 1 > /proc/sys/net/ipv4/ip_forward
-moon::ipsec start
-sun::ipsec start
-moon::sleep 1
-moon::ipsec up net-net
-moon::sleep 1
diff --git a/testing/tests/ike2/test.conf b/testing/tests/ike2/test.conf
deleted file mode 100644
index 1971a33ab..000000000
--- a/testing/tests/ike2/test.conf
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon winnetou sun bob"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-w-s-b.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="sun bob"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
index 14d576909..9c17ae903 100644
--- a/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-ccm/evaltest.dat
@@ -3,5 +3,7 @@ moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::ipsec statusall::AES_CCM_12_128::YES
carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
index e1fbe4653..da5d7c604 100644
--- a/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gcm/evaltest.dat
@@ -3,5 +3,7 @@ moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::ipsec statusall::AES_GCM_16_256::YES
carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
index 3ec271cf1..4678155ee 100644
--- a/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev1/esp-alg-aes-gmac/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*IPsec SA established::YES
carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
moon::ipsec statusall::ESP proposal: AES_GMAC_256::YES
carol::ipsec statusall::ESP proposal: AES_GMAC_256::YES
+carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
index 92ef9fc55..9a5c5c7ee 100644
--- a/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db-push/evaltest.dat
@@ -1,14 +1,11 @@
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status::home.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
dave::ip addr list dev eth0::PH_IP_DAVE1::YES
dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
}
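Review bot: The dave side of this ip-pool-db-push evaltest.dat hunk loses its three DNS/NBNS attribute checks without any replacement, while carol's three are replaced by the `/etc/resolv.conf` lines, so attribute delivery to the second client is no longer verified at all; the ip-pool-db evaltest.dat hunk further down has the same asymmetry. Mirroring carol's new lines for dave, e.g. `dave::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES`, would keep both clients covered. The added `carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES` pins an error message as the expected result, presumably because no plugin loaded on carol consumes NBNS attributes; since a later change that handles NBNS would then fail this test for the wrong reason, either drop the `--addattr nbns` line from pretest.dat or record the intent in the test's description.txt.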
diff --git a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db-push/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
}
diff --git a/testing/tests/ikev1/ip-pool-db-push/pretest.dat b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
index 332280acd..4a2add194 100644
--- a/testing/tests/ikev1/ip-pool-db-push/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db-push/pretest.dat
@@ -1,9 +1,9 @@
moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --add dns --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --add dns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev1/ip-pool-db/evaltest.dat b/testing/tests/ikev1/ip-pool-db/evaltest.dat
index 357e01b2d..566bab972 100644
--- a/testing/tests/ikev1/ip-pool-db/evaltest.dat
+++ b/testing/tests/ikev1/ip-pool-db/evaltest.dat
@@ -1,14 +1,11 @@
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-carol::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
+carol::cat /var/log/auth.log::handling INTERNAL_IP4_NBNS attribute failed::YES
carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
carol::ip addr list dev eth0::PH_IP_CAROL1::YES
carol::ip route list table 220::10.1.0.0/16.*src PH_IP_CAROL1::YES
carol::ipsec status::home.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-dave::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_VENUS::YES
-dave::cat /var/log/auth.log::received IPv4 NBNS server address PH_IP_VENUS::YES
dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
dave::ip addr list dev eth0::PH_IP_DAVE1::YES
dave::ip route list table 220::10.1.0.0/16.*src PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
}
diff --git a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
index d6460a291..c93224ae5 100644
--- a/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev1/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,11 @@
# /etc/strongswan.conf - strongSwan configuration file
pluto {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
}
diff --git a/testing/tests/ikev1/ip-pool-db/pretest.dat b/testing/tests/ikev1/ip-pool-db/pretest.dat
index 332280acd..190672652 100644
--- a/testing/tests/ikev1/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev1/ip-pool-db/pretest.dat
@@ -1,9 +1,10 @@
moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --add dns --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --add dns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --statusattr
moon::/etc/init.d/iptables start 2> /dev/null
carol::/etc/init.d/iptables start 2> /dev/null
dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
index 2f772cfdd..ce760a473 100755
--- a/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-multiple/hosts/moon/etc/ipsec.conf
@@ -20,30 +20,32 @@ conn %default
conn carol-alice
also=carol
leftsubnet=10.1.0.10/32
+ rightsourceip=10.3.0.1
auto=add
conn carol-venus
also=carol
leftsubnet=10.1.0.20/32
+ rightsourceip=%carol-alice
auto=add
conn carol
right=%any
rightid=carol@strongswan.org
- rightsourceip=10.3.0.1
conn dave-alice
also=dave
leftsubnet=10.1.0.10/32
+ rightsourceip=10.3.0.2
auto=add
conn dave-venus
also=dave
leftsubnet=10.1.0.20/32
+ rightsourceip=%dave-alice
auto=add
conn dave
right=%any
rightid=dave@strongswan.org
- rightsourceip=10.3.0.2
diff --git a/testing/tests/ikev1/mode-config-push/evaltest.dat b/testing/tests/ikev1/mode-config-push/evaltest.dat
index 7de32d681..3135a18fb 100644
--- a/testing/tests/ikev1/mode-config-push/evaltest.dat
+++ b/testing/tests/ikev1/mode-config-push/evaltest.dat
@@ -1,4 +1,6 @@
carol::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.1::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::cat /var/log/auth.log::setting virtual IP source address to 10.3.0.2::YES
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
index 36a4e2fb1..594f2c59b 100755
--- a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/ipsec.conf
@@ -10,6 +10,7 @@ conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
+ rekey=no
keyingtries=1
conn home
diff --git a/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
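Review bot: The new `rightsourceip=%carol-alice` in conn carol-venus (and `rightsourceip=%dave-alice` in conn dave-venus) is a by-name reference to the pool that conn carol-alice now defines with its own `rightsourceip=10.3.0.1`, presumably so that both connections hand the same client the same single virtual IP; nothing in the file says so, and the dependency is easy to break when one conn is edited or removed on its own. A one-line comment above each reference would make it explicit, e.g. `# reuse the one-address pool defined by conn carol-alice so carol keeps the same virtual IP on both conns`. Whether the referenced conn must be loaded before the referencing one is something I cannot tell from the hunk and is worth confirming against the pool lookup behaviour.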
+++ b/testing/tests/ikev1/mode-config-push/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-push/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..797025c4d
--- /dev/null
+++ b/testing/tests/ikev1/mode-config-push/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
+ dns1 = PH_IP_WINNETOU
+ dns2 = PH_IP_VENUS
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/evaltest.dat b/testing/tests/ikev1/mode-config/evaltest.dat
index 69f77946e..7355a0560 100644
--- a/testing/tests/ikev1/mode-config/evaltest.dat
+++ b/testing/tests/ikev1/mode-config/evaltest.dat
@@ -1,6 +1,6 @@
carol::cat /var/log/auth.log::setting virtual IP source address to PH_IP_CAROL1::YES
-carol::cat /var/log/auth.log::received IPv4 DNS server address PH_IP_WINNETOU::YES
-carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_WINNETOU .*from moon.strongswan.org::YES
+carol::cat /etc/resolv.conf::nameserver PH_IP_VENUS .*from moon.strongswan.org::YES
carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
dave::cat /var/log/auth.log::setting virtual IP source address to PH_IP_DAVE1::YES
diff --git a/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c93224ae5
--- /dev/null
+++ b/testing/tests/ikev1/mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl resolve
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
index 10ae2261b..ce26fc5e9 100755
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
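Review bot: The removed `carol::cat /var/log/auth.log::received IPv6 DNS server address fec1\:\:20::YES` was the only check in this evaltest.dat that exercised an IPv6 DNS attribute, and its replacement asserts an IPv4 nameserver for PH_IP_VENUS, which lines up with moon's `dns2` switching from `PH_IP6_VENUS` to `PH_IP_VENUS` in the mode-config strongswan.conf hunk that follows; after this commit the IPv6 DNS attribute path has no test left in the scenario. If that is deliberate (for instance because the resolve plugin only writes IPv4 entries), a sentence in the test's description.txt would record it; otherwise keeping one IPv6 server on moon and adding a matching `carol::cat /etc/resolv.conf::nameserver fec1\:\:20 .*from moon.strongswan.org::YES` line would preserve the coverage.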
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/ipsec.conf
@@ -11,6 +11,7 @@ conn %default
keylife=20m
rekeymargin=3m
keyingtries=1
+ rekey=no
left=PH_IP_MOON
leftsubnet=10.1.0.0/16
leftsourceip=PH_IP_MOON1
diff --git a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
index 21493adc3..797025c4d 100644
--- a/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/mode-config/hosts/moon/etc/strongswan.conf
@@ -3,7 +3,7 @@ pluto {
load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl attr
dns1 = PH_IP_WINNETOU
- dns2 = PH_IP6_VENUS
+ dns2 = PH_IP_VENUS
}
# pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
index efb939e3a..37ef9c665 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem
@@ -1,7 +1,7 @@
-----BEGIN CERTIFICATE-----
-MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ
+MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ
MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV
-BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL
+BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL
MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT
CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf
@@ -13,12 +13,12 @@ m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha
HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM
x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx
CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD
-ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
-L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB
-AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr
-Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup
-Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg
-pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL
-rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S
-uaJ2yDwEhOHn3ihb1bqlanM=
+ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov
+L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB
+ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B
+bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4
+hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk
+WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy
+02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF
+yuVPkDSgPds6m0KQcEVnuaU=
-----END CERTIFICATE-----
diff --git a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
index 90e207c4b..0a435b90d 100644
--- a/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
+++ b/testing/tests/ikev1/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem
@@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx -MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz +OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq @@ -13,12 +13,12 @@ gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD -ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO -clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB -b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI -koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf -Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA -/szZoxwnE2iHtIoMAhfHZpRvOkg= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx +qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 +MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD +Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 +EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo +aeDWsllgAdqMA2fL7i9tsFHZVYk= -----END CERTIFICATE----- 
diff --git a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index c2d2b14ac..72ff765c3 100644
--- a/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl
+ load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
 }
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 3ec745baa..72ff765c3 100644
--- a/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 pluto {
- load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 x509 gmp random curl
+ load = test-vectors sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
 }
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
new file mode 100644
index 000000000..191011747
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection to gateway moon.
+The authentication is based on Pre-Shared Keys (PSK)
+followed by extended authentication (XAUTH) of carol and dave
+based on user names and passwords. Next carol and dave request a
+virtual IP via the IKE Mode Config protocol by using the leftsourceip=%modeconfig
+parameter. The virtual IP addresses are registered under the users' XAUTH identity.
+
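Review bot: Both rw-cert strongswan.conf hunks (carol and moon) add the `xauth` plugin to pluto's load list, yet nothing in either hunk or in the rw-cert test name suggests these connections use XAUTH, and no comment says why the plugin is now needed. If pluto in this version requires the plugin unconditionally, a one-line comment above the load line, e.g. `# xauth plugin is loaded because pluto needs it even without XAUTH connections`, would keep the next maintainer from trimming it; if it is not required, it is dead weight in a test that presumably exercises plain certificate authentication. The moon hunk also collapses the duplicated `x509 x509` entry, which is a correct clean-up on its own.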

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
new file mode 100644
index 000000000..4552cfe61
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/evaltest.dat
@@ -0,0 +1,16 @@
+carol::cat /var/log/auth.log::extended authentication was successful::YES
+dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::ipsec leases rw 10.3.0.1::carol::YES
+moon::ipsec leases rw 10.3.0.2::dave::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
+alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
+alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
+alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..aa0ae1289
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.conf
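Review bot: The new xauth-id-psk-mode-config evaltest.dat verifies XAUTH success only from the clients' auth.log and never on the gateway, whereas the deleted xauth-psk-mode-config evaltest.dat carried `moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES` plus moon-side STATE_QUICK_R2 checks, and the sibling xauth-id-psk test added in this same commit checks `moon::cat /var/log/auth.log::xauth user name is .*carol::YES`. The lease lines only tie an address to a name, so a gateway-side regression in the XAUTH exchange would go unnoticed as long as the clients still log success and a lease is assigned. Adding `moon::cat /var/log/auth.log::xauth user name is .*carol::YES`, the dave equivalent, and `moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES` would restore that coverage. Note also that `moon::ipsec leases rw 10.3.0.1::carol::YES` presumably depends on carol connecting before dave, which pretest.dat arranges by running `carol::ipsec up home` first; a comment in evaltest.dat or pretest.dat stating that ordering dependency would help whoever next reorders the pretest steps.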
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthpsk
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftsourceip=%modeconfig
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ xauth_identity=carol
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..e5adf3e8e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,9 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq
+
+carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol@strongswan.org @sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5
+
+carol : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..0243f5afb
--- /dev/null
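Review bot: The carol ipsec.secrets hunk for xauth-id-psk-mode-config ships PSK entries for `@dave.strongswan.org` and `@sun.strongswan.org`, but carol's ipsec.conf in this test defines a single `conn home` towards moon, so two of the three PSK lines are never looked up and read like leftovers from another test fixture. Keeping only `carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL` and the `carol : XAUTH "4iChxLT3"` line would limit the fixture to what the test exercises. In the same test directory dave's ipsec.secrets resolves the identical key through a bare `: PSK ...` wildcard, so the two clients reach the shared PSK by different selector forms; if that is deliberate, a comment in one of the two files saying so would save the next reader from wondering whether it is an oversight.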
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthpsk
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftsourceip=%modeconfig
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ xauth_identity=dave
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..25e8c2796
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..4206f8916
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthpsk
+ xauth=server
+
+conn rw
+ left=PH_IP_MOON
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ rightsourceip=10.3.0.0/24
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..20d8e0269
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
new file mode 100644
index 000000000..42fa8359b
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+carol::ip addr del PH_IP_CAROL1/32 dev eth0
+dave::ip addr del PH_IP_DAVE1/32 dev eth0
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
new file mode 100644
index 000000000..95a6be131
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
new file mode 100644
index 000000000..75510b295
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk-mode-config/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="alice moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-psk/description.txt b/testing/tests/ikev1/xauth-id-psk/description.txt
new file mode 100644
index 000000000..0ac2043c2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors carol and dave set up a connection to gateway moon.
+The authentication is based on Pre-Shared Keys (PSK)
+followed by extended authentication (XAUTH) of carol and dave
+based on user names and passwords.
+

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-id-psk/evaltest.dat b/testing/tests/ikev1/xauth-id-psk/evaltest.dat
new file mode 100644
index 000000000..b019f8d76
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/auth.log::extended authentication was successful::YES
+dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::cat /var/log/auth.log::xauth user name is .*carol::YES
+moon::cat /var/log/auth.log::xauth user name is .*dave::YES
+moon::cat /var/log/auth.log::extended authentication was successful::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..48015ad4c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthpsk
+
+conn home
+ left=PH_IP_CAROL
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ xauth_identity=carol
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..7a272a371
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..baa85e32c
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthpsk
+
+conn home
+ left=PH_IP_DAVE
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ xauth_identity=dave
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..25e8c2796
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..c92ad8748
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthpsk
+ xauth=server
+
+conn rw
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..3f86fa594
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..dbd431cc2
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac gmp random xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-psk/posttest.dat b/testing/tests/ikev1/xauth-id-psk/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-psk/pretest.dat b/testing/tests/ikev1/xauth-id-psk/pretest.dat
new file mode 100644
index 000000000..95a6be131
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/pretest.dat
@@ -0,0 +1,12 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-psk/test.conf b/testing/tests/ikev1/xauth-id-psk/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-psk/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-id-rsa/description.txt b/testing/tests/ikev1/xauth-id-rsa/description.txt
new file mode 100644
index 000000000..9483c8f39
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection to gateway moon.
+The authentication is based on RSA signatures (RSASIG) using X.509 certificates
+followed by extended authentication (XAUTH) of carol and dave
+based on user names defined by the xauth_identity parameter (carol and dave,
+respectively) and corresponding user passwords defined and stored in ipsec.secrets.
+

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, carol and dave ping the client
+alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-id-rsa/evaltest.dat b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
new file mode 100644
index 000000000..b019f8d76
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/auth.log::extended authentication was successful::YES
+dave::cat /var/log/auth.log::extended authentication was successful::YES
+moon::cat /var/log/auth.log::xauth user name is .*carol::YES
+moon::cat /var/log/auth.log::xauth user name is .*dave::YES
+moon::cat /var/log/auth.log::extended authentication was successful::YES
+carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
+moon::ipsec status::rw.*STATE_QUICK_R2.*IPsec SA established::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
+moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
+moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
new file mode 100644
index 000000000..32b1227bb
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthrsasig
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ xauth_identity=carol
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..29492b5f9
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA carolKey.pem "nH5ZQEWtku0RJEZ6"
+
+carol : XAUTH "4iChxLT3"
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
new file mode 100644
index 000000000..090deac77
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthrsasig
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightid=@moon.strongswan.org
+ xauth_identity=dave
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..8cf7db530
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,5 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA daveKey.pem
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..f79a81a6f
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutodebug=control
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ charonstart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ authby=xauthrsasig
+ xauth=server
+
+conn rw
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..fef50218a
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol : XAUTH "4iChxLT3"
+
+dave : XAUTH "ryftzG4A"
diff --git a/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..556f76c74
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+pluto {
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth
+}
+
+# pluto uses optimized DH exponent sizes (RFC 3526)
+
+libstrongswan {
+ dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/tests/ikev1/xauth-id-rsa/posttest.dat b/testing/tests/ikev1/xauth-id-rsa/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev1/xauth-id-rsa/pretest.dat b/testing/tests/ikev1/xauth-id-rsa/pretest.dat
new file mode 100644
index 000000000..78e2d57f8
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 2
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ikev1/xauth-id-rsa/test.conf b/testing/tests/ikev1/xauth-id-rsa/test.conf
new file mode 100644
index 000000000..70416826e
--- /dev/null
+++ b/testing/tests/ikev1/xauth-id-rsa/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/description.txt b/testing/tests/ikev1/xauth-psk-mode-config/description.txt
deleted file mode 100644
index 9abe6298c..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors carol and dave set up a connection to gateway moon.
-The authentication is based on Pre-Shared Keys (PSK)
-followed by extended authentication (XAUTH) of carol and dave
-based on user names and passwords. Next carol and dave request a
-virtual IP via the IKE Mode Config protocol by using the
-leftsourceip=%modeconfig parameter.
-

-Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
-inserts iptables-based firewall rules that let pass the tunneled traffic.
-In order to test both tunnel and firewall, carol and dave ping the client
-alice behind the gateway moon.
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat b/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
deleted file mode 100644
index 15dd054a0..000000000
--- a/testing/tests/ikev1/xauth-psk-mode-config/evaltest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-carol::cat /var/log/auth.log::extended authentication was successful::YES
-dave::cat /var/log/auth.log::extended authentication was successful::YES
-moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES
-moon::cat /var/log/auth.log::dave.*extended authentication was successful::YES
-carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES
-moon::ipsec status::carol.*STATE_QUICK_R2.*IPsec SA established::YES
-moon::ipsec status::dave.*STATE_QUICK_R2.*IPsec SA established::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
-moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
-moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-alice::tcpdump::IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply::YES
-alice::tcpdump::IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request::YES
-alice::tcpdump::IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf deleted file mode 100644 index 747f4b6bf..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - authby=xauthpsk - -conn home - left=PH_IP_CAROL - leftid=carol@strongswan.org - leftsourceip=%modeconfig - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets deleted file mode 100644 index d2bba2f4c..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/ipsec.secrets +++ /dev/null @@ -1,9 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -carol@strongswan.org @dave.strongswan.org : PSK 0sqc1FhzwoUSbpjYUSp8I6qUdxDacxLCTq - -carol@strongswan.org @moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -carol@strongswan.org @sun.strongswan.org : PSK 0sR64pR6y0S5d6d8rNhUIM7aPbdjND4st5 - -: XAUTH carol "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf deleted file mode 100644 index 85e5f1aee..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/carol/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} 
diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf deleted file mode 100644 index 0193c0512..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.conf +++ /dev/null @@ -1,24 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - authby=xauthpsk - -conn home - left=PH_IP_DAVE - leftid=dave@strongswan.org - leftsourceip=%modeconfig - leftfirewall=yes - right=PH_IP_MOON - rightid=@moon.strongswan.org - rightsubnet=10.1.0.0/16 - auto=add diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets deleted file mode 100644 index 0690d9cde..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/ipsec.secrets +++ /dev/null @@ -1,5 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -: PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf deleted file mode 100644 index 85e5f1aee..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/dave/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf deleted file mode 100644 index 98598b04c..000000000 
--- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.conf +++ /dev/null @@ -1,29 +0,0 @@ -# /etc/ipsec.conf - strongSwan IPsec configuration file - -config setup - plutodebug=control - crlcheckinterval=180 - strictcrlpolicy=no - charonstart=no - -conn %default - ikelifetime=60m - keylife=20m - rekeymargin=3m - keyingtries=1 - authby=xauthpsk - xauth=server - left=PH_IP_MOON - leftid=@moon.strongswan.org - leftsubnet=10.1.0.0/16 - leftfirewall=yes - right=%any - auto=add - -conn carol - rightid=carol@strongswan.org - rightsourceip=PH_IP_CAROL1 - -conn dave - rightid=dave@strongswan.org - rightsourceip=PH_IP_DAVE1 diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets deleted file mode 100644 index 1ea69f998..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/ipsec.secrets +++ /dev/null @@ -1,7 +0,0 @@ -# /etc/ipsec.secrets - strongSwan IPsec secrets file - -@moon.strongswan.org : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL - -: XAUTH carol "4iChxLT3" - -: XAUTH dave "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf deleted file mode 100644 index 85e5f1aee..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/hosts/moon/etc/strongswan.conf +++ /dev/null @@ -1,11 +0,0 @@ -# /etc/strongswan.conf - strongSwan configuration file - -pluto { - load = sha1 sha2 md5 aes des hmac gmp random -} - -# pluto uses optimized DH exponent sizes (RFC 3526) - -libstrongswan { - dh_exponent_ansi_x9_42 = no -} diff --git a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat b/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat deleted file mode 100644 index 42fa8359b..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/posttest.dat +++ /dev/null 
@@ -1,8 +0,0 @@ -moon::ipsec stop -carol::ipsec stop -dave::ipsec stop -moon::/etc/init.d/iptables stop 2> /dev/null -carol::/etc/init.d/iptables stop 2> /dev/null -dave::/etc/init.d/iptables stop 2> /dev/null -carol::ip addr del PH_IP_CAROL1/32 dev eth0 -dave::ip addr del PH_IP_DAVE1/32 dev eth0 diff --git a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat b/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat deleted file mode 100644 index 95a6be131..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/pretest.dat +++ /dev/null @@ -1,12 +0,0 @@ -moon::/etc/init.d/iptables start 2> /dev/null -carol::/etc/init.d/iptables start 2> /dev/null -dave::/etc/init.d/iptables start 2> /dev/null -moon::rm /etc/ipsec.d/cacerts/* -carol::rm /etc/ipsec.d/cacerts/* -dave::rm /etc/ipsec.d/cacerts/* -moon::ipsec start -carol::ipsec start -dave::ipsec start -carol::sleep 2 -carol::ipsec up home -dave::ipsec up home diff --git a/testing/tests/ikev1/xauth-psk-mode-config/test.conf b/testing/tests/ikev1/xauth-psk-mode-config/test.conf deleted file mode 100644 index 75510b295..000000000 --- a/testing/tests/ikev1/xauth-psk-mode-config/test.conf +++ /dev/null @@ -1,21 +0,0 @@ -#!/bin/bash -# -# This configuration file provides information on the -# UML instances used for this test - -# All UML instances that are required for this test -# -UMLHOSTS="alice moon carol winnetou dave" - -# Corresponding block diagram -# -DIAGRAM="a-m-c-w-d.png" - -# UML instances on which tcpdump is to be started -# -TCPDUMPHOSTS="alice moon" - -# UML instances on which IPsec is started -# Used for IPsec logging purposes -# -IPSECHOSTS="moon carol dave" diff --git a/testing/tests/ikev1/xauth-psk/evaltest.dat b/testing/tests/ikev1/xauth-psk/evaltest.dat index e1dc6b5b0..786043065 100644 --- a/testing/tests/ikev1/xauth-psk/evaltest.dat +++ b/testing/tests/ikev1/xauth-psk/evaltest.dat 
@@ -1,5 +1,7 @@ carol::cat /var/log/auth.log::extended authentication was successful::YES dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES +moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES moon::cat /var/log/auth.log::extended authentication was successful::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf index b5ec4c4af..684ace0d3 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.conf @@ -15,7 +15,9 @@ conn %default conn home left=PH_IP_CAROL + leftid=carol@strongswan.org leftfirewall=yes right=PH_IP_MOON + rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets index 70ea1dab6..a899783bd 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) 
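Review bot: The single `moon::cat /var/log/auth.log::extended authentication was successful::YES` check kept on moon is satisfied as soon as either roadwarrior passes XAUTH, so a failure for dave alone would go unnoticed; the two new `xauth user name is` lines only show that both names were presented, not that both were accepted. The removed xauth-psk-mode-config evaltest made this check per peer (`moon::cat /var/log/auth.log::carol.*extended authentication was successful::YES`). Since moon's connection in this test is the single `rw` conn, the pluto log prefix presumably carries the peer address rather than a conn name, so a per-peer form here would look like `moon::cat /var/log/auth.log::PH_IP_CAROL.*extended authentication was successful::YES` plus a `PH_IP_DAVE` counterpart — worth confirming against the actual log line before relying on it.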
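Review bot: `rightid=moon.strongswan.org` is written without the leading `@` that the removed xauth-psk-mode-config configuration used (`rightid=@moon.strongswan.org`). In pluto an FQDN identity without `@` may be resolved through DNS into an IP-address ID rather than used as a literal FQDN, which would make the ID match depend silently on the testbed's name resolution; I cannot tell from this hunk which form the gateway actually sends. If a literal FQDN identity is intended, use `rightid=@moon.strongswan.org` here together with the matching `leftid=@moon.strongswan.org` and `@moon.strongswan.org %any : PSK …` on moon, or add a one-line comment stating that the DNS-resolved form is deliberate.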
diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf index a353e3f12..14307a7f0 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.conf @@ -15,7 +15,9 @@ conn %default conn home left=PH_IP_DAVE + leftid=dave@strongswan.org leftfirewall=yes right=PH_IP_MOON + rightid=moon.strongswan.org rightsubnet=10.1.0.0/16 auto=add diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets index 0690d9cde..1c8506152 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf index c92ad8748..a4e01b564 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.conf @@ -16,6 +16,7 @@ conn %default conn rw left=PH_IP_MOON + leftid=moon.strongswan.org leftsubnet=10.1.0.0/16 leftfirewall=yes right=%any 
diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets index 047d6c235..ae45ea03e 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/ipsec.secrets @@ -1,7 +1,7 @@ # /etc/ipsec.secrets - strongSwan IPsec secrets file -PH_IP_MOON %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL +moon.strongswan.org %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf index 85e5f1aee..dbd431cc2 100644 --- a/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev1/xauth-psk/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = sha1 sha2 md5 aes des hmac gmp random + load = sha1 sha2 md5 aes des hmac gmp random xauth } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets index 24506be09..13e6e0656 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -: XAUTH carol "4iChxLT8" +carol@strongswan.org : XAUTH "4iChxLT8" diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/carol/etc/strongswan.conf 
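Review bot: The selector `moon.strongswan.org %any : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL` defines a group secret: the same value appears verbatim in carol's and dave's ipsec.secrets in this diff, and `%any` matches every initiator. With XAUTH layered on a group PSK, anyone holding that PSK can pose as the gateway towards another client and collect its XAUTH password, so the per-user `: XAUTH` lines below do not add an independent authentication factor. That is acceptable for a testbed, but these trees double as configuration examples; a comment such as `# group PSK shared by all roadwarriors - XAUTH passwords are only as secret as this key` above the PSK line would make the trust model explicit.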
@@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets index a18e885f8..2586f5f39 100644 --- a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-fail/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets index 48fd260c1..4a77c3b97 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null 
+++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets index 14f088501..1c0248b84 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA daveKey.pem -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets index 8d41919fc..1ba66971a 100644 --- a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/ipsec.secrets @@ -2,6 +2,6 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-mode-config/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf index 47bf1dafc..1e21fbb97 100755 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control controlmore" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf index f79a81a6f..94cc6819d 100755 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.conf 
@@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug=control + plutodebug="control controlmore" crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets index a18e885f8..2586f5f39 100644 --- a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa-nosecret/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa/description.txt b/testing/tests/ikev1/xauth-rsa/description.txt index 0cdaba1c5..a9b76b618 100644 --- a/testing/tests/ikev1/xauth-rsa/description.txt +++ b/testing/tests/ikev1/xauth-rsa/description.txt @@ -1,7 +1,9 @@ The roadwarriors carol and dave set up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) of carol and dave -based on user names and passwords. +based on user names equal to the IKEv1 identity (carol@strongswan.org and +dave@strongswan.org, respectively) and corresponding user passwords defined and +stored in ipsec.secrets.

Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically inserts iptables-based firewall rules that let pass the tunneled traffic. diff --git a/testing/tests/ikev1/xauth-rsa/evaltest.dat b/testing/tests/ikev1/xauth-rsa/evaltest.dat index e1dc6b5b0..786043065 100644 --- a/testing/tests/ikev1/xauth-rsa/evaltest.dat +++ b/testing/tests/ikev1/xauth-rsa/evaltest.dat @@ -1,5 +1,7 @@ carol::cat /var/log/auth.log::extended authentication was successful::YES dave::cat /var/log/auth.log::extended authentication was successful::YES +moon::cat /var/log/auth.log::xauth user name is .*carol@strongswan.org::YES +moon::cat /var/log/auth.log::xauth user name is .*dave@strongswan.org::YES moon::cat /var/log/auth.log::extended authentication was successful::YES carol::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES dave::ipsec status::home.*STATE_QUICK_I2.*IPsec SA established::YES diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets index 48fd260c1..4a77c3b97 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA carolKey.pem "nH5ZQEWtku0RJEZ6" -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/carol/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} 
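Review bot: The surviving `moon::cat /var/log/auth.log::extended authentication was successful::YES` line is a single match, so this evaltest still passes if only one of carol and dave completes XAUTH; the added `xauth user name is .*carol@strongswan.org` and `.*dave@strongswan.org` checks prove only that each name was offered. Pinning both outcomes needs a per-peer qualifier in the pattern, e.g. `moon::cat /var/log/auth.log::PH_IP_CAROL.*extended authentication was successful::YES` with a `PH_IP_DAVE` counterpart. Moon's conn name is not visible in this diff, so whether pluto's log prefix carries the peer address or a name should be checked against a real run first.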
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets index 14f088501..1c0248b84 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/ipsec.secrets @@ -2,4 +2,4 @@ : RSA daveKey.pem -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" diff --git a/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/dave/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf index ffbb13ec5..f79a81a6f 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.conf @@ -1,7 +1,7 @@ # /etc/ipsec.conf - strongSwan IPsec configuration file config setup - plutodebug="control" + plutodebug=control crlcheckinterval=180 strictcrlpolicy=no charonstart=no diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets index 8d41919fc..1ba66971a 100644 --- a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/ipsec.secrets @@ -2,6 +2,6 @@ : RSA moonKey.pem -: XAUTH carol "4iChxLT3" +carol@strongswan.org : XAUTH "4iChxLT3" -: XAUTH dave "ryftzG4A" +dave@strongswan.org : XAUTH "ryftzG4A" 
diff --git a/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..556f76c74 --- /dev/null +++ b/testing/tests/ikev1/xauth-rsa/hosts/moon/etc/strongswan.conf @@ -0,0 +1,11 @@ +# /etc/strongswan.conf - strongSwan configuration file + +pluto { + load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random curl xauth +} + +# pluto uses optimized DH exponent sizes (RFC 3526) + +libstrongswan { + dh_exponent_ansi_x9_42 = no +} diff --git a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/after-2038-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } 
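Review bot: The `revocation` plugin is added to the charon load list with nothing saying why, and buried between `x509` and `hmac` in a long line it is easy to drop again when the line is copied. As far as I know 4.4 moved CRL/OCSP checking out of the x509 plugin into `revocation`, so omitting it means certificates are accepted without any revocation check; the `curl` plugin already loaded here is presumably what fetches the CRLs and OCSP responses it needs. A short comment above the line, `# revocation: CRL/OCSP checks moved out of x509 in 4.4 - without it certificates are never checked for revocation`, would record that dependency; the same applies to every other ikev2 strongswan.conf touched in this series.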
diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-3des-md5/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } 
diff --git a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-aes-xcbc/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf index 336227af7..fed4f5ece 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf index 336227af7..fed4f5ece 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown } 
diff --git a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf index 336227af7..fed4f5ece 100644 --- a/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { dh_exponent_ansi_x9_42 = no - load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 hmac stroke kernel-netlink socket-default updown + load = aes des blowfish md5 sha1 sha2 pem pkcs1 gmp curl random x509 revocation hmac stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } 
diff --git a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-modp-subgroup/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
index 06304115b..53061a59b 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
index 06304115b..53061a59b 100644
--- a/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256-96/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha256/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/alice/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/bob/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
index 3fbdad4f9..cb1485446 100644
--- a/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/any-interface/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/compress/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
index 223ed67a3..f763e3ef1 100644
--- a/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/config-payload/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr
 dns1 = PH_IP_WINNETOU
 dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-from-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
index bb4af2c75..cccd6ae27 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
index bb4af2c75..cccd6ae27 100644
--- a/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-ldap/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/crl-to-cache/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
index 4890be7cc..eabe265ca 100644
--- a/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/carol/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
 }
diff --git a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
index 4890be7cc..eabe265ca 100644
--- a/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/default-keys/hosts/moon/etc/strongswan.conf
@@ -1,9 +1,9 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 
 scepclient {
- load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 gmp random
+ load = sha1 sha2 md5 aes des hmac pem pkcs1 x509 revocation gmp random
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
index 146c81f48..317e4ddc0 100644
--- a/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-dynamic/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
 plugins {
 dhcp {
 server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
index 146c81f48..317e4ddc0 100644
--- a/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-client-id/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
 plugins {
 dhcp {
 server = 10.1.255.255
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
index 40c3c2418..ecfc51d44 100644
--- a/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dhcp-static-mac/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp dhcp
 plugins {
 dhcp {
 server = 10.1.255.255
diff --git a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat-net/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/ikev2/double-nat/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-clear/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-hold/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/dpd-restart/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
index 86ef872c0..f7959d129 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_CCM_12_128::YES
 carol::ipsec statusall::AES_CCM_12_128::YES
+carol::ip xfrm state::aead rfc4309(ccm(aes))::YES
+moon::ip xfrm state::aead rfc4309(ccm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 180::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 180::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ccm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-ctr/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
index 9805c654c..7434cc156 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::AES_GCM_16_256::YES
 carol::ipsec statusall::AES_GCM_16_256::YES
+carol::ip xfrm state::aead rfc4106(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4106(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gcm/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
index 534f6d452..9377d9fd2 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/evaltest.dat
@@ -3,5 +3,7 @@ carol::ipsec statusall::home.*INSTALLED::YES
 carol::ping -c 1 -s 120 -p deadbeef PH_IP_ALICE::128 bytes from PH_IP_ALICE: icmp_seq=1::YES
 moon::ipsec statusall::NULL_AES_GMAC_256::YES
 carol::ipsec statusall::NULL_AES_GMAC_256::YES
+carol::ip xfrm state::aead rfc4543(gcm(aes))::YES
+moon::ip xfrm state::aead rfc4543(gcm(aes))::YES
 moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP.*length 184::YES
 moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP.*length 184::YES
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-aes-gmac/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
index 4585d928a..379edeefc 100644
--- a/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/farp/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown attr farp
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown attr farp
 dns1 = PH_IP_WINNETOU
 dns2 = PH_IP_VENUS
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/force-udp-encaps/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-cert/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-swapped/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
index 291f08db1..cb17a9e07 100644
--- a/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 multiple_authentication = no
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/inactivity-timeout/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
index 5af37dc90..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown resolve
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
index 626bec3ed..e907021ce 100644
--- a/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 libhydra {
diff --git a/testing/tests/ikev2/ip-pool-db/pretest.dat b/testing/tests/ikev2/ip-pool-db/pretest.dat
index 332280acd..4a2add194 100644
--- a/testing/tests/ikev2/ip-pool-db/pretest.dat
+++ b/testing/tests/ikev2/ip-pool-db/pretest.dat
@@ -1,9 +1,9 @@
 moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add bigpool --start 10.3.0.1 --end 10.3.3.232 --timeout 0 2> /dev/null
-moon::ipsec pool --add dns --server PH_IP_WINNETOU 2> /dev/null
-moon::ipsec pool --add dns --server PH_IP_VENUS 2> /dev/null
-moon::ipsec pool --add nbns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS 2> /dev/null
+moon::ipsec pool --addattr nbns --server PH_IP_VENUS 2> /dev/null
 moon::/etc/init.d/iptables start 2> /dev/null
 carol::/etc/init.d/iptables start 2> /dev/null
 dave::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/dave/etc/strongswan.conf
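Review bot: The three new `--addattr` lines keep the `2> /dev/null` redirection of the lines they replace, so if the pool tool rejects the renamed option or fails to store the DNS/NBNS attribute, nothing is logged and the test only notices, if at all, through a later evaltest assertion; the ip-pool-db evaltest is not part of this chunk, so I cannot tell whether such an assertion exists. The ip-two-pools-db pretest hunk later in this commit follows its `--addattr` lines with `moon::ipsec pool --statusattr 2> /dev/null`, which at least records what was registered; adding the same `moon::ipsec pool --statusattr 2> /dev/null` step here would make a silent attribute failure visible in the test log.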
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool-wish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-pool/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
index 626bec3ed..e907021ce 100644
--- a/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-split-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default sqlite attr-sql updown
 }
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
index c2bd87c58..ba2b07a10 100644
--- a/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/evaltest.dat
@@ -16,6 +16,10 @@ carol::cat /var/log/daemon.log::installing new virtual IP 10.3.0.1::YES
 dave::cat /var/log/daemon.log::installing new virtual IP 10.3.0.2::YES
 alice::cat /var/log/daemon.log::installing new virtual IP 10.4.0.1::YES
 venus::cat /var/log/daemon.log::installing new virtual IP 10.4.0.2::YES
+carol::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+dave::cat /var/log/daemon.log::installing DNS server PH_IP_WINNETOU to /etc/resolv.conf::YES
+alice::cat /var/log/daemon.log::installing DNS server PH_IP_ALICE to /etc/resolv.conf::YES
+venus::cat /var/log/daemon.log::installing DNS server PH_IP_VENUS to /etc/resolv.conf::YES
 alice::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
 dave::ping -c 1 PH_IP_CAROL1::64 bytes from PH_IP_CAROL1: icmp_seq=1::YES
 alice::ping -c 1 10.4.0.2::64 bytes from 10.4.0.2: icmp_seq=1::YES
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
index 70d66b20b..e44a3e251 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown
 }
 libhydra {
diff --git a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
index de9ae45cc..cb5f6406b 100644
--- a/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-db/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown resolve
 }
diff --git a/testing/tests/ikev2/ip-two-pools-db/posttest.dat b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
index 17901fa15..83052889c 100644
--- a/testing/tests/ikev2/ip-two-pools-db/posttest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/posttest.dat
@@ -13,4 +13,7 @@ moon::ip route del 10.4.0.0/16 via PH_IP_MOON1
 moon::conntrack -F
 moon::ipsec pool --del extpool 2> /dev/null
 moon::ipsec pool --del intpool 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --delattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
 moon::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/ikev2/ip-two-pools-db/pretest.dat b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
index fa7c122d9..e4eb8b0b9 100644
--- a/testing/tests/ikev2/ip-two-pools-db/pretest.dat
+++ b/testing/tests/ikev2/ip-two-pools-db/pretest.dat
@@ -2,6 +2,10 @@ moon::cat /etc/ipsec.d/tables.sql > /etc/ipsec.d/ipsec.sql
 moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
 moon::ipsec pool --add extpool --start 10.3.0.1 --end 10.3.1.244 --timeout 48 2> /dev/null
 moon::ipsec pool --add intpool --start 10.4.0.1 --end 10.4.1.244 --timeout 0 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_VENUS --pool intpool --identity venus.strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_ALICE --pool intpool --identity alice@strongswan.org 2> /dev/null
+moon::ipsec pool --addattr dns --server PH_IP_WINNETOU --pool extpool 2> /dev/null
+moon::ipsec pool --statusattr 2> /dev/null
 moon::ip route add 10.3.0.0/16 via PH_IP_MOON
 moon::ip route add 10.4.0.0/16 via PH_IP_MOON1
 alice::/etc/init.d/iptables start 2> /dev/null
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf index 70d66b20b..e44a3e251 100644 --- a/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools-mixed/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke sqlite attr-sql kernel-netlink socket-default updown } libhydra { diff --git a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/ikev2/ip-two-pools/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ip-two-pools/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-nat/hosts/sun/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/alice/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike-virtual-ip/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike/hosts/alice/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/mobike/hosts/sun/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf index 2435403a4..7b4ab49e4 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf index 2435403a4..7b4ab49e4 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf 
+++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown } diff --git a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf index f0e7da85e..2a18af887 100644 --- a/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/mult-auth-rsa-eap-sim-id/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown plugins { eap-radius { secret = gv6URkSs diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } 
diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-init/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/carol/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-cr-resp/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf index 908f85ac5..bbe0d3aa7 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/carol/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf index 908f85ac5..bbe0d3aa7 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf index bb4af2c75..cccd6ae27 100644 --- a/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-ldap/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = ldap aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/carol/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem index efb939e3a..37ef9c665 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/research_by_salesCert.pem @@ -1,7 +1,7 @@ -----BEGIN CERTIFICATE----- -MIID/TCCAuWgAwIBAgIBAjANBgkqhkiG9w0BAQUFADBLMQswCQYDVQQGEwJDSDEZ +MIID/TCCAuWgAwIBAgIBBjANBgkqhkiG9w0BAQsFADBLMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEOMAwGA1UECxMFU2FsZXMxETAPBgNV -BAMTCFNhbGVzIENBMB4XDTA1MDYxNjE5NTUzNloXDTEwMDYxNTE5NTUzNlowUTEL +BAMTCFNhbGVzIENBMB4XDTEwMDcwMzE1MjgyOVoXDTE1MDcwMjE1MjgyOVowUTEL MAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xETAPBgNVBAsT CFJlc2VhcmNoMRQwEgYDVQQDEwtSZXNlYXJjaCBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBALY5sjqm4AdbWKc/T7JahWpy9xtdPbHngBN6lbnpYaHf 
@@ -13,12 +13,12 @@ m+0iNKy0C+25IuE8Nq+i3jtBiI8BwBqHY3u2IuflUh9Nc9d/R6vGsRPMHs30X1Ha HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU53XwoPKtIM3NYCPM x8gPKfPdVCAwbQYDVR0jBGYwZIAUX5sTRvkgcsgA1Yi1p0wul+oLkyihSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQ0wNAYDVR0fBC0wKzApoCegJYYjaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQEFBQADggEB -AJ2EkXnpgdJpsBIMcH+3oTUks8gAT5bR+LdVQSMHqvjgfaCq5fuZY15niLm5QeFr -Yhv2KtfHfF+tZgE+qWcqS33Y2U/jwUMO45Wqi5HXQDk8AM/gcvQZ8+PINkGdVdup -Wyw3MM08S/fp8UUl/3QrDr+CBGqZCSx3LEIFILm2hvdXK1/okAtkwlKV4YiOEemg -pZURzA2M29FeGDS8snfiVYFBkydT9QrrHnx8IwyVGykfOA4tnjRsjTvcs0qhtLcL -rjK2FSmzBTCVl6/lBOYmB765KUHev6WF4hdMKHf7lsH2nhYb97jxoT54y73jVd1S -uaJ2yDwEhOHn3ihb1bqlanM= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASEwNAYDVR0fBC0wKzApoCegJYYjaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9zYWxlcy5jcmwwDQYJKoZIhvcNAQELBQADggEB +ALRTVUS8bpb3NrwWV/aIE6K9MvtX1kPzMUbZgykwOm4g1jfDmqbPw28X6YZESQ2B +bG1QRh3SUpSoT5vplPcD4OCv3ORKACzGhx4xemd7TpYP8dnptfk66cfFCP+It0t4 +hP45BqlgVZfd5ZAO/ogRQ+2s79Obc5XPq/ShGvConGVOPDuqkWrP/ISIMdBXFHqk +WyW24e/Kzq7pPMG18Ect7NA4gRXSiWx0U33lhWNasPvSKtKgC6dcmRNqjyTHQoFy +02FLgKP1p214ThLkSr9dgHT6e69R7ES9Vin3DUgPuJdlXcax/BWm6gLugqHcXVGF +yuVPkDSgPds6m0KQcEVnuaU= -----END CERTIFICATE----- diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem index 90e207c4b..0a435b90d 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/ipsec.d/cacerts/sales_by_researchCert.pem 
@@ -1,8 +1,8 @@ -----BEGIN CERTIFICATE----- -MIIEADCCAuigAwIBAgIBAjANBgkqhkiG9w0BAQUFADBRMQswCQYDVQQGEwJDSDEZ +MIIEADCCAuigAwIBAgIBBzANBgkqhkiG9w0BAQsFADBRMQswCQYDVQQGEwJDSDEZ MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjERMA8GA1UECxMIUmVzZWFyY2gxFDAS -BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTA1MDYxNjE5NTcxMFoXDTEwMDYxNTE5NTcx -MFowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM +BgNVBAMTC1Jlc2VhcmNoIENBMB4XDTEwMDcwMzE1MTgzOVoXDTE1MDcwMjE1MTgz +OVowSzELMAkGA1UEBhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xDjAM BgNVBAsTBVNhbGVzMREwDwYDVQQDEwhTYWxlcyBDQTCCASIwDQYJKoZIhvcNAQEB BQADggEPADCCAQoCggEBAMJOTSaZjDe5UR+hJbodcE40WBxWm+r0FiD+FLc2c0hH /QcWm1Xfqnc9qaPPGoxO2BfwXgFEHfOdQzHGuthhsvdMPkmWP1Z3uDrwscqrmLyq @@ -13,12 +13,12 @@ gbBRI1A3iqoU3Nq1vPAqzrekOI/RV9Hre9L1r8X1dIECAwEAAaOB6DCB5TAPBgNV HRMBAf8EBTADAQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQUX5sTRvkgcsgA1Yi1 p0wul+oLkygwbQYDVR0jBGYwZIAU53XwoPKtIM3NYCPMx8gPKfPdVCChSaRHMEUx CzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2FuMRswGQYDVQQD -ExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQwwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov -L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQEFBQAD -ggEBAJW0/z17JK38rsn8zh0Ta+9Ql5fcA9UIUGcN/KfCvdGwrYaym8Dy6Pz+sZkO -clOv5t+3R1zKDiiLGQ4m8jYW6NcxeJZyyPhGtKaafanXZsQuMpaTpvkRr62jx/NB -b3c/HS3dqz2dTMvFJ6CC65vOnnGgzF1szhrrWymGI/NuHUge748WYPNw+OsLmBQI -koXJsMURGtPWXtJE98Rre+r/6O5kzZNv7V8LGoBkWf1Z6g1q2VvCcnJPxANcQoxf -Is+E+aqBhGJ6XlnQIlQB1SjoMhOnJ282JK9Hk3NmQYb/zvIzIfo3FCrjj1JI/XoA -/szZoxwnE2iHtIoMAhfHZpRvOkg= +ExJzdHJvbmdTd2FuIFJvb3QgQ0GCASAwNwYDVR0fBDAwLjAsoCqgKIYmaHR0cDov +L2NybC5zdHJvbmdzd2FuLm9yZy9yZXNlYXJjaC5jcmwwDQYJKoZIhvcNAQELBQAD +ggEBADPiBfTbTkHwRdpt4iAY/wx0AKKwnF636+1E+m8dHn1HhTU8FZkiRCsRSRdx +qpzprMga6v7ksV29CIJpTciaD48S2zWNsiQ2vfNB4UenG4wKVG8742CQakCzZk/7 +MrHutk+VDcN3oGcu4gFECPzrZiYPTVv74PCFRfd37SYlXmN0KF0Ivzgu2DNwJNMD +Aa6sHs+/8H/7BbzHxUZkT7zrTuy4M5FGIKllQBxALp/8N/LN4vz0ZbLgbNU7Eo16 +EikbEASUs3Scmna+dFBSfexf0G9oqvHvxjWPiZRw6ZrS5TZkAE1DmdqLWwTNq/Fo +aeDWsllgAdqMA2fL7i9tsFHZVYk= -----END CERTIFICATE----- 
diff --git a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-loop/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } 
diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-revoked/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/carol/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca-strict/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/carol/etc/strongswan.conf 
@@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/multi-level-ca/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf index 79348686d..6d9e62e1d 100644 --- a/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf +++ b/testing/tests/ikev2/nat-one-rw/hosts/alice/etc/strongswan.conf 
@@ -2,5 +2,5 @@
 charon {
 keep_alive = 1d
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-one-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw-mark/description.txt b/testing/tests/ikev2/nat-two-rw-mark/description.txt
new file mode 100644
index 000000000..2a93d11d8
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors alice and venus sitting behind the NAT router moon set up
+tunnels to gateway sun. UDP encapsulation is used to traverse the NAT router.
+Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT
+after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.

+In order to differentiate between the tunnels to alice and venus, respectively,
+XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using
+the mark parameter in ipsec.conf.

+iptables -t mangle rules are then used in the PREROUTING chain to mark the traffic to
+and from alice and venus, respectively.

+The script designated by leftupdown=/etc/mark_updown automatically inserts
+iptables mangle rules that mark the inbound ESP_IN_UDP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the NAT-ed hosts alice
+and venus ping the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
new file mode 100644
index 000000000..74ba178d9
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::nat-t.*INSTALLED::YES
+venus::ipsec statusall::nat-t.*INSTALLED::YES
+sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
+sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP moon.strongswan.org.4510.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP moon.strongswan.org.4520.* > sun.strongswan.org.ipsec-nat-t: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4510.*: UDP::YES
+moon::tcpdump::IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.4520.*: UDP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..0f7c23845
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..ae4644c4b
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightid=alice@strongswan.org
+ mark=10/0xffffffff
+ also=sun
+ auto=add
+
+conn venus
+ rightid=@venus.strongswan.org
+ mark=20 #0xffffffff is used by default
+ also=sun
+ auto=add
+
+conn sun
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftupdown=/etc/mark_updown
+ right=%any
+ rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..442233f32
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! 
ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? 
+ if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK="-p esp" + fi + SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" 
+ if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. 
+ if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = 
"$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac 
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..c82c3e978
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn nat-t
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/nat-two-rw-mark/posttest.dat b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
new file mode 100644
index 000000000..89d5f534b
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/posttest.dat
@@ -0,0 +1,11 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::iptables -t nat -F
+moon::conntrack -F
+sun::conntrack -F
+sun::rm /etc/mark_updown
diff --git a/testing/tests/ikev2/nat-two-rw-mark/pretest.dat b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
new file mode 100644
index 000000000..105968f45
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/pretest.dat
@@ -0,0 +1,21 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 500 -j SNAT --to PH_IP_MOON:510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 500 -j SNAT --to PH_IP_MOON:520
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_ALICE -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4510
+moon::iptables -t nat -A POSTROUTING -o eth0 -s PH_IP_VENUS -p udp --sport 4500 -j SNAT --to PH_IP_MOON:4520
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up nat-t
+venus::sleep 2
+venus::ipsec up nat-t
+venus::sleep 2
diff --git a/testing/tests/ikev2/nat-two-rw-mark/test.conf b/testing/tests/ikev2/nat-two-rw-mark/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev2/nat-two-rw-mark/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice venus sun"
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/ikev2/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/nat-virtual-ip/description.txt b/testing/tests/ikev2/nat-virtual-ip/description.txt
new file mode 100644
index 000000000..31d24cda6
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/description.txt
@@ -0,0 +1,6 @@
+The router moon sets up a connection to gateway sun in order
+to reach the subnet hidden behind sun. The gateway sun assigns a
+virtual IP address to router moon. A special updown script on moon
+specified by leftupdown=/etc/nat_updown dynamically inserts a source NAT rule
+which maps the IP address of client alice to the virtual IP of moon.
+This allows alice to access client bob via the established IPsec tunnel.
diff --git a/testing/tests/ikev2/nat-virtual-ip/evaltest.dat b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
new file mode 100644
index 000000000..75d5ffbd3
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/evaltest.dat
@@ -0,0 +1,8 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+moon::cat /var/log/daemon.log::inserted NAT rule mapping PH_IP_ALICE to virtual IP::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP alice2.strongswan.org > bob.strongswan.org: ICMP::YES
+bob::tcpdump::IP bob.strongswan.org > alice2.strongswan.org: ICMP::YES
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts b/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts
new file mode 100644
index 000000000..ee854da09
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/bob/etc/hosts
@@ -0,0 +1,70 @@
+# /etc/hosts: This file describes a number of hostname-to-address
+# mappings for the TCP/IP subsystem. It is mostly
+# used at boot time, when no name servers are running.
+# On small systems, this file can be used instead of a
+# "named" name server. Just add the names, addresses
+# and any aliases to this file...
+#
+
+127.0.0.1 localhost
+
+192.168.0.254 uml0.strongswan.org uml0
+10.1.0.254 uml1.strongswan.org uml1
+10.2.0.254 uml1.strongswan.org uml2
+
+10.1.0.10 alice.strongswan.org alice
+10.1.0.20 venus.strongswan.org venus
+10.1.0.1 moon1.strongswan.org moon1
+192.168.0.1 moon.strongswan.org moon
+192.168.0.50 alice1.strongswan.org alice1
+192.168.0.100 carol.strongswan.org carol
+10.3.0.1 carol1.strongswan.org carol1
+192.168.0.150 winnetou.strongswan.org winnetou crl.strongswan.org ocsp.strongswan.org ldap.strongswan.org
+192.168.0.200 dave.strongswan.org dave
+10.3.0.2 dave1.strongswan.org dave1
+192.168.0.2 sun.strongswan.org sun
+10.2.0.1 sun1.strongswan.org sun1
+10.2.0.10 bob.strongswan.org bob
+10.4.0.1 alice2.strongswan.org alice2
+
+# IPv6 versions of localhost and co
+::1 ip6-localhost ip6-loopback
+fe00::0 ip6-localnet
+ff00::0 ip6-mcastprefix
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+ff02::3 ip6-allhosts
+
+# IPv6 solicited-node multicast addresses
+ff02::1:ff00:1 ip6-mcast-1
+ff02::1:ff00:2 ip6-mcast-2
+ff02::1:ff00:10 ip6-mcast-10
+ff02::1:ff00:15 ip6-mcast-15
+ff02::1:ff00:20 ip6-mcast-20
+
+# IPv6 site-local addresses
+fec0::5 ip6-alice1.strongswan.org ip6-alice1
+fec1::10 ip6-alice.strongswan.org ip6-alice
+fec1::20 ip6-venus.strongswan.org ip6-venus
+fec1::1 ip6-moon1.strongswan.org ip6-moon1
+fec0::1 ip6-moon.strongswan.org ip6-moon
+fec0::10 ip6-carol.strongswan.org ip6-carol
+fec3::1 ip6-carol1.strongswan.org ip6-carol1
+fec0::15 ip6-winnetou.strongswan.org ip6-winnetou
+fec0::20 ip6-dave.strongswan.org ip6-dave
+fec3::2 ip6-dave1.strongswan.org ip6-dave1
+fec0::2 ip6-sun.strongswan.org ip6-sun
+fec2::1 ip6-sun1.strongswan.org ip6-sun1
+fec2::10 ip6-bob.strongswan.org ip6-bob
+
+# IPv6 link-local HW derived addresses
+fe80::fcfd:0aff:fe01:14 ip6-hw-venus.strongswan.org ip6-hw-venus
+fe80::fcfd:0aff:fe01:0a ip6-hw-alice.strongswan.org ip6-hw-alice
+fe80::fcfd:0aff:fe01:01 ip6-hw-moon1.strongswan.org ip6-hw-moon1
+fe80::fcfd:c0ff:fea8:01 ip6-hw-moon.strongswan.org ip6-hw-moon
+fe80::fcfd:c0ff:fea8:64 ip6-hw-carol.strongswan.org ip6-hw-carol
+fe80::fcfd:c0ff:fea8:96 ip6-hw-winnetou.strongswan.org ip6-hw-winnetou
+fe80::fcfd:c0ff:fea8:c8 ip6-hw-dave.strongswan.org ip6-hw-dave
+fe80::fcfd:c0ff:fea8:02 ip6-hw-sun.strongswan.org ip6-hw-sun
+fe80::fcfd:0aff:fe02:01 ip6-hw-sun1.strongswan.org ip6-hw-sun1
+fe80::fcfd:0aff:fe02:0a ip6-hw-bob.strongswan.org ip6-hw-bob
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..e43e0d785
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsourceip=%config
+ leftupdown=/etc/nat_updown
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
new file mode 100755
index 000000000..aab1df687
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/nat_updown
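Review bot: The hosts fixture maps the name uml1.strongswan.org twice: `+10.1.0.254 uml1.strongswan.org uml1` and, on the next line, `+10.2.0.254 uml1.strongswan.org uml2`. The alias uml2 on the second line suggests it was meant to be `10.2.0.254 uml2.strongswan.org uml2`; as written, a resolver returning the first match will never yield 10.2.0.254 for the FQDN. This presumably has no effect on the test itself, which only references alice2, but the copied fixture carries the inconsistency into every test that reuses it.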
@@ -0,0 +1,152 @@
+#! /bin/sh
+# NAT updown script
+#
+# Copyright (C) 2010 Andreas Steffen
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin"
+export PATH
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+case "$PLUTO_VERB:$1" in
+up-host:)
+ # connection to me coming up
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+down-host:)
+ # connection to me going down
+ # If you are doing a custom version, firewall commands go here.
+ ;;
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ iptables -A FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -A FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "inserted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ iptables -D FORWARD -i eth1 -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -D FORWARD -o eth1 -i $PLUTO_INTERFACE -d PH_IP_ALICE \
+ -s $PLUTO_PEER_CLIENT -j ACCEPT
+ iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -s PH_IP_ALICE \
+ -d $PLUTO_PEER_CLIENT -j SNAT --to-source $PLUTO_MY_SOURCEIP
+ echo "deleted NAT rule mapping PH_IP_ALICE to virtual IP $PLUTO_MY_SOURCEIP" >&2
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cb3d46293
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9cede8d56
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/ipsec.conf
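Review bot: The up-client branch appends the SNAT rule with `--to-source $PLUTO_MY_SOURCEIP` without checking that a virtual IP was actually assigned, so if the gateway hands out none the iptables call fails on an empty argument while the two FORWARD rules have already been inserted; a guard such as `if [ -z "$PLUTO_MY_SOURCEIP" ]; then echo "$0: no virtual IP assigned" >&2; exit 1; fi` at the top of the branch keeps the rule set consistent. The companion mark_updown script in this commit strips a possible prefix with `${PLUTO_MY_SOURCEIP%/*}` wherever it uses the variable, and `--to-source` does not take a CIDR, so the same stripping should be applied here unless the daemon is known to pass a bare address. Unlike mark_updown, this script also performs no `PLUTO_VERSION` or `$1` parameter check before acting, which is worth adding to keep the two updown scripts consistent.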
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsourceip=10.4.0.0/24
+ auto=add
diff --git a/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb3d46293
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-raw updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/nat-virtual-ip/posttest.dat b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
new file mode 100644
index 000000000..ee30e2c59
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::conntrack -F
+moon::rm /etc/nat_updown
diff --git a/testing/tests/ikev2/nat-virtual-ip/pretest.dat b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
new file mode 100644
index 000000000..abbca90d7
--- /dev/null
+++ b/testing/tests/ikev2/nat-virtual-ip/pretest.dat
@@ -0,0 +1,9 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::conntrack -F
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
+moon::sleep 1
diff --git a/testing/tests/ikev2/nat-virtual-ip/test.conf b/testing/tests/ikev2/nat-virtual-ip/test.conf new file mode 100644 index 000000000..1971a33ab --- /dev/null +++ b/testing/tests/ikev2/nat-virtual-ip/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="sun bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon sun" diff --git a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-cert/hosts/sun/etc/strongswan.conf 
@@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-psk-dscp/description.txt b/testing/tests/ikev2/net2net-psk-dscp/description.txt new file mode 100644 index 000000000..d4aefd5ce --- /dev/null +++ b/testing/tests/ikev2/net2net-psk-dscp/description.txt @@ -0,0 +1,13 @@ +In order to support Differentiated Services (DiffServ), two parallel IPsec +connections between the subnets behind the gateways moon and sun are +set up. Using XFRM marks one IPsec SA is designated for Best Effort (BE) +traffic and the second SA for Expedited Forwarding (EF) traffic. +

+The authentication is based on a pre-shared key (PSK). In order to guarantee that
+the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is
+bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK.
+

+Upon the successful establishment of the IPsec tunnel, leftfirewall=yes automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun.
diff --git a/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
new file mode 100644
index 000000000..5881d9246
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/evaltest.dat
@@ -0,0 +1,8 @@
+moon::ipsec statusall::dscp-be.*ESTABLISHED::YES
+moon::ipsec statusall::dscp-ef.*ESTABLISHED::YES
+sun::ipsec statusall::dscp-be.*ESTABLISHED::YES
+sun::ipsec statusall::dscp-ef.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..d78d27c1a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,38 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn dscp-be
+ leftid=@sun-be
+ rightid=@moon-be
+ mark=10
+ also=net-net
+ auto=add
+
+conn dscp-ef
+ leftid=@sun-ef
+ rightid=@moon-ef
+ mark=20
+ also=net-net
+ auto=add
+
+conn net-net
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ leftauth=psk
+ right=PH_IP_SUN
+ rightsubnet=10.2.0.0/16
+ rightauth=psk
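Review bot: In `conn dscp-be` and `conn dscp-ef` the identities are inverted relative to the host: moon's `left=PH_IP_MOON` (pulled in via `also=net-net`) is paired with `leftid=@sun-be`, so moon presents itself as `@sun-be`, and the sun copy of ipsec.conf in the following hunk mirrors this with `leftid=@moon-be`. The two files agree with each other, so the SAs establish, but the naming makes the per-ID IKE_SA selection that description.txt relies on hard to audit. On moon this would read `leftid=@moon-be` / `rightid=@sun-be` (and the `-ef` pair likewise), with the mirror on sun; ipsec.secrets lists all four IDs, so it needs no change.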
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..9079b520b
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@moon-be @moon-ef @sun-be @sun-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..5e8f49b17
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..9d2ef7471
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,38 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn dscp-be
+ leftid=@moon-be
+ rightid=@sun-be
+ mark=10
+ also=net-net
+ auto=add
+
+conn dscp-ef
+ leftid=@moon-ef
+ rightid=@sun-ef
+ mark=20
+ also=net-net
+ auto=add
+
+conn net-net
+ left=PH_IP_SUN
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ leftauth=psk
+ right=PH_IP_MOON
+ rightsubnet=10.1.0.0/16
+ rightauth=psk
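Review bot: Both secrets files bind a single PSK to all four identities (`@moon-be @moon-ef @sun-be @sun-ef : PSK ...`), so the distinct IKEv2 IDs that description.txt uses to keep the two IKE_SAs apart only select a connection; they do not separate authentication, since any holder of that one key can present any of the four IDs. That is acceptable for a test fixture, but a comment such as `# one PSK shared by all four IDs; the ID only selects the dscp-* conn` would keep a reader from taking the IDs for independently keyed peers. The sun copy in the next hunk also ends with four blank lines that moon's does not have; dropping them keeps the two files diffable.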
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..1d4ea790a
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,7 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+@sun-be @sun-ef @moon-be @moon-ef : PSK 0sv+NkxY9LLZvwj4qCC2o/gGrWDF2d21jL
+
+
+
+
diff --git a/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..5e8f49b17
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 gmp random hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-psk-dscp/posttest.dat b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
new file mode 100644
index 000000000..d070c1443
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+alice::iptables -t mangle -F OUTPUT
+venus::iptables -t mangle -F OUTPUT
+bob::iptables -t mangle -F OUTPUT
+
diff --git a/testing/tests/ikev2/net2net-psk-dscp/pretest.dat b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
new file mode 100644
index 000000000..058c24f8f
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/pretest.dat
@@ -0,0 +1,17 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+alice::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
+venus::iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class EF
+moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
+moon::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
+bob::iptables -t mangle -A OUTPUT -d PH_IP_ALICE -p icmp -j DSCP --set-dscp-class BE
+bob::iptables -t mangle -A OUTPUT -d PH_IP_VENUS -p icmp -j DSCP --set-dscp-class EF
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
+sun::iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up dscp-be
+moon::ipsec up dscp-ef
diff --git a/testing/tests/ikev2/net2net-psk-dscp/test.conf b/testing/tests/ikev2/net2net-psk-dscp/test.conf
new file mode 100644
index 000000000..13a8a2a48
--- /dev/null
+++ b/testing/tests/ikev2/net2net-psk-dscp/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
index 291f08db1..025e1c222 100644
--- a/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/net2net-rfc3779/hosts/moon/etc/strongswan.conf
@@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf index 291f08db1..025e1c222 100644 --- a/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-rfc3779/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-route/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf 
+++ b/testing/tests/ikev2/net2net-route/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-same-nets/description.txt b/testing/tests/ikev2/net2net-same-nets/description.txt new file mode 100644 index 000000000..d0eb3374f --- /dev/null +++ b/testing/tests/ikev2/net2net-same-nets/description.txt @@ -0,0 +1,15 @@ +A connection between two identical 10.0.0.0/14 networks behind the gateways moon +and sun is set up. In order to make network routing work, the subnet behind moon +sees the subnet behind sun as 10.4.0.0/14 whereas the subnet behind sun +sees the subnet behind moon as 10.8.0.0/14. The necessary network mappings are +done on gateway sun using the iptables MARK and NETMAP targets. +

+Upon the successful establishment of the IPsec tunnel, on gateway moon the directive
+leftfirewall=yes automatically inserts iptables-based firewall rules that let pass
+the tunneled traffic whereas on gateway sun the script indicated by
+leftupdown=/etc/mark_updown inserts iptables rules that set marks defined in the
+connection definition of ipsec.conf both on the inbound and outbound traffic, create
+the necessary NETMAP operations and forward the tunneled traffic.
+

+In order to test both tunnel and firewall, client alice behind gateway moon
+pings client bob located behind gateway sun and vice versa.
diff --git a/testing/tests/ikev2/net2net-same-nets/evaltest.dat b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
new file mode 100644
index 000000000..bf99bb278
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/evaltest.dat
@@ -0,0 +1,10 @@
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 10.6.0.10::64 bytes from 10.6.0.10: icmp_seq=1::YES
+bob::ping -c 1 10.9.0.10::64 bytes from 10.9.0.10: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo reply::YES
+bob::tcpdump::IP bob.strongswan.org > 10.9.0.10: ICMP echo request::YES
+bob::tcpdump::IP 10.9.0.10 > bob.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..8f43a4f6e
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftsubnet=10.0.0.0/14
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.4.0.0/14
+ auto=add
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..33e1e6656
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.4.0.0/14
+ leftupdown=/etc/mark_updown
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.0.0.0/14
+ mark_in=8
+ mark_out=4
+ auto=add
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..d7b68956c
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown
@@ -0,0 +1,224 @@
+#! /bin/sh
+# updown script setting inbound marks on ESP traffic in the mangle chain
+#
+# Copyright (C) 2003-2004 Nigel Meteringham
+# Copyright (C) 2003-2004 Tuomo Soini
+# Copyright (C) 2002-2004 Michael Richardson
+# Copyright (C) 2005-2010 Andreas Steffen
+#
+# This program is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by the
+# Free Software Foundation; either version 2 of the License, or (at your
+# option) any later version. See .
+#
+# This program is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# for more details.
+
+# CAUTION: Installing a new version of strongSwan will install a new
+# copy of this script, wiping out any custom changes you make. If
+# you need changes, make a copy of this under another name, and customize
+# that, and use the (left/right)updown parameters in ipsec.conf to make
+# strongSwan use yours instead of this default one.
+
+# things that this script gets (from ipsec_pluto(8) man page)
+#
+# PLUTO_VERSION
+# indicates what version of this interface is being
+# used. This document describes version 1.1. This
+# is upwardly compatible with version 1.0.
+#
+# PLUTO_VERB
+# specifies the name of the operation to be performed
+# (prepare-host, prepare-client, up-host, up-client,
+# down-host, or down-client). If the address family
+# for security gateway to security gateway communica-
+# tions is IPv6, then a suffix of -v6 is added to the
+# verb.
+#
+# PLUTO_CONNECTION
+# is the name of the connection for which we are
+# routing.
+#
+# PLUTO_NEXT_HOP
+# is the next hop to which packets bound for the peer
+# must be sent.
+#
+# PLUTO_INTERFACE
+# is the name of the ipsec interface to be used.
+#
+# PLUTO_REQID
+# is the requid of the ESP policy
+#
+# PLUTO_ME
+# is the IP address of our host.
+#
+# PLUTO_MY_ID
+# is the ID of our host.
+#
+# PLUTO_MY_CLIENT
+# is the IP address / count of our client subnet. If
+# the client is just the host, this will be the
+# host's own IP address / max (where max is 32 for
+# IPv4 and 128 for IPv6).
+#
+# PLUTO_MY_CLIENT_NET
+# is the IP address of our client net. If the client
+# is just the host, this will be the host's own IP
+# address.
+#
+# PLUTO_MY_CLIENT_MASK
+# is the mask for our client net. If the client is
+# just the host, this will be 255.255.255.255.
+#
+# PLUTO_MY_SOURCEIP
+# if non-empty, then the source address for the route will be
+# set to this IP address.
+#
+# PLUTO_MY_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_MY_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on our side.
+#
+# PLUTO_PEER
+# is the IP address of our peer.
+#
+# PLUTO_PEER_ID
+# is the ID of our peer.
+#
+# PLUTO_PEER_CA
+# is the CA which issued the cert of our peer.
+#
+# PLUTO_PEER_CLIENT
+# is the IP address / count of the peer's client sub-
+# net. If the client is just the peer, this will be
+# the peer's own IP address / max (where max is 32
+# for IPv4 and 128 for IPv6).
+#
+# PLUTO_PEER_CLIENT_NET
+# is the IP address of the peer's client net. If the
+# client is just the peer, this will be the peer's
+# own IP address.
+#
+# PLUTO_PEER_CLIENT_MASK
+# is the mask for the peer's client net. If the
+# client is just the peer, this will be
+# 255.255.255.255.
+#
+# PLUTO_PEER_PROTOCOL
+# is the IP protocol that will be transported.
+#
+# PLUTO_PEER_PORT
+# is the UDP/TCP port to which the IPsec SA is
+# restricted on the peer side.
+#
+# PLUTO_XAUTH_ID
+# is an optional user ID employed by the XAUTH protocol
+#
+# PLUTO_MARK_IN
+# is an optional XFRM mark set on the inbound IPsec SA
+#
+# PLUTO_MARK_OUT
+# is an optional XFRM mark set on the outbound IPsec SA
+#
+# PLUTO_ESP_ENC
+# contains the remote UDP port in the case of ESP_IN_UDP
+# encapsulation
+#
+
+# define a minimum PATH environment in case it is not set
+PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin"
+export PATH
+
+# check parameter(s)
+case "$1:$*" in
+':') # no parameters
+ ;;
+iptables:iptables) # due to (left/right)firewall; for default script only
+ ;;
+custom:*) # custom parameters (see above CAUTION comment)
+ ;;
+*) echo "$0: unknown parameters \`$*'" >&2
+ exit 2
+ ;;
+esac
+
+# define NETMAP
+SAME_NET=$PLUTO_PEER_CLIENT
+IN_NET=$PLUTO_MY_CLIENT
+OUT_NET="10.8.0.0/14"
+
+# define internal interface
+INT_INTERFACE="eth1"
+
+# is there an inbound mark to be set?
+if [ -n "$PLUTO_MARK_IN" ]
+then
+ if [ -n "$PLUTO_UDP_ENC" ]
+ then
+ SET_MARK_IN="-p udp --sport $PLUTO_UDP_ENC"
+ else
+ SET_MARK_IN="-p esp"
+ fi
+ SET_MARK_IN="$SET_MARK_IN -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN"
+fi
+
+# is there an outbound mark to be set?
+if [ -n "$PLUTO_MARK_OUT" ]
+then
+ SET_MARK_OUT="-i $INT_INTERFACE -s $SAME_NET -d $OUT_NET -j MARK --set-mark $PLUTO_MARK_OUT"
+fi
+
+# resolve octal escape sequences
+PLUTO_MY_ID=`printf "$PLUTO_MY_ID"`
+PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"`
+
+# the big choice
+case "$PLUTO_VERB:$1" in
+up-client:)
+ # connection to my client subnet coming up
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK_IN
+ iptables -t nat -A PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+ -d $IN_NET -j NETMAP --to $SAME_NET
+ iptables -I FORWARD 1 -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+ -s $SAME_NET -j NETMAP --to $OUT_NET
+ fi
+ if [ -n "$PLUTO_MARK_OUT" ]
+ then
+ iptables -t mangle -A PREROUTING $SET_MARK_OUT
+ iptables -t nat -A PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -d $OUT_NET -j NETMAP --to $SAME_NET
+ iptables -I FORWARD 1 -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+ iptables -t nat -A POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
+ -s $SAME_NET -j NETMAP --to $IN_NET
+ fi
+ ;;
+down-client:)
+ # connection to my client subnet going down
+ # If you are doing a custom version, firewall commands go here.
+ if [ -n "$PLUTO_MARK_IN" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK_IN
+ iptables -t nat -D PREROUTING -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN \
+ -d $IN_NET -j NETMAP --to $SAME_NET
+ iptables -D FORWARD -i $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_IN -j ACCEPT
+ iptables -t nat -D POSTROUTING -o eth1 -m mark --mark $PLUTO_MARK_IN \
+ -s $SAME_NET -j NETMAP --to $OUT_NET
+ fi
+ if [ -n "$PLUTO_MARK_OUT" ]
+ then
+ iptables -t mangle -D PREROUTING $SET_MARK_OUT
+ iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
+ fi
+ ;;
+*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2
+ exit 1
+ ;;
+esac
diff --git a/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/strongswan.conf
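Review bot: The `down-client` branch does not undo everything `up-client` installs: for `PLUTO_MARK_OUT` the two nat NETMAP rules (PREROUTING on `$INT_INTERFACE` and POSTROUTING on `$PLUTO_INTERFACE`) are never deleted, and the `PLUTO_MARK_IN` POSTROUTING deletion uses a literal `-o eth1` where the matching insert used `-o $INT_INTERFACE`, so any change to `INT_INTERFACE` leaves that rule behind as well. Stale NETMAP rules keep rewriting addresses after the SA is gone, which is exactly what a teardown hook exists to prevent; note that posttest.dat in this commit lists the nat table before `ipsec stop`, so the test output would not show the leftovers. The header comment also documents `PLUTO_ESP_ENC` while the code tests `$PLUTO_UDP_ENC`; the two names should agree, checked against what the updown plugin actually exports. The rewritten branch below mirrors the up-client rules one for one.
```shell
down-client:)
	# connection to my client subnet going down
	# If you are doing a custom version, firewall commands go here.
	if [ -n "$PLUTO_MARK_IN" ]
	then
		# … unchanged: mangle PREROUTING, nat PREROUTING NETMAP and FORWARD deletions …
		iptables -t nat -D POSTROUTING -o $INT_INTERFACE -m mark --mark $PLUTO_MARK_IN \
		    -s $SAME_NET -j NETMAP --to $OUT_NET
	fi
	if [ -n "$PLUTO_MARK_OUT" ]
	then
		iptables -t mangle -D PREROUTING $SET_MARK_OUT
		iptables -t nat -D PREROUTING -i $INT_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
		    -d $OUT_NET -j NETMAP --to $SAME_NET
		iptables -D FORWARD -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT -j ACCEPT
		iptables -t nat -D POSTROUTING -o $PLUTO_INTERFACE -m mark --mark $PLUTO_MARK_OUT \
		    -s $SAME_NET -j NETMAP --to $IN_NET
	fi
	;;
```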
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/net2net-same-nets/posttest.dat b/testing/tests/ikev2/net2net-same-nets/posttest.dat
new file mode 100644
index 000000000..e75e66650
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/posttest.dat
@@ -0,0 +1,7 @@
+sun::iptables -t mangle -n -v -L PREROUTING
+sun::iptables -t nat -n -v -L
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::conntrack -F
diff --git a/testing/tests/ikev2/net2net-same-nets/pretest.dat b/testing/tests/ikev2/net2net-same-nets/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/net2net-same-nets/test.conf b/testing/tests/ikev2/net2net-same-nets/test.conf
new file mode 100644
index 000000000..1971a33ab
--- /dev/null
+++ b/testing/tests/ikev2/net2net-same-nets/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun bob"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/moon/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf index 291f08db1..cb17a9e07 100644 --- a/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ikev2/net2net-start/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown multiple_authentication = no } diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } 
diff --git a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-local-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } 
diff --git a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-multi-level/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/ocsp-no-signer-cert/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } 
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-revoked/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-root-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-signer-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-strict-ifuri/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-good/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-timeouts-unknown/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
index dd2df0670..88f162098 100644
--- a/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/ocsp-untrusted-cert/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-early/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/reauth-late/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index ee0e454da..6d762c970 100644
--- a/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index ee0e454da..6d762c970 100644
--- a/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index ee0e454da..6d762c970 100644
--- a/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
 libstrongswan {
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
index df11f5ea3..ccf446f79 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
index df11f5ea3..ccf446f79 100644
--- a/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
index eef03e3b4..5821bc12d 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
index eef03e3b4..5821bc12d 100644
--- a/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-aka eap-aka-3gpp2 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
index 6609a2115..fe067d344 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
index f0e7da85e..2a18af887 100644
--- a/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
 plugins {
 eap-radius {
 secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
index 6fcf5999e..57bd6cceb 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
index a7f7b99ec..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
 plugins {
 eap-radius {
 secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
index 6fcf5999e..57bd6cceb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
index 6fcf5999e..57bd6cceb 100644
--- a/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-md5-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-md5 updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
index 8d2f57828..fd717317c 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+ load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
index 8d2f57828..fd717317c 100644
--- a/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-mschapv2-id-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
+ load = curl aes des sha1 sha2 md4 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-mschapv2 eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
index 2435403a4..7b4ab49e4 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file eap-identity updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
index f0e7da85e..2a18af887 100644
--- a/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-id-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius eap-identity updown
 plugins {
 eap-radius {
 secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
index e4ef757fb..9f82ffa2f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/carol/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
index e4ef757fb..9f82ffa2f 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/dave/etc/strongswan.conf
@@ -1,6 +1,6 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 send_vendor_id = yes
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
index d77218b77..8250ae1ab 100644
--- a/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-only-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
 send_vendor_id = yes
 plugins {
 eap-radius {
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
index a7f7b99ec..f21745bcd 100644
--- a/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-radius/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-radius updown
 plugins {
 eap-radius {
 secret = gv6URkSs
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
index 6e1818c9e..e468cd4f9 100644
--- a/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-eap-sim-rsa/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default fips-prf eap-sim eap-sim-file updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/carol/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
 hash_and_url = yes
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/dave/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
 hash_and_url = yes
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
index b71db18dd..d9349846c 100644
--- a/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/rw-hash-and-url/hosts/moon/etc/strongswan.conf
@@ -2,5 +2,5 @@
 
 charon {
 hash_and_url = yes
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/ikev2/rw-mark-in-out/description.txt b/testing/tests/ikev2/rw-mark-in-out/description.txt
new file mode 100644
index 000000000..4c35081b1
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/description.txt
@@ -0,0 +1,16 @@
+The roadwarriors alice and venus sitting behind the router moon set up
+tunnels to gateway sun. Since both roadwarriors possess the same 10.1.0.0/25 subnet,
+gateway sun uses Source NAT after ESP decryption to map these subnets to 10.3.0.10
+and 10.3.0.20, respectively.
+

+In order to differentiate between the tunnels to alice and venus, respectively,
+XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using
+the mark_in and mark_out parameters in ipsec.conf.
+

+iptables -t mangle rules are then used in the PREROUTING chain to mark the traffic to
+and from alice and venus, respectively.
+

+The script designated by leftupdown=/etc/mark_updown automatically inserts
+iptables mangle rules that mark the inbound ESP packets as well as iptables IPsec-policy rules
+that let pass the tunneled traffic. In order to test the tunnel, the hosts alice
+and venus ping the client bob behind the gateway sun.
diff --git a/testing/tests/ikev2/rw-mark-in-out/evaltest.dat b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
new file mode 100644
index 000000000..c248a508a
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/evaltest.dat
@@ -0,0 +1,16 @@
+alice::ipsec statusall::home.*INSTALLED::YES
+venus::ipsec statusall::home.*INSTALLED::YES
+sun::ipsec statusall::alice.*ESTABLISHED.*alice@strongswan.org::YES
+sun::ipsec statusall::venus.*ESTABLISHED.*venus.strongswan.org::YES
+sun::ipsec statusall::alice.*10.2.0.0/16 === 10.1.0.0/25::YES
+sun::ipsec statusall::venus.*10.2.0.0/16 === 10.1.0.0/25::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+venus::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+moon::tcpdump::IP alice.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP venus.strongswan.org > sun.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > alice.strongswan.org: ESP::YES
+moon::tcpdump::IP sun.strongswan.org > venus.strongswan.org: ESP::YES
+bob::tcpdump::10.3.0.10 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::10.3.0.20 > bob.strongswan.org: ICMP echo request::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.10: ICMP echo reply::YES
+bob::tcpdump::bob.strongswan.org > 10.3.0.20: ICMP echo reply::YES
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow ESP
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MOBIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..dd0240b07
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=aliceCert.pem
+ leftid=alice@strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..5fa211c2a
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/ipsec.conf
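Review bot: The comment `# allow MOBIKE` above the two UDP 4500 rules in start() mislabels what they permit: UDP 4500 is the IKE/ESP NAT-Traversal port (IKE floats to it and ESP is UDP-encapsulated on it once a NAT is detected), which MOBIKE also happens to use but which is needed whether or not MOBIKE is in play. Suggest `# allow IKE NAT-Traversal / UDP-encapsulated ESP (UDP 4500, also used by MOBIKE)`. Less importantly, the `# allow ssh` pair is the only rule set with neither an `-i eth0` nor a `-s`/`-d` restriction, so under the DROP default policy it is the widest opening in an otherwise tightly scoped fixture; a one-line comment stating that this is intentional for the test harness would stop a reader from "fixing" it. The copy under hosts/venus/etc/init.d/iptables is byte-identical (same blob 5594bbf52) and carries the same comment.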
@@ -0,0 +1,37 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="knl 2"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn alice
+ rightid=alice@strongswan.org
+ mark_in=10/0xffffffff
+ mark_out=11/0xffffffff
+ also=sun
+ auto=add
+
+conn venus
+ rightid=@venus.strongswan.org
+ mark_in=20 #0xffffffff is used by default
+ mark_out=21 #0xffffffff is used by default
+ also=sun
+ auto=add
+
+conn sun
+ left=PH_IP_SUN
+ leftcert=sunCert.pem
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftupdown=/etc/mark_updown
+ right=%any
+ rightsubnet=0.0.0.0/0
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
new file mode 100755
index 000000000..442233f32
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/mark_updown
@@ -0,0 +1,527 @@ +#! /bin/sh +# updown script setting inbound marks on ESP traffic in the mangle chain +# +# Copyright (C) 2003-2004 Nigel Meteringham +# Copyright (C) 2003-2004 Tuomo Soini +# Copyright (C) 2002-2004 Michael Richardson +# Copyright (C) 2005-2010 Andreas Steffen +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. See . +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY +# or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# for more details. + +# CAUTION: Installing a new version of strongSwan will install a new +# copy of this script, wiping out any custom changes you make. If +# you need changes, make a copy of this under another name, and customize +# that, and use the (left/right)updown parameters in ipsec.conf to make +# strongSwan use yours instead of this default one. + +# things that this script gets (from ipsec_pluto(8) man page) +# +# PLUTO_VERSION +# indicates what version of this interface is being +# used. This document describes version 1.1. This +# is upwardly compatible with version 1.0. +# +# PLUTO_VERB +# specifies the name of the operation to be performed +# (prepare-host, prepare-client, up-host, up-client, +# down-host, or down-client). If the address family +# for security gateway to security gateway communica- +# tions is IPv6, then a suffix of -v6 is added to the +# verb. +# +# PLUTO_CONNECTION +# is the name of the connection for which we are +# routing. +# +# PLUTO_NEXT_HOP +# is the next hop to which packets bound for the peer +# must be sent. +# +# PLUTO_INTERFACE +# is the name of the ipsec interface to be used. 
+# +# PLUTO_REQID +# is the requid of the ESP policy +# +# PLUTO_ME +# is the IP address of our host. +# +# PLUTO_MY_ID +# is the ID of our host. +# +# PLUTO_MY_CLIENT +# is the IP address / count of our client subnet. If +# the client is just the host, this will be the +# host's own IP address / max (where max is 32 for +# IPv4 and 128 for IPv6). +# +# PLUTO_MY_CLIENT_NET +# is the IP address of our client net. If the client +# is just the host, this will be the host's own IP +# address. +# +# PLUTO_MY_CLIENT_MASK +# is the mask for our client net. If the client is +# just the host, this will be 255.255.255.255. +# +# PLUTO_MY_SOURCEIP +# if non-empty, then the source address for the route will be +# set to this IP address. +# +# PLUTO_MY_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_MY_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on our side. +# +# PLUTO_PEER +# is the IP address of our peer. +# +# PLUTO_PEER_ID +# is the ID of our peer. +# +# PLUTO_PEER_CA +# is the CA which issued the cert of our peer. +# +# PLUTO_PEER_CLIENT +# is the IP address / count of the peer's client sub- +# net. If the client is just the peer, this will be +# the peer's own IP address / max (where max is 32 +# for IPv4 and 128 for IPv6). +# +# PLUTO_PEER_CLIENT_NET +# is the IP address of the peer's client net. If the +# client is just the peer, this will be the peer's +# own IP address. +# +# PLUTO_PEER_CLIENT_MASK +# is the mask for the peer's client net. If the +# client is just the peer, this will be +# 255.255.255.255. +# +# PLUTO_PEER_PROTOCOL +# is the IP protocol that will be transported. +# +# PLUTO_PEER_PORT +# is the UDP/TCP port to which the IPsec SA is +# restricted on the peer side. 
+# +# PLUTO_XAUTH_ID +# is an optional user ID employed by the XAUTH protocol +# +# PLUTO_MARK_IN +# is an optional XFRM mark set on the inbound IPsec SA +# +# PLUTO_MARK_OUT +# is an optional XFRM mark set on the outbound IPsec SA +# +# PLUTO_ESP_ENC +# contains the remote UDP port in the case of ESP_IN_UDP +# encapsulation +# + +# define a minimum PATH environment in case it is not set +PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/sbin" +export PATH + +# uncomment to log VPN connections +VPN_LOGGING=1 +# +# tag put in front of each log entry: +TAG=vpn +# +# syslog facility and priority used: +FAC_PRIO=local0.notice +# +# to create a special vpn logging file, put the following line into +# the syslog configuration file /etc/syslog.conf: +# +# local0.notice -/var/log/vpn + +# in order to use source IP routing the Linux kernel options +# CONFIG_IP_ADVANCED_ROUTER and CONFIG_IP_MULTIPLE_TABLES +# must be enabled +# +# special routing table for sourceip routes +SOURCEIP_ROUTING_TABLE=220 +# +# priority of the sourceip routing table +SOURCEIP_ROUTING_TABLE_PRIO=220 + +# check interface version +case "$PLUTO_VERSION" in +1.[0|1]) # Older Pluto?!? Play it safe, script may be using new features. + echo "$0: obsolete interface version \`$PLUTO_VERSION'," >&2 + echo "$0: called by obsolete Pluto?" >&2 + exit 2 + ;; +1.*) ;; +*) echo "$0: unknown interface version \`$PLUTO_VERSION'" >&2 + exit 2 + ;; +esac + +# check parameter(s) +case "$1:$*" in +':') # no parameters + ;; +iptables:iptables) # due to (left/right)firewall; for default script only + ;; +custom:*) # custom parameters (see above CAUTION comment) + ;; +*) echo "$0: unknown parameters \`$*'" >&2 + exit 2 + ;; +esac + +# utility functions for route manipulation +# Meddling with this stuff should not be necessary and requires great care. +uproute() { + doroute add + ip route flush cache +} +downroute() { + doroute delete + ip route flush cache +} + +addsource() { + st=0 + if ! 
ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local + then + it="ip addr add ${PLUTO_MY_SOURCEIP%/*}/32 dev $PLUTO_INTERFACE" + oops="`eval $it 2>&1`" + st=$? + if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: addsource \`$it' failed ($oops)" >&2 + fi + fi + return $st +} + +doroute() { + st=0 + + if [ -z "$PLUTO_MY_SOURCEIP" ] + then + for dir in /etc/sysconfig /etc/conf.d; do + if [ -f "$dir/defaultsource" ] + then + . "$dir/defaultsource" + fi + done + + if [ -n "$DEFAULTSOURCE" ] + then + PLUTO_MY_SOURCEIP=$DEFAULTSOURCE + fi + fi + + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # leave because no route entry is required + return $st + fi + + parms1="$PLUTO_PEER_CLIENT" + + if [ -n "$PLUTO_NEXT_HOP" ] + then + parms2="via $PLUTO_NEXT_HOP" + else + parms2="via $PLUTO_PEER" + fi + parms2="$parms2 dev $PLUTO_INTERFACE" + + parms3= + if [ -n "$PLUTO_MY_SOURCEIP" ] + then + if test "$1" = "add" + then + addsource + if ! ip rule list | grep -q "lookup $SOURCEIP_ROUTING_TABLE" + then + ip rule add pref $SOURCEIP_ROUTING_TABLE_PRIO table $SOURCEIP_ROUTING_TABLE + fi + fi + parms3="$parms3 src ${PLUTO_MY_SOURCEIP%/*} table $SOURCEIP_ROUTING_TABLE" + fi + + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # opportunistic encryption work around + # need to provide route that eclipses default, without + # replacing it. + it="ip route $1 0.0.0.0/1 $parms2 $parms3 && + ip route $1 128.0.0.0/1 $parms2 $parms3" + ;; + *) it="ip route $1 $parms1 $parms2 $parms3" + ;; + esac + oops="`eval $it 2>&1`" + st=$? 
+ if test " $oops" = " " -a " $st" != " 0" + then + oops="silent error, exit status $st" + fi + if test " $oops" != " " -o " $st" != " 0" + then + echo "$0: doroute \`$it' failed ($oops)" >&2 + fi + return $st +} + +# in the presence of KLIPS and ipsecN interfaces do not use IPSEC_POLICY +if [ `echo "$PLUTO_INTERFACE" | grep "ipsec"` ] +then + KLIPS=1 + IPSEC_POLICY_IN="" + IPSEC_POLICY_OUT="" +else + KLIPS= + IPSEC_POLICY="-m policy --pol ipsec --proto esp --reqid $PLUTO_REQID" + IPSEC_POLICY_IN="$IPSEC_POLICY --dir in" + IPSEC_POLICY_OUT="$IPSEC_POLICY --dir out" +fi + +# is there an inbound mark to be set? +if [ -n "$PLUTO_MARK_IN" ] +then + if [ -n "$PLUTO_UDP_ENC" ] + then + SET_MARK="-p udp --sport $PLUTO_UDP_ENC" + else + SET_MARK="-p esp" + fi + SET_MARK="$SET_MARK -s $PLUTO_PEER -j MARK --set-mark $PLUTO_MARK_IN" +fi + +# are there port numbers? +if [ "$PLUTO_MY_PORT" != 0 ] +then + S_MY_PORT="--sport $PLUTO_MY_PORT" + D_MY_PORT="--dport $PLUTO_MY_PORT" +fi +if [ "$PLUTO_PEER_PORT" != 0 ] +then + S_PEER_PORT="--sport $PLUTO_PEER_PORT" + D_PEER_PORT="--dport $PLUTO_PEER_PORT" +fi + +# resolve octal escape sequences +PLUTO_MY_ID=`printf "$PLUTO_MY_ID"` +PLUTO_PEER_ID=`printf "$PLUTO_PEER_ID"` + +# the big choice +case "$PLUTO_VERB:$1" in +prepare-host:*|prepare-client:*) + if [ -z "$KLIPS" -a -z "$PLUTO_MY_SOURCEIP" ] + then + # exit because no route will be added, + # so that existing routes can stay + exit 0 + fi + + # delete possibly-existing route (preliminary to adding a route) + case "$PLUTO_PEER_CLIENT_NET/$PLUTO_PEER_CLIENT_MASK" in + "0.0.0.0/0.0.0.0") + # need to provide route that eclipses default, without + # replacing it. + parms1="0.0.0.0/1" + parms2="128.0.0.0/1" + it="ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1" + oops="`ip route delete $parms1 2>&1 ; ip route delete $parms2 2>&1`" + ;; + *) + parms="$PLUTO_PEER_CLIENT" + it="ip route delete $parms 2>&1" + oops="`ip route delete $parms 2>&1`" + ;; + esac + status="$?" 
+ if test " $oops" = " " -a " $status" != " 0" + then + oops="silent error, exit status $status" + fi + case "$oops" in + *'RTNETLINK answers: No such process'*) + # This is what route (currently -- not documented!) gives + # for "could not find such a route". + oops= + status=0 + ;; + esac + if test " $oops" != " " -o " $status" != " 0" + then + echo "$0: \`$it' failed ($oops)" >&2 + fi + exit $status + ;; +route-host:*|route-client:*) + # connection to me or my client subnet being routed + uproute + ;; +unroute-host:*|unroute-client:*) + # connection to me or my client subnet being unrouted + downroute + ;; +up-host:) + # connection to me coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +down-host:) + # connection to me going down + # If you are doing a custom version, firewall commands go here. 
+ if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_ME $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_ME $S_MY_PORT $IPSEC_POLICY_OUT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT -j ACCEPT + # + # log IPsec host connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME" + fi + fi + ;; +up-client:) + # connection to my client subnet coming up + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -A PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -I FORWARD 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + iptables -I FORWARD 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -I INPUT 1 -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT $IPSEC_POLICY_IN -j ACCEPT + iptables -I OUTPUT 1 -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection setup + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = 
"$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO \ + "+ $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +down-client:) + # connection to my client subnet going down + # If you are doing a custom version, firewall commands go here. + if [ -n "$PLUTO_MARK_IN" ] + then + iptables -t mangle -D PREROUTING $SET_MARK + fi + if [ "$PLUTO_PEER_CLIENT" != "$PLUTO_MY_SOURCEIP/32" ] + then + iptables -D FORWARD -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + iptables -D FORWARD -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + fi + # + # a virtual IP requires an INPUT and OUTPUT rule on the host + # or sometimes host access via the internal IP is needed + if [ -n "$PLUTO_MY_SOURCEIP" -o -n "$PLUTO_HOST_ACCESS" ] + then + iptables -D INPUT -i $PLUTO_INTERFACE -p $PLUTO_MY_PROTOCOL \ + -s $PLUTO_PEER_CLIENT $S_PEER_PORT \ + -d $PLUTO_MY_CLIENT $D_MY_PORT \ + $IPSEC_POLICY_IN -j ACCEPT + iptables -D OUTPUT -o $PLUTO_INTERFACE -p $PLUTO_PEER_PROTOCOL \ + -s $PLUTO_MY_CLIENT $S_MY_PORT \ + -d $PLUTO_PEER_CLIENT $D_PEER_PORT \ + $IPSEC_POLICY_OUT -j ACCEPT + fi + # + # log IPsec client connection teardown + if [ $VPN_LOGGING ] + then + if [ "$PLUTO_PEER_CLIENT" = "$PLUTO_PEER/32" ] + then + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + else + logger -t $TAG -p $FAC_PRIO -- \ + "- $PLUTO_PEER_ID $PLUTO_PEER_CLIENT == $PLUTO_PEER -- $PLUTO_ME == $PLUTO_MY_CLIENT" + fi + fi + ;; +*) echo "$0: unknown verb \`$PLUTO_VERB' or parameter \`$1'" >&2 + exit 1 + ;; +esac 
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
new file mode 100755
index 000000000..5594bbf52
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/init.d/iptables
@@ -0,0 +1,77 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow ESP
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MOBIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
new file mode 100755
index 000000000..4af93df8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=%defaultroute
+ leftsubnet=10.1.0.0/25
+ leftcert=venusCert.pem
+ leftid=@venus.strongswan.org
+ leftfirewall=yes
+ lefthostaccess=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
new file mode 100644
index 000000000..339b56987
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/hosts/venus/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+}
diff --git a/testing/tests/ikev2/rw-mark-in-out/posttest.dat b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
new file mode 100644
index 000000000..fae79271b
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/posttest.dat
@@ -0,0 +1,12 @@
+sun::iptables -t mangle -v -n -L PREROUTING
+sun::ipsec stop
+alice::ipsec stop
+venus::ipsec stop
+alice::/etc/init.d/iptables stop 2> /dev/null
+venus::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+sun::ip route del 10.1.0.0/16 via PH_IP_MOON
+sun::conntrack -F
+sun::rm /etc/mark_updown
+moon::iptables -t nat -F
+moon::conntrack -F
diff --git a/testing/tests/ikev2/rw-mark-in-out/pretest.dat b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
new file mode 100644
index 000000000..3d9a5f340
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/pretest.dat
@@ -0,0 +1,18 @@
+alice::/etc/init.d/iptables start 2> /dev/null
+venus::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::echo 1 > /proc/sys/net/ipv4/ip_forward
+moon::iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to PH_IP_MOON
+sun::ip route add 10.1.0.0/16 via PH_IP_MOON
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 10 -j SNAT --to 10.3.0.10
+sun::iptables -t nat -A POSTROUTING -o eth1 -m mark --mark 20 -j SNAT --to 10.3.0.20
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 11
+sun::iptables -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 21
+alice::ipsec start
+venus::ipsec start
+sun::ipsec start
+alice::sleep 2
+alice::ipsec up home
+venus::sleep 2
+venus::ipsec up home
+venus::sleep 2
diff --git a/testing/tests/ikev2/rw-mark-in-out/test.conf b/testing/tests/ikev2/rw-mark-in-out/test.conf
new file mode 100644
index 000000000..ae3c190b8
--- /dev/null
+++ b/testing/tests/ikev2/rw-mark-in-out/test.conf
@@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice venus moon winnetou sun bob" + +# Corresponding block diagram +# +DIAGRAM="a-v-m-w-s-b.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon bob" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="alice venus sun" diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 
--- a/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-mixed/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 
--- a/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 
--- a/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/strong-keys-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/two-certs/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 
--- a/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip-override/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf index de9ae45cc..339b56987 100644 
--- a/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf index de9ae45cc..339b56987 100644 --- a/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/virtual-ip/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf 
+++ b/testing/tests/ikev2/wildcards/hosts/carol/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/dave/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf index dd2df0670..88f162098 100644 --- a/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ikev2/wildcards/hosts/moon/etc/strongswan.conf @@ -1,5 +1,5 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/moon/etc/strongswan.conf 
@@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/host2host-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ikev2/hosts/sun/etc/strongswan.conf 
@@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip4-in-ip6-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf index 29132e757..393ea64f9 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/moon/etc/strongswan.conf 
@@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown install_routes = no } diff --git a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf index 73d687a0c..014b5d935 100644 --- a/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-ip6-in-ip4-ikev2/hosts/sun/etc/strongswan.conf @@ -1,6 +1,6 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown install_routes=no } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf 
+++ b/testing/tests/ipv6/net2net-rfc3779-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-ikev2/hosts/moon/etc/strongswan.conf 
@@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/carol/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/dave/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..94873ddeb 100644 --- a/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/rw-rfc3779-ikev2/hosts/moon/etc/strongswan.conf 
@@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation addrblock hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/moon/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf index b71db18dd..d9349846c 100644 --- a/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf +++ b/testing/tests/ipv6/transport-ikev2/hosts/sun/etc/strongswan.conf @@ -2,5 +2,5 @@ charon { hash_and_url = yes - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown } diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/carol/etc/strongswan.conf 
@@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-camellia/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt index b8efbe87e..f2b26fd7c 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-high/description.txt @@ -1,7 +1,7 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical functions -whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp plus the openssl plugin for +plugin based on the OpenSSL library for all cryptographical and X.509 certificate +functions whereas roadwarrior dave uses the default strongSwan cryptographical +plugins aes des sha1 sha2 md5 gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

The roadwarriors carol and dave set up a connection each diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-high/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt index 4f043e7d9..5b0241433 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/description.txt +++ b/testing/tests/openssl-ikev1/alg-ecp-low/description.txt 
@@ -1,7 +1,7 @@ The roadwarrior carol and the gateway moon use the openssl -plugin based on the OpenSSL library for all cryptographical functions -whereas roadwarrior dave uses the default strongSwan cryptographical -plugins aes des sha1 sha2 md5 gmp plus the openssl plugin for +plugin based on the OpenSSL library for all cryptographical and X.509 certificate +functions whereas roadwarrior dave uses the default strongSwan cryptographical +plugins aes des sha1 sha2 md5 gmp x509 plus the openssl plugin for the Elliptic Curve Diffie-Hellman groups only.

The roadwarriors carol and dave set up a connection each diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf index 2247496db..63892fd33 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf index 2247496db..63892fd33 100644 --- a/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/alg-ecp-low/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt index 2c098d898..4f855eb1a 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/description.txt +++ b/testing/tests/openssl-ikev1/ecdsa-certs/description.txt @@ -1,5 +1,5 @@ The hosts carol, dave, and moon use the openssl plugin -based on the OpenSSL library for all cryptographical functions. +based on the OpenSSL library for all cryptographical and X.509 certificate functions.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on ECDSA signatures diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/carol/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf index 3562ddc67..a96b54446 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = aes des sha1 sha2 md5 pem pkcs1 x509 gmp pem pkcs1 openssl random hmac curl + load = pem pkcs1 pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) diff --git a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf index 85684b1c9..4ccc387bd 100644 --- a/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf +++ b/testing/tests/openssl-ikev1/ecdsa-certs/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file pluto { - load = pem pkcs1 x509 openssl random hmac curl + load = pem pkcs1 openssl random hmac curl } # pluto uses optimized DH exponent sizes (RFC 3526) 
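Review bot: The rewritten load line for dave in testing/tests/openssl-ikev1/ecdsa-certs/hosts/dave/etc/strongswan.conf, `load = pem pkcs1 pem pkcs1 openssl random hmac curl`, still names `pem pkcs1` twice; the duplication was carried over from the old line and this rewrite was the place to drop it. Every other load line in the commit lists each plugin once, and the updated ecdsa-certs description says dave now uses the openssl plugin for certificate functions just like carol and moon, so `load = pem pkcs1 openssl random hmac curl` would make dave's file identical to carol's and moon's in the same test.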
diff --git a/testing/tests/openssl-ikev1/rw-cert/description.txt b/testing/tests/openssl-ikev1/rw-cert/description.txt
index 0f721c52b..5185b5216 100644
--- a/testing/tests/openssl-ikev1/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev1/rw-cert/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior carol and the gateway moon use the openssl
-plugin based on the OpenSSL library for all cryptographical functions
-whereas roadwarrior dave uses the default strongSwan cryptographical
-plugins aes des sha1 sha2 md5 gmp.
+plugin based on the OpenSSL library for all cryptographical and X.509
+certificate functions whereas roadwarrior dave uses the default strongSwan
+cryptographical plugins aes des sha1 sha2 md5 gmp and x509.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates.
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
index e4d41df39..1029b8536 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
index 1531d9933..edc6dbed4 100644
--- a/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev1/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 pluto {
-  load = test-vectors pem pkcs1 x509 openssl random hmac curl
+  load = test-vectors pem pkcs1 openssl random hmac curl
 }
 
 # pluto uses optimized DH exponent sizes (RFC 3526)
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-blowfish/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
index 6420b3414..e96dfe574 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
index 6420b3414..e96dfe574 100644
--- a/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-camellia/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
index b8efbe87e..a1f31495d 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior carol and the gateway moon use the openssl
-plugin based on the OpenSSL library for all cryptographical functions
-whereas roadwarrior dave uses the default strongSwan cryptographical
-plugins aes des sha1 sha2 md5 gmp plus the openssl plugin for
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the OpenSSL library for all cryptographical and X.509
+certificate functions whereas roadwarrior dave uses the default strongSwan
+cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl
+plugin for the Elliptic Curve Diffie-Hellman groups only.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
index f988d90b4..8dcf8e96f 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-high/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
index 4f043e7d9..84b6eb4bf 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/description.txt
@@ -1,8 +1,8 @@
 The roadwarrior carol and the gateway moon use the openssl
-plugin based on the OpenSSL library for all cryptographical functions
-whereas roadwarrior dave uses the default strongSwan cryptographical
-plugins aes des sha1 sha2 md5 gmp plus the openssl plugin for
-the Elliptic Curve Diffie-Hellman groups only.
+plugin based on the OpenSSL library for all cryptographical and X.509
+certificate functions whereas roadwarrior dave uses the default strongSwan
+cryptographical plugins aes des sha1 sha2 md5 gmp x509 plus the openssl
+plugin for the Elliptic Curve Diffie-Hellman groups only.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates.
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
index f988d90b4..8dcf8e96f 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
index b8038df01..b9da84efb 100644
--- a/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/alg-ecp-low/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
index 2c098d898..4f855eb1a 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/description.txt
@@ -1,5 +1,5 @@
 The hosts carol, dave, and moon use the openssl plugin
-based on the OpenSSL library for all cryptographical functions.
+based on the OpenSSL library for all cryptographical and X.509 certificate functions.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on ECDSA signatures
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/dave/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
index 807ca9411..bdbdad2e5 100644
--- a/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/ecdsa-certs/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/openssl-ikev2/rw-cert/description.txt b/testing/tests/openssl-ikev2/rw-cert/description.txt
index 0f721c52b..b16faad06 100644
--- a/testing/tests/openssl-ikev2/rw-cert/description.txt
+++ b/testing/tests/openssl-ikev2/rw-cert/description.txt
@@ -1,7 +1,7 @@
 The roadwarrior carol and the gateway moon use the openssl
-plugin based on the OpenSSL library for all cryptographical functions
-whereas roadwarrior dave uses the default strongSwan cryptographical
-plugins aes des sha1 sha2 md5 gmp.
+plugin based on the OpenSSL library for all cryptographical and X.509 certificate
+functions whereas roadwarrior dave uses the default strongSwan cryptographical
+plugins aes des sha1 sha2 md5 gmp and x509.

The roadwarriors carol and dave set up a connection each to gateway moon. The authentication is based on X.509 certificates.
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
index a442b244d..206f029f3 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
index 6fcefc56a..208f1c36d 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/dave/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
index aa50403d8..3ae6205cb 100644
--- a/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/openssl-ikev2/rw-cert/hosts/moon/etc/strongswan.conf
@@ -1,7 +1,7 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl test-vectors pem pkcs1 openssl random x509 hmac stroke kernel-netlink socket-default updown
+  load = curl test-vectors pem pkcs1 openssl revocation random hmac stroke kernel-netlink socket-default updown
 }
 
 libstrongswan {
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/p2pnat/behind-same-nat/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/bob/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
index de9ae45cc..339b56987 100644
--- a/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/p2pnat/medsrv-psk/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-aes-xcbc/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha384/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/alg-sha512/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/esp-alg-null/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/host2host-transport/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/alice/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
+++ b/testing/tests/pfkey/nat-two-rw/hosts/venus/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
+++ b/testing/tests/pfkey/net2net-route/hosts/sun/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-dual/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
index 1d17b3614..21015f8a2 100644
--- a/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/pfkey/protoport-route/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 
 charon {
-  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
+  load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown
 }
diff --git a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
index 7d8cda47e..d59e04ef3 100644
--- a/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/pfkey/rw-cert/hosts/carol/etc/strongswan.conf
@@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf index 7d8cda47e..d59e04ef3 100644 --- a/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/dave/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf index 7d8cda47e..d59e04ef3 100644 --- a/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/pfkey/rw-cert/hosts/moon/etc/strongswan.conf @@ -1,7 +1,7 @@ # /etc/strongswan.conf - strongSwan configuration file charon { - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-pfkey kernel-netlink socket-default updown } libstrongswan { diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 
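Review bot: Every foreign-key value touched in these hunks (`1, 3`, `2, 5`, `1, 4`, `'home', 1, 4, 6`) is an implicit SQLite rowid that shifted by one because a row was inserted into `identities` above it; insert order is the only thing keeping `local_id`/`remote_id` pointed at carol and moon, and the next identity added silently rebinds the private key or peer config to a different identity. Give the referenced rows explicit ids so the references are stable, e.g. `INSERT INTO identities (id, type, data) VALUES (3, 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc');`, or at minimum annotate each reference with a comment like `/* identity 6 = moon.strongswan.org */`. Identity 6 is not visible in this hunk, so its target is inferred from the surrounding rows.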
--- a/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..5b9beb3bb 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* dave@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,13 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ 
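Review bot: The `certificate_identity` hunk (`@@ -59,13 +65,13 @@`) for dave only renumbers the two rows for certificate 2 (`2, 4` and `2, 5`), whereas the matching carol hunk of this same test and the dave hunks of the ip-pool-db-restart and ip-split-pools-db-restart tests also add `1, 3`, linking certificate 1 to the new Root CA keyid identity. If that omission is not deliberate, dave's database cannot resolve the CA certificate by its keyid and trust-chain lookup may behave differently from carol's in the same scenario. Add `INSERT INTO certificate_identity (certificate, identity) VALUES (1, 3);` for parity, or a comment explaining why dave intentionally differs.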
@@ -79,13 +85,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +105,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql index 8f5a5ece8..e0c5dfc37 100644 --- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ 
@@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -77,13 +83,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -97,13 +109,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -117,7 +129,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'bigpool' + 'rw', 1, 4, 6, 'bigpool' ); INSERT INTO child_configs ( @@ -167,13 +179,13 @@ INSERT INTO pools ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030001', 7, 1211299013 , 1211299205 + 1, X'0a030001', 8, 1211299013 , 1211299205 ); INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030002', 8, 1211299031, 1211299187 + 1, X'0a030002', 9, 1211299031, 1211299187 ); INSERT INTO addresses ( @@ -203,11 +215,11 @@ INSERT INTO addresses ( INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 1, 7, 1211299013 , 1211299205 + 1, 8, 1211299013 , 1211299205 ); INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 2, 8, 1211299031, 1211299187 + 2, 9, 1211299031, 1211299187 ); diff --git a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 
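Review bot: The `addresses.identity` and `leases.identity` values move from 7/8 to 8/9 in the last two hunks, again only because a row was added to `identities`, and nothing in the hunk records which peer each lease is attributed to. A stale lease bound to the wrong identity would make the expired-lease scenario pass or fail for the wrong reason, so add a comment on each row such as `/* lease held by carol@strongswan.org */` (identities 8 and 9 are outside this hunk, so carol/dave is inferred), or key the identity rows on explicit ids so these references stop shifting.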
--- a/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-expired/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..9739a7839 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/ipsec.d/data.sql 
@@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* dave@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/dave/etc/strongswan.conf 
@@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql index 8e11c6a20..1ea0bd3ad 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -71,13 +77,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ 
@@ -91,13 +103,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -111,7 +123,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'bigpool' + 'rw', 1, 4, 6, 'bigpool' ); INSERT INTO child_configs ( @@ -161,13 +173,13 @@ INSERT INTO pools ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030001', 6, 1211299013 , 1211299205 + 1, X'0a030001', 7, 1211299013 , 1211299205 ); INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030002', 7, 1211299031, 1211299187 + 1, X'0a030002', 8, 1211299031, 1211299187 ); INSERT INTO addresses ( @@ -197,11 +209,11 @@ INSERT INTO addresses ( INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 1, 6, 1211299013 , 1211299205 + 1, 7, 1211299013 , 1211299205 ); INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 2, 7, 1211299031, 1211299187 + 2, 8, 1211299031, 1211299187 ); diff --git a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db-restart/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { 
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql index 5dc82a942..d2cd51deb 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/ipsec.d/data.sql @@ -6,6 +6,12 @@ INSERT INTO identities ( 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' ); +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + INSERT INTO identities ( type, data ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( 
diff --git a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf index aed370ffa..d5f50c361 100644 --- a/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve } diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql index 329cac53b..eb58e9d9c 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/ipsec.d/data.sql @@ -6,6 +6,12 @@ INSERT INTO identities ( 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' ); +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + INSERT INTO identities ( type, data ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); 
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf index aed370ffa..d5f50c361 100644 --- a/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql resolve } diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql index 82a9e43fe..0de63133e 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/ipsec.d/data.sql 
@@ -6,6 +6,12 @@ INSERT INTO identities ( 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' ); +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + INSERT INTO identities ( type, data ) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'bigpool' + 'rw', 1, 4, 6, 'bigpool' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-pool-db/hosts/moon/etc/strongswan.conf 
@@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ 
@@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..acc82b8d1 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/ipsec.d/data.sql 
@@ -8,10 +8,15 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); INSERT INTO identities ( type, data ) VALUES ( /* dave@strongswan.org */ @@ -20,7 +25,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +64,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ @@ -79,13 +90,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +110,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/dave/etc/strongswan.conf 
@@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql index ac776f39d..3b0ea67d4 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -71,13 +77,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 5 ); /* Private Keys */ 
@@ -91,13 +103,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -111,7 +123,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'pool0,pool1' + 'rw', 1, 4, 6, 'pool0,pool1' ); INSERT INTO child_configs ( @@ -167,7 +179,7 @@ INSERT INTO pools ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 1, X'0a030001', 6, 1247817255, 1247817277 + 1, X'0a030001', 7, 1247817255, 1247817277 ); INSERT INTO addresses ( @@ -179,7 +191,7 @@ INSERT INTO addresses ( INSERT INTO addresses ( pool, address, identity, acquired, released ) VALUES ( - 2, X'0a030101', 7, 1247817257, 1247817278 + 2, X'0a030101', 8, 1247817257, 1247817278 ); INSERT INTO addresses ( @@ -191,14 +203,11 @@ INSERT INTO addresses ( INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 1, 6, 1247817255, 1247817277 + 1, 7, 1247817255, 1247817277 ); INSERT INTO leases ( address, identity, acquired, released ) VALUES ( - 3, 7, 1247817257, 1247817278 + 3, 8, 1247817257, 1247817278 ); - - - diff --git a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db-restart/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { 
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql index 9afa1b15d..38c9d9bbe 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( 
diff --git a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql index 425c180a1..9739a7839 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* dave@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); 
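Review bot: The `load` directive is an explicit plugin allowlist, and the only hint that `revocation` is now needed for certificate revocation checking is its presence in the list; nothing in the file says why it was added or what is lost if a copied configuration drops it. As I read the 4.4.0 change, revocation checking is performed by this plugin rather than by `x509`, so a host that omits it would presumably still authenticate peers but without any CRL/OCSP check — a silent downgrade worth documenting in the fixture. A one-line comment above the directive, `# revocation: needed for CRL/OCSP checking of peer certificates (no longer part of x509); curl is its HTTP fetcher`, would make the dependency explicit. The same applies to every strongswan.conf hunk on this page.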
@@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, virtual ) VALUES ( - 'home', 1, 3, 5, '0.0.0.0' + 'home', 1, 4, 6, '0.0.0.0' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql index a062ac167..ae493ee64 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/ipsec.d/data.sql 
@@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, pool ) VALUES ( - 'rw', 1, 3, 5, 'pool0,pool1' + 'rw', 1, 4, 6, 'pool0,pool1' ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf index e99a7c505..1c30841cf 100644 --- a/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/ip-split-pools-db/hosts/moon/etc/strongswan.conf 
@@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql attr-sql } libhydra { diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index c4424bd89..54086643f 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ @@ -26,7 +32,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 5 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 ); /* Private Keys */ 
@@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 5 + 1, 6 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, mobike ) VALUES ( - 'net-net', 1, 3, 4, 0 + 'net-net', 1, 4, 5, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index d70481715..2bc8b34c8 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ 
@@ -26,7 +32,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 5 + 2, 6 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 5 + 1, 6 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, mobike ) VALUES ( - 'net-net', 1, 4, 3, 0 + 'net-net', 1, 5, 4, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql index 983f1bf35..b1bf20943 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/ipsec.d/data.sql 
@@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=carol@strongswan.org' */ 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'home', 1, 3, 5 + 'home', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf index 49de2788e..bc951c1dd 100644 --- a/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/carol/etc/strongswan.conf 
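Review bot: The two Root CA rows in the `@@ -8,10 +8,16 @@` hunk are both stored as identity type 11 and differ only in their comments (`subjkey` vs `keyid`), so a reader of the fixture cannot tell from the data which 20-byte value is the certificate's SubjectKeyIdentifier and which is derived from the public key, nor why both are now required for the CA while the end-entity certificate keeps only its `subjkey`. A short comment on the new row stating what it is derived from and which lookup it serves would help, e.g. `/* keyid of the Root CA: presumably the hash of its public key, used for lookups by key hash; the subjkey row above is the SKI extension */` — hedged, because the derivation is not shown anywhere in the hunk. Since the same row is added to every data.sql on this page, one such comment per file is cheap.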
@@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } libstrongswan { diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql index 9ccee6ce8..53168adff 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* dave@strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=dave@strongswan.org' */ 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ 
@@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'home', 1, 3, 5 + 'home', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf index 49de2788e..bc951c1dd 100644 --- a/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/dave/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } libstrongswan { diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql index b239402e4..1a3807b80 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ 
@@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -59,13 +65,19 @@ INSERT INTO certificate_identity ( INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 3 + 1, 3 ); INSERT INTO certificate_identity ( certificate, identity ) VALUES ( - 2, 4 + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 ); /* Private Keys */ @@ -79,13 +91,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -99,7 +111,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id ) VALUES ( - 'rw', 1, 3, 5 + 'rw', 1, 4, 6 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf index 49de2788e..bc951c1dd 100644 --- a/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-cert/hosts/moon/etc/strongswan.conf @@ -6,7 +6,7 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl test-vectors aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } libstrongswan { diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql index d574e380a..8a4e5275b 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql 
+++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -44,6 +50,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + /* Shared Secrets */ INSERT INTO shared_secrets ( @@ -55,13 +67,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -75,7 +87,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, auth_method ) VALUES ( - 'home', 1, 3, 4, 3 + 'home', 1, 4, 5, 3 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf index a5a7d2017..f17071c95 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 + load = curl aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 } 
diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql index 2cd45fbf0..58a42cf00 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* moon.strongswan.org */ @@ -20,7 +26,7 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' ); @@ -62,6 +68,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + INSERT INTO certificate_identity ( certificate, identity ) VALUES ( @@ -85,13 +97,13 @@ INSERT INTO private_keys ( INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO private_key_identity ( private_key, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Shared Secrets */ @@ -105,13 +117,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 6 + 1, 7 ); /* Configurations */ 
@@ -125,7 +137,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, eap_type ) VALUES ( - 'rw-eap-aka', 1, 3, 5, 23 + 'rw-eap-aka', 1, 4, 6, 23 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf index 52de80b19..d2558edf4 100644 --- a/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf +++ b/testing/tests/sql/rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 + load = aes des sha1 sha2 md5 fips-prf pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql eap-aka eap-aka-3gpp2 } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql index bb6a9ec80..7d2d17bab 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* carol@strongswan.org */ @@ -44,6 +50,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + /* Shared Secrets */ INSERT INTO shared_secrets ( 
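Review bot: moon's load list in `rw-eap-aka-rsa/hosts/moon/etc/strongswan.conf` gains `revocation` but, unlike carol's in the same test, contains no fetcher plugin such as `curl`, so any CRL or OCSP lookup the plugin would make over HTTP cannot be carried out and only revocation data already on disk could be used. In this scenario moon authenticates carol with EAP-AKA (`eap_type` 23 in the `peer_configs` hunk above) and is presumably never asked to validate a peer certificate, so the omission is likely harmless today. It is worth a comment so the gap is not copied into a test where moon does verify certificates, e.g. `# no curl: moon validates no peer certificate here, so no CRL/OCSP fetching is needed`. If that assumption is wrong, `curl` should be added alongside `revocation` as on carol.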
@@ -55,13 +67,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 4 + 1, 5 ); /* Configurations */ @@ -75,7 +87,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, auth_method ) VALUES ( - 'home', 1, 3, 4, 2 + 'home', 1, 4, 5, 2 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/carol/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql index 42082f400..53d84eec6 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/ipsec.d/data.sql @@ -8,10 +8,16 @@ INSERT INTO identities ( INSERT INTO identities ( type, data -) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' ); +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + INSERT INTO identities ( type, data ) VALUES ( /* dave@strongswan.org */ 
@@ -44,6 +50,12 @@ INSERT INTO certificate_identity ( 1, 2 ); +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + /* Shared Secrets */ INSERT INTO shared_secrets ( @@ -55,13 +67,13 @@ INSERT INTO shared_secrets ( INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 3 + 1, 4 ); INSERT INTO shared_secret_identity ( shared_secret, identity ) VALUES ( - 1, 4 + 1, 5 ); @@ -76,7 +88,7 @@ INSERT INTO ike_configs ( INSERT INTO peer_configs ( name, ike_cfg, local_id, remote_id, auth_method ) VALUES ( - 'home', 1, 3, 4, 2 + 'home', 1, 4, 5, 2 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf index a0d88cff1..f375db9c9 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/dave/etc/strongswan.conf @@ -6,5 +6,5 @@ charon { database = sqlite:///etc/ipsec.d/ipsec.db } } - load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql } diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql index 35598e97d..70f188453 100644 --- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/ipsec.d/data.sql 
@@ -8,10 +8,16 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
 );
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
 INSERT INTO identities (
 type, data
 ) VALUES ( /* moon.strongswan.org */
@@ -20,7 +26,7 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
@@ -71,13 +77,19 @@ INSERT INTO certificate_identity (
 INSERT INTO certificate_identity (
 certificate, identity
 ) VALUES (
- 2, 3
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 4
 );
 INSERT INTO certificate_identity (
 certificate, identity
 ) VALUES (
- 2, 4
+ 2, 5
 );
 /* Private Keys */
@@ -91,13 +103,13 @@ INSERT INTO private_keys (
 INSERT INTO private_key_identity (
 private_key, identity
 ) VALUES (
- 1, 3
+ 1, 4
 );
 INSERT INTO private_key_identity (
 private_key, identity
 ) VALUES (
- 1, 4
+ 1, 5
 );
 /* Shared Secrets */
@@ -117,25 +129,25 @@ INSERT INTO shared_secrets (
 INSERT INTO shared_secret_identity (
 shared_secret, identity
 ) VALUES (
- 1, 3
+ 1, 4
 );
 INSERT INTO shared_secret_identity (
 shared_secret, identity
 ) VALUES (
- 1, 6
+ 1, 7
 );
 INSERT INTO shared_secret_identity (
 shared_secret, identity
 ) VALUES (
- 2, 3
+ 2, 4
 );
 INSERT INTO shared_secret_identity (
 shared_secret, identity
 ) VALUES (
- 2, 7
+ 2, 8
 );
@@ -150,7 +162,7 @@ INSERT INTO ike_configs (
 INSERT INTO peer_configs (
 name, ike_cfg, local_id, remote_id
 ) VALUES (
- 'rw', 1, 3, 5
+ 'rw', 1, 4, 6
 );
 INSERT INTO child_configs (
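Review bot: In the first hunk of moon's data.sql the relabelled root-CA identity row and the newly added one both carry identity type 11 and differ only in their comment ("subjkey" vs "keyid"), so the fixture never records how each 20-byte value was derived, and whoever regenerates the strongSwan Root CA certificate has to guess which hash goes in which row. Spell out the derivation in the comments, e.g. `/* subjkey (SHA-1 of the subjectPublicKey, i.e. the SubjectKeyIdentifier) of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */` and `/* keyid (SHA-1 of the DER subjectPublicKeyInfo) of ... */` — presumably that is the convention these values follow, as strongSwan's own tooling prints both names, but it cannot be confirmed from the hunk. The same two-row pattern is introduced in carol's and dave's data.sql in this commit, so the wording should be applied there as well.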
diff --git a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
index a0d88cff1..f375db9c9 100644
--- a/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-psk-rsa-split/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
index f5d06eaba..4f181b91b 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
index 2e9acf5f6..9a36c2c37 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
index ee7586925..9718a75bf 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/ipsec.d/data.sql
@@ -26,19 +26,19 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
 );
diff --git a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa-keyid/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
index bf086ad42..8219bdfad 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
diff --git a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/carol/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
index cbd2ae2e0..7c9cd9fe4 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/ipsec.d/data.sql
@@ -14,13 +14,13 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
diff --git a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/dave/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
index 545708e67..8a4eb2d21 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/ipsec.d/data.sql
@@ -26,19 +26,19 @@ INSERT INTO identities (
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of moon.strongswan.org */
+) VALUES ( /* subjkey of moon.strongswan.org */
 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of carol@strongswan.org */
+) VALUES ( /* subjkey of carol@strongswan.org */
 11, X'1fa1a988d9648cb5a0a2546439b4f23d745d6e7c'
 );
 INSERT INTO identities (
 type, data
-) VALUES ( /* keyid of dave@strongswan.org */
+) VALUES ( /* subjkey of dave@strongswan.org */
 11, X'ee7f38daeea1b81a41777f78f2674be8439d8e0e'
 );
diff --git a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
index 6e6641fa5..34f0c571e 100644
--- a/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/sql/rw-rsa/hosts/moon/etc/strongswan.conf
@@ -6,5 +6,5 @@ charon {
 database = sqlite:///etc/ipsec.d/ipsec.db
 }
 }
- load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+ load = curl aes des sha1 sha2 md5 pem pkcs1 pubkey gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
 }
-- cgit v1.2.3
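Review bot: Adding `revocation` to the `load` line of moon's strongswan.conf (and identically on every other host in this commit) is a behavioural change for these tests, not a cosmetic one: the plugin presumably installs the certificate validator that performs CRL/OCSP checks (its source, revocation_validator.c, is a libstrongswan plugin), so a peer certificate whose revocation status cannot be established will now make IKE_AUTH fail where it previously succeeded. Failing closed is the right default, but it means the tests now depend on the CRL distribution point or OCSP responder being reachable from each host (curl is loaded, so fetching is presumably over HTTP), and nothing in this hunk or the test fixtures records that dependency. Document it in each test's description/pretest, and have the evaluation assert the revocation check's log output so that a silently missing plugin does not let the test pass without exercising the new code path. As a style point, the same 21-plugin `load` list is duplicated verbatim across six files; a comment at the top of each conf saying which entries the test actually depends on (`revocation`, `curl`, `sql`, `sqlite`) would help whoever next trims it.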
From 568905f488e63e28778f87ac0e38d845f45bae79 Mon Sep 17 00:00:00 2001 
From: René Mayrhofer Date: Sat, 5 Mar 2011 09:20:09 +0100 Subject: Imported Upstream version 4.5.1 --- Android.mk | 2 +- Makefile.in | 4 +- NEWS | 74 ++ configure | 447 ++++++-- configure.in | 65 +- ltmain.sh | 0 man/Makefile.in | 4 +- man/ipsec.conf.5 | 24 +- man/ipsec.conf.5.in | 22 +- man/ipsec.secrets.5 | 2 +- man/strongswan.conf.5 | 65 +- man/strongswan.conf.5.in | 63 +- scripts/Makefile.am | 8 +- scripts/Makefile.in | 43 +- scripts/fetch.c | 41 + scripts/oid2der.c | 31 + src/Makefile.am | 18 +- src/Makefile.in | 38 +- src/_copyright/Makefile.am | 1 - src/_copyright/Makefile.in | 102 +- src/_copyright/_copyright.8 | 29 - src/_updown/Makefile.in | 4 +- src/_updown_espmark/Makefile.in | 4 +- src/charon/Makefile.in | 4 +- src/charon/charon.c | 137 ++- src/checksum/Makefile.in | 4 +- src/conftest/Makefile.am | 26 + src/conftest/Makefile.in | 954 ++++++++++++++++ src/conftest/README | 315 ++++++ src/conftest/actions.c | 339 ++++++ src/conftest/actions.h | 42 + src/conftest/config.c | 343 ++++++ src/conftest/config.h | 56 + src/conftest/conftest.c | 550 +++++++++ src/conftest/conftest.h | 74 ++ src/conftest/hooks/add_notify.c | 140 +++ src/conftest/hooks/add_payload.c | 151 +++ src/conftest/hooks/custom_proposal.c | 188 +++ src/conftest/hooks/force_cookie.c | 117 ++ src/conftest/hooks/hook.h | 45 + src/conftest/hooks/ignore_message.c | 89 ++ src/conftest/hooks/ike_auth_fill.c | 145 +++ src/conftest/hooks/log_id.c | 89 ++ src/conftest/hooks/log_ke.c | 81 ++ src/conftest/hooks/log_proposals.c | 98 ++ src/conftest/hooks/log_ts.c | 86 ++ src/conftest/hooks/pretend_auth.c | 386 +++++++ src/conftest/hooks/rebuild_auth.c | 243 ++++ src/conftest/hooks/reset_seq.c | 158 +++ src/conftest/hooks/set_critical.c | 123 ++ src/conftest/hooks/set_ike_initiator.c | 87 ++ src/conftest/hooks/set_ike_request.c | 84 ++ src/conftest/hooks/set_ike_spi.c | 104 ++ src/conftest/hooks/set_ike_version.c | 111 ++ src/conftest/hooks/set_length.c | 133 +++ src/conftest/hooks/set_proposal_number.c 
| 163 +++ src/conftest/hooks/set_reserved.c | 245 ++++ src/conftest/hooks/unencrypted_notify.c | 153 +++ src/conftest/hooks/unsort_message.c | 133 +++ src/dumm/Makefile.in | 4 +- src/include/Makefile.in | 4 +- src/include/linux/xfrm.h | 1 + src/ipsec/Makefile.in | 4 +- src/ipsec/ipsec.8 | 2 +- src/ipsec/ipsec.in | 6 +- src/libcharon/Makefile.am | 20 +- src/libcharon/Makefile.in | 157 ++- src/libcharon/bus/bus.c | 2 +- src/libcharon/config/backend_manager.c | 74 +- src/libcharon/config/child_cfg.c | 268 ++--- src/libcharon/config/child_cfg.h | 31 +- src/libcharon/config/peer_cfg.c | 2 +- src/libcharon/config/proposal.c | 10 +- src/libcharon/daemon.c | 220 +--- src/libcharon/daemon.h | 19 +- src/libcharon/encoding/generator.c | 375 +----- src/libcharon/encoding/message.c | 174 ++- src/libcharon/encoding/message.h | 41 +- src/libcharon/encoding/parser.c | 34 +- src/libcharon/encoding/payloads/auth_payload.c | 205 ++-- src/libcharon/encoding/payloads/auth_payload.h | 24 +- src/libcharon/encoding/payloads/cert_payload.c | 198 ++-- src/libcharon/encoding/payloads/cert_payload.h | 9 + src/libcharon/encoding/payloads/certreq_payload.c | 161 ++- .../encoding/payloads/configuration_attribute.c | 108 +- src/libcharon/encoding/payloads/cp_payload.c | 169 ++- src/libcharon/encoding/payloads/delete_payload.c | 21 +- src/libcharon/encoding/payloads/eap_payload.c | 19 +- src/libcharon/encoding/payloads/id_payload.c | 220 ++-- src/libcharon/encoding/payloads/id_payload.h | 44 +- src/libcharon/encoding/payloads/ike_header.c | 315 +++--- src/libcharon/encoding/payloads/ike_header.h | 22 + src/libcharon/encoding/payloads/ke_payload.c | 203 ++-- src/libcharon/encoding/payloads/ke_payload.h | 23 +- src/libcharon/encoding/payloads/nonce_payload.c | 178 ++- src/libcharon/encoding/payloads/notify_payload.c | 207 ++-- src/libcharon/encoding/payloads/payload.c | 64 +- src/libcharon/encoding/payloads/payload.h | 39 +- .../encoding/payloads/proposal_substructure.c | 62 +- 
.../encoding/payloads/proposal_substructure.h | 6 +- src/libcharon/encoding/payloads/sa_payload.c | 27 +- src/libcharon/encoding/payloads/sa_payload.h | 7 + .../payloads/traffic_selector_substructure.c | 164 ++- .../encoding/payloads/transform_attribute.c | 221 ++-- .../encoding/payloads/transform_substructure.c | 299 ++--- .../encoding/payloads/transform_substructure.h | 65 +- src/libcharon/encoding/payloads/ts_payload.c | 273 ++--- src/libcharon/encoding/payloads/ts_payload.h | 34 +- src/libcharon/encoding/payloads/unknown_payload.c | 172 +-- src/libcharon/encoding/payloads/unknown_payload.h | 18 +- .../encoding/payloads/vendor_id_payload.c | 125 +- .../encoding/payloads/vendor_id_payload.h | 5 + src/libcharon/plugins/addrblock/Makefile.in | 4 +- .../plugins/addrblock/addrblock_validator.c | 9 +- src/libcharon/plugins/android/Makefile.in | 4 +- src/libcharon/plugins/android/android_creds.c | 2 +- src/libcharon/plugins/android/android_service.c | 4 +- src/libcharon/plugins/dhcp/Makefile.in | 4 +- src/libcharon/plugins/dhcp/dhcp_socket.c | 7 +- src/libcharon/plugins/eap_aka/Makefile.in | 4 +- src/libcharon/plugins/eap_aka_3gpp2/Makefile.in | 4 +- src/libcharon/plugins/eap_gtc/Makefile.in | 4 +- src/libcharon/plugins/eap_identity/Makefile.in | 4 +- src/libcharon/plugins/eap_md5/Makefile.in | 4 +- src/libcharon/plugins/eap_mschapv2/Makefile.in | 4 +- src/libcharon/plugins/eap_radius/Makefile.in | 4 +- src/libcharon/plugins/eap_sim/Makefile.in | 4 +- src/libcharon/plugins/eap_sim_file/Makefile.in | 4 +- .../plugins/eap_simaka_pseudonym/Makefile.in | 4 +- .../plugins/eap_simaka_reauth/Makefile.in | 4 +- src/libcharon/plugins/eap_simaka_sql/Makefile.in | 4 +- src/libcharon/plugins/eap_tls/Makefile.in | 4 +- src/libcharon/plugins/eap_tnc/Makefile.in | 4 +- src/libcharon/plugins/eap_tnc/eap_tnc.c | 26 +- src/libcharon/plugins/eap_ttls/Makefile.in | 4 +- src/libcharon/plugins/eap_ttls/eap_ttls_peer.c | 1 + src/libcharon/plugins/farp/Makefile.in | 4 +- 
src/libcharon/plugins/ha/Makefile.in | 4 +- src/libcharon/plugins/ha/ha_ctl.c | 9 +- src/libcharon/plugins/ha/ha_dispatcher.c | 8 +- src/libcharon/plugins/ha/ha_segments.c | 14 +- src/libcharon/plugins/ha/ha_socket.c | 8 +- src/libcharon/plugins/ha/ha_tunnel.c | 4 +- src/libcharon/plugins/led/Makefile.in | 4 +- src/libcharon/plugins/load_tester/Makefile.in | 4 +- .../plugins/load_tester/load_tester_config.c | 4 +- .../plugins/load_tester/load_tester_ipsec.c | 2 +- .../plugins/load_tester/load_tester_plugin.c | 4 +- src/libcharon/plugins/maemo/Makefile.am | 6 +- src/libcharon/plugins/maemo/Makefile.in | 11 +- src/libcharon/plugins/maemo/maemo_service.c | 15 +- .../plugins/maemo/org.strongswan.charon.service | 4 - .../plugins/maemo/org.strongswan.charon.service.in | 4 + src/libcharon/plugins/medcli/Makefile.in | 4 +- src/libcharon/plugins/medcli/medcli_config.c | 8 +- src/libcharon/plugins/medsrv/Makefile.in | 4 +- src/libcharon/plugins/nm/Makefile.in | 4 +- src/libcharon/plugins/nm/nm_creds.c | 6 +- src/libcharon/plugins/nm/nm_service.c | 4 +- src/libcharon/plugins/smp/Makefile.in | 4 +- src/libcharon/plugins/socket_default/Makefile.in | 4 +- src/libcharon/plugins/socket_dynamic/Makefile.in | 4 +- src/libcharon/plugins/socket_raw/Makefile.in | 4 +- src/libcharon/plugins/sql/Makefile.in | 4 +- src/libcharon/plugins/sql/sql_config.c | 169 ++- src/libcharon/plugins/sql/sql_cred.c | 246 ++-- src/libcharon/plugins/sql/sql_plugin.c | 18 +- src/libcharon/plugins/stroke/Makefile.am | 3 +- src/libcharon/plugins/stroke/Makefile.in | 10 +- src/libcharon/plugins/stroke/stroke_ca.c | 76 +- src/libcharon/plugins/stroke/stroke_config.c | 103 +- src/libcharon/plugins/stroke/stroke_control.c | 189 +++- src/libcharon/plugins/stroke/stroke_control.h | 7 + src/libcharon/plugins/stroke/stroke_cred.c | 409 +------ src/libcharon/plugins/stroke/stroke_list.c | 130 ++- src/libcharon/plugins/stroke/stroke_plugin.c | 18 +- src/libcharon/plugins/stroke/stroke_shared_key.c | 140 --- 
src/libcharon/plugins/stroke/stroke_shared_key.h | 60 - src/libcharon/plugins/stroke/stroke_socket.c | 23 + src/libcharon/plugins/tnc_imc/Makefile.am | 7 +- src/libcharon/plugins/tnc_imc/Makefile.in | 18 +- src/libcharon/plugins/tnc_imc/tnc_imc.c | 207 ++++ src/libcharon/plugins/tnc_imc/tnc_imc.h | 36 + .../plugins/tnc_imc/tnc_imc_bind_function.c | 83 ++ src/libcharon/plugins/tnc_imc/tnc_imc_manager.c | 238 ++++ src/libcharon/plugins/tnc_imc/tnc_imc_manager.h | 32 + src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c | 141 ++- src/libcharon/plugins/tnc_imv/Makefile.am | 8 +- src/libcharon/plugins/tnc_imv/Makefile.in | 21 +- src/libcharon/plugins/tnc_imv/tnc_imv.c | 208 ++++ src/libcharon/plugins/tnc_imv/tnc_imv.h | 36 + .../plugins/tnc_imv/tnc_imv_bind_function.c | 137 +++ src/libcharon/plugins/tnc_imv/tnc_imv_manager.c | 295 +++++ src/libcharon/plugins/tnc_imv/tnc_imv_manager.h | 32 + src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c | 137 ++- .../plugins/tnc_imv/tnc_imv_recommendations.c | 415 +++++++ .../plugins/tnc_imv/tnc_imv_recommendations.h | 33 + src/libcharon/plugins/tnccs_11/Makefile.am | 16 +- src/libcharon/plugins/tnccs_11/Makefile.in | 92 +- src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c | 323 ++++++ src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h | 100 ++ .../plugins/tnccs_11/messages/imc_imv_msg.c | 242 ++++ .../plugins/tnccs_11/messages/imc_imv_msg.h | 71 ++ .../plugins/tnccs_11/messages/tnccs_error_msg.c | 191 ++++ .../plugins/tnccs_11/messages/tnccs_error_msg.h | 80 ++ .../plugins/tnccs_11/messages/tnccs_msg.c | 140 +++ .../plugins/tnccs_11/messages/tnccs_msg.h | 102 ++ .../messages/tnccs_preferred_language_msg.c | 137 +++ .../messages/tnccs_preferred_language_msg.h | 64 ++ .../tnccs_11/messages/tnccs_reason_strings_msg.c | 149 +++ .../tnccs_11/messages/tnccs_reason_strings_msg.h | 64 ++ .../tnccs_11/messages/tnccs_recommendation_msg.c | 186 +++ .../tnccs_11/messages/tnccs_recommendation_msg.h | 64 ++ .../messages/tnccs_tncs_contact_info_msg.c | 
118 ++ .../messages/tnccs_tncs_contact_info_msg.h | 54 + src/libcharon/plugins/tnccs_11/tnccs_11.c | 515 ++++++--- src/libcharon/plugins/tnccs_20/Makefile.am | 21 +- src/libcharon/plugins/tnccs_20/Makefile.in | 121 +- .../plugins/tnccs_20/batch/pb_tnc_batch.c | 543 +++++++++ .../plugins/tnccs_20/batch/pb_tnc_batch.h | 126 +++ .../messages/pb_access_recommendation_msg.c | 180 +++ .../messages/pb_access_recommendation_msg.h | 76 ++ .../tnccs_20/messages/pb_assessment_result_msg.c | 172 +++ .../tnccs_20/messages/pb_assessment_result_msg.h | 60 + .../plugins/tnccs_20/messages/pb_error_msg.c | 346 ++++++ .../plugins/tnccs_20/messages/pb_error_msg.h | 127 +++ .../tnccs_20/messages/pb_experimental_msg.c | 102 ++ .../tnccs_20/messages/pb_experimental_msg.h | 53 + .../tnccs_20/messages/pb_language_preference_msg.c | 175 +++ .../tnccs_20/messages/pb_language_preference_msg.h | 60 + .../plugins/tnccs_20/messages/pb_pa_msg.c | 293 +++++ .../plugins/tnccs_20/messages/pb_pa_msg.h | 123 ++ .../tnccs_20/messages/pb_reason_string_msg.c | 216 ++++ .../tnccs_20/messages/pb_reason_string_msg.h | 69 ++ .../messages/pb_remediation_parameters_msg.c | 259 +++++ .../messages/pb_remediation_parameters_msg.h | 96 ++ .../plugins/tnccs_20/messages/pb_tnc_msg.c | 75 ++ .../plugins/tnccs_20/messages/pb_tnc_msg.h | 128 +++ .../tnccs_20/state_machine/pb_tnc_state_machine.c | 287 +++++ .../tnccs_20/state_machine/pb_tnc_state_machine.h | 88 ++ src/libcharon/plugins/tnccs_20/tnccs_20.c | 575 +++++++++- src/libcharon/plugins/tnccs_dynamic/Makefile.am | 17 + src/libcharon/plugins/tnccs_dynamic/Makefile.in | 607 ++++++++++ .../plugins/tnccs_dynamic/tnccs_dynamic.c | 146 +++ .../plugins/tnccs_dynamic/tnccs_dynamic.h | 36 + .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.c | 47 + .../plugins/tnccs_dynamic/tnccs_dynamic_plugin.h | 42 + src/libcharon/plugins/uci/Makefile.in | 4 +- src/libcharon/plugins/uci/uci_config.c | 4 +- src/libcharon/plugins/unit_tester/Makefile.in | 4 +- 
src/libcharon/plugins/updown/Makefile.in | 4 +- src/libcharon/processing/jobs/acquire_job.c | 31 +- .../processing/jobs/delete_child_sa_job.c | 35 +- src/libcharon/processing/jobs/delete_ike_sa_job.c | 31 +- src/libcharon/processing/jobs/migrate_job.c | 39 +- .../processing/jobs/process_message_job.c | 29 +- src/libcharon/processing/jobs/rekey_child_sa_job.c | 33 +- src/libcharon/processing/jobs/rekey_ike_sa_job.c | 31 +- src/libcharon/processing/jobs/retransmit_job.c | 31 +- src/libcharon/processing/jobs/roam_job.c | 29 +- src/libcharon/processing/jobs/send_dpd_job.c | 29 +- src/libcharon/processing/jobs/send_keepalive_job.c | 29 +- src/libcharon/processing/jobs/start_action_job.c | 101 ++ src/libcharon/processing/jobs/start_action_job.h | 49 + src/libcharon/processing/jobs/update_sa_job.c | 33 +- src/libcharon/sa/authenticators/authenticator.c | 20 +- src/libcharon/sa/authenticators/authenticator.h | 8 +- .../sa/authenticators/eap_authenticator.c | 18 +- .../sa/authenticators/eap_authenticator.h | 8 +- .../sa/authenticators/psk_authenticator.c | 94 +- .../sa/authenticators/psk_authenticator.h | 8 +- .../sa/authenticators/pubkey_authenticator.c | 90 +- .../sa/authenticators/pubkey_authenticator.h | 8 +- src/libcharon/sa/child_sa.c | 12 +- src/libcharon/sa/child_sa.h | 3 +- src/libcharon/sa/connect_manager.c | 5 +- src/libcharon/sa/ike_sa.c | 79 +- src/libcharon/sa/ike_sa.h | 3 +- src/libcharon/sa/ike_sa_manager.c | 474 ++++---- src/libcharon/sa/ike_sa_manager.h | 18 +- src/libcharon/sa/keymat.c | 10 +- src/libcharon/sa/keymat.h | 8 +- src/libcharon/sa/task_manager.c | 46 +- src/libcharon/sa/task_manager.h | 10 + src/libcharon/sa/tasks/child_create.c | 182 +-- src/libcharon/sa/tasks/child_rekey.c | 7 +- src/libcharon/sa/tasks/ike_auth.c | 200 ++-- src/libcharon/sa/tasks/ike_cert_pre.c | 19 +- src/libcharon/sa/tasks/ike_rekey.c | 7 +- src/libcharon/tnc/imc/imc.h | 175 +++ src/libcharon/tnc/imc/imc_manager.h | 116 ++ src/libcharon/tnc/imv/imv.h | 175 +++ 
src/libcharon/tnc/imv/imv_manager.h | 134 +++ src/libcharon/tnc/imv/imv_recommendations.c | 24 + src/libcharon/tnc/imv/imv_recommendations.h | 117 ++ src/libcharon/tnc/tnccs/tnccs.c | 23 + src/libcharon/tnc/tnccs/tnccs.h | 82 ++ src/libcharon/tnc/tnccs/tnccs_manager.c | 477 ++++++++ src/libcharon/tnc/tnccs/tnccs_manager.h | 184 +++ src/libcharon/tnc/tncif.h | 106 ++ src/libcharon/tnc/tncifimc.h | 180 +++ src/libcharon/tnc/tncifimv.c | 36 + src/libcharon/tnc/tncifimv.h | 248 ++++ src/libcharon/tnccs/tnccs.c | 22 - src/libcharon/tnccs/tnccs.h | 52 - src/libcharon/tnccs/tnccs_manager.c | 148 --- src/libcharon/tnccs/tnccs_manager.h | 74 -- src/libfast/Makefile.in | 4 +- src/libfast/request.c | 11 +- src/libfast/request.h | 8 + src/libfreeswan/Makefile.am | 12 +- src/libfreeswan/Makefile.in | 40 +- src/libfreeswan/atosa.3 | 217 ---- src/libfreeswan/atosa.c | 198 ---- src/libfreeswan/copyright.c | 12 +- src/libfreeswan/freeswan.h | 29 - src/libfreeswan/keyblobtoid.3 | 102 -- src/libfreeswan/keyblobtoid.c | 146 --- src/libfreeswan/prng.3 | 120 -- src/libfreeswan/prng.c | 200 ---- src/libfreeswan/satoa.c | 100 -- src/libhydra/Makefile.in | 4 +- src/libhydra/kernel/kernel_interface.c | 8 +- src/libhydra/kernel/kernel_interface.h | 3 +- src/libhydra/kernel/kernel_ipsec.h | 3 +- src/libhydra/plugins/attr/Makefile.in | 4 +- src/libhydra/plugins/attr/attr_plugin.c | 19 +- src/libhydra/plugins/attr_sql/Makefile.in | 4 +- src/libhydra/plugins/attr_sql/attr_sql_plugin.c | 23 +- src/libhydra/plugins/kernel_klips/Makefile.in | 4 +- .../plugins/kernel_klips/kernel_klips_ipsec.c | 2 +- .../plugins/kernel_klips/kernel_klips_plugin.c | 19 +- src/libhydra/plugins/kernel_netlink/Makefile.in | 4 +- .../plugins/kernel_netlink/kernel_netlink_ipsec.c | 42 +- .../plugins/kernel_netlink/kernel_netlink_plugin.c | 17 +- src/libhydra/plugins/kernel_pfkey/Makefile.in | 4 +- .../plugins/kernel_pfkey/kernel_pfkey_ipsec.c | 17 +- .../plugins/kernel_pfkey/kernel_pfkey_plugin.c | 19 +- 
src/libhydra/plugins/kernel_pfroute/Makefile.in | 4 +- .../plugins/kernel_pfroute/kernel_pfroute_plugin.c | 19 +- src/libhydra/plugins/resolve/Makefile.in | 4 +- src/libhydra/plugins/resolve/resolve_plugin.c | 18 +- src/libsimaka/Makefile.in | 4 +- src/libstrongswan/Makefile.am | 24 +- src/libstrongswan/Makefile.in | 186 +-- src/libstrongswan/asn1/asn1.c | 94 ++ src/libstrongswan/asn1/asn1.h | 16 + src/libstrongswan/asn1/asn1_parser.c | 66 +- src/libstrongswan/asn1/oid.c | 715 ++++++------ src/libstrongswan/asn1/oid.h | 178 +-- src/libstrongswan/asn1/oid.txt | 17 +- src/libstrongswan/credentials/auth_cfg.c | 155 ++- src/libstrongswan/credentials/auth_cfg.h | 8 + src/libstrongswan/credentials/builder.c | 8 + src/libstrongswan/credentials/builder.h | 18 +- src/libstrongswan/credentials/cert_validator.h | 7 +- src/libstrongswan/credentials/certificates/crl.h | 15 + src/libstrongswan/credentials/certificates/x509.c | 28 - src/libstrongswan/credentials/certificates/x509.h | 89 +- src/libstrongswan/credentials/credential_manager.c | 90 +- .../credentials/sets/auth_cfg_wrapper.c | 3 +- src/libstrongswan/credentials/sets/mem_cred.c | 240 +++- src/libstrongswan/credentials/sets/mem_cred.h | 50 +- src/libstrongswan/crypto/crypto_factory.c | 133 ++- src/libstrongswan/crypto/crypto_factory.h | 31 +- src/libstrongswan/crypto/crypto_tester.c | 166 +-- src/libstrongswan/crypto/crypto_tester.h | 16 +- src/libstrongswan/eap/eap.h | 2 +- src/libstrongswan/enum.c | 2 +- src/libstrongswan/fetcher/fetcher_manager.c | 4 +- src/libstrongswan/integrity_checker.c | 62 +- src/libstrongswan/plugins/aes/Makefile.in | 4 +- src/libstrongswan/plugins/aes/aes_plugin.c | 4 +- src/libstrongswan/plugins/af_alg/Makefile.am | 20 + src/libstrongswan/plugins/af_alg/Makefile.in | 612 ++++++++++ src/libstrongswan/plugins/af_alg/af_alg_crypter.c | 237 ++++ src/libstrongswan/plugins/af_alg/af_alg_crypter.h | 54 + src/libstrongswan/plugins/af_alg/af_alg_hasher.c | 170 +++ 
src/libstrongswan/plugins/af_alg/af_alg_hasher.h | 52 + src/libstrongswan/plugins/af_alg/af_alg_ops.c | 226 ++++ src/libstrongswan/plugins/af_alg/af_alg_ops.h | 92 ++ src/libstrongswan/plugins/af_alg/af_alg_plugin.c | 74 ++ src/libstrongswan/plugins/af_alg/af_alg_plugin.h | 42 + src/libstrongswan/plugins/af_alg/af_alg_prf.c | 211 ++++ src/libstrongswan/plugins/af_alg/af_alg_prf.h | 52 + src/libstrongswan/plugins/af_alg/af_alg_signer.c | 206 ++++ src/libstrongswan/plugins/af_alg/af_alg_signer.h | 52 + src/libstrongswan/plugins/agent/Makefile.in | 4 +- src/libstrongswan/plugins/blowfish/Makefile.in | 4 +- .../plugins/blowfish/blowfish_plugin.c | 4 +- src/libstrongswan/plugins/ccm/Makefile.in | 4 +- src/libstrongswan/plugins/ccm/ccm_plugin.c | 37 +- src/libstrongswan/plugins/constraints/Makefile.am | 16 + src/libstrongswan/plugins/constraints/Makefile.in | 604 ++++++++++ .../plugins/constraints/constraints_plugin.c | 65 ++ .../plugins/constraints/constraints_plugin.h | 42 + .../plugins/constraints/constraints_validator.c | 578 ++++++++++ .../plugins/constraints/constraints_validator.h | 49 + src/libstrongswan/plugins/ctr/Makefile.in | 4 +- src/libstrongswan/plugins/ctr/ctr_plugin.c | 22 +- src/libstrongswan/plugins/curl/Makefile.in | 4 +- src/libstrongswan/plugins/curl/curl_fetcher.c | 16 +- src/libstrongswan/plugins/curl/curl_plugin.c | 16 +- src/libstrongswan/plugins/des/Makefile.in | 4 +- src/libstrongswan/plugins/des/des_plugin.c | 8 +- src/libstrongswan/plugins/dnskey/Makefile.in | 4 +- src/libstrongswan/plugins/dnskey/dnskey_plugin.c | 19 +- src/libstrongswan/plugins/fips_prf/Makefile.in | 4 +- src/libstrongswan/plugins/fips_prf/fips_prf.c | 55 +- .../plugins/fips_prf/fips_prf_plugin.c | 28 +- src/libstrongswan/plugins/gcm/Makefile.in | 4 +- src/libstrongswan/plugins/gcm/gcm_plugin.c | 20 +- src/libstrongswan/plugins/gcrypt/Makefile.in | 4 +- src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c | 68 +- src/libstrongswan/plugins/gmp/Makefile.in | 4 +- 
src/libstrongswan/plugins/gmp/gmp_plugin.c | 26 +- src/libstrongswan/plugins/hmac/Makefile.in | 4 +- src/libstrongswan/plugins/hmac/hmac_plugin.c | 88 +- src/libstrongswan/plugins/ldap/Makefile.in | 4 +- src/libstrongswan/plugins/ldap/ldap_fetcher.c | 35 +- src/libstrongswan/plugins/ldap/ldap_plugin.c | 16 +- src/libstrongswan/plugins/md4/Makefile.in | 4 +- src/libstrongswan/plugins/md4/md4_plugin.c | 20 +- src/libstrongswan/plugins/md5/Makefile.in | 4 +- src/libstrongswan/plugins/md5/md5_plugin.c | 20 +- src/libstrongswan/plugins/mysql/Makefile.in | 4 +- src/libstrongswan/plugins/mysql/mysql_database.c | 40 +- src/libstrongswan/plugins/mysql/mysql_plugin.c | 15 +- src/libstrongswan/plugins/openssl/Makefile.in | 4 +- src/libstrongswan/plugins/openssl/openssl_crl.c | 11 +- src/libstrongswan/plugins/openssl/openssl_plugin.c | 74 +- src/libstrongswan/plugins/openssl/openssl_x509.c | 100 +- src/libstrongswan/plugins/padlock/Makefile.in | 4 +- src/libstrongswan/plugins/padlock/padlock_plugin.c | 12 +- src/libstrongswan/plugins/pem/Makefile.in | 4 +- src/libstrongswan/plugins/pem/pem_encoder.c | 2 +- src/libstrongswan/plugins/pem/pem_plugin.c | 18 +- src/libstrongswan/plugins/pgp/Makefile.in | 4 +- src/libstrongswan/plugins/pgp/pgp_plugin.c | 21 +- src/libstrongswan/plugins/pkcs1/Makefile.in | 4 +- src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c | 16 +- src/libstrongswan/plugins/pkcs11/Makefile.in | 4 +- src/libstrongswan/plugins/pkcs11/pkcs11_creds.c | 23 +- src/libstrongswan/plugins/pkcs11/pkcs11_library.c | 67 +- src/libstrongswan/plugins/pkcs11/pkcs11_library.h | 21 +- src/libstrongswan/plugins/pkcs11/pkcs11_manager.c | 5 +- src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c | 14 +- .../plugins/pkcs11/pkcs11_private_key.c | 18 +- src/libstrongswan/plugins/plugin_loader.c | 111 +- src/libstrongswan/plugins/pubkey/Makefile.in | 4 +- src/libstrongswan/plugins/pubkey/pubkey_plugin.c | 18 +- src/libstrongswan/plugins/random/Makefile.in | 4 +- 
src/libstrongswan/plugins/random/random_plugin.c | 22 +- src/libstrongswan/plugins/random/random_rng.c | 37 +- src/libstrongswan/plugins/revocation/Makefile.in | 4 +- .../plugins/revocation/revocation_validator.c | 279 +++-- src/libstrongswan/plugins/sha1/Makefile.in | 4 +- src/libstrongswan/plugins/sha1/sha1_plugin.c | 22 +- src/libstrongswan/plugins/sha2/Makefile.in | 4 +- src/libstrongswan/plugins/sha2/sha2_plugin.c | 26 +- src/libstrongswan/plugins/soup/Makefile.am | 16 + src/libstrongswan/plugins/soup/Makefile.in | 601 ++++++++++ src/libstrongswan/plugins/soup/soup_fetcher.c | 159 +++ src/libstrongswan/plugins/soup/soup_fetcher.h | 44 + src/libstrongswan/plugins/soup/soup_plugin.c | 72 ++ src/libstrongswan/plugins/soup/soup_plugin.h | 42 + src/libstrongswan/plugins/sqlite/Makefile.in | 4 +- src/libstrongswan/plugins/sqlite/sqlite_database.c | 45 +- src/libstrongswan/plugins/sqlite/sqlite_plugin.c | 18 +- src/libstrongswan/plugins/test_vectors/Makefile.in | 4 +- .../plugins/test_vectors/test_vectors_plugin.c | 16 +- src/libstrongswan/plugins/x509/Makefile.in | 4 +- src/libstrongswan/plugins/x509/x509_cert.c | 1192 +++++++++++++++----- src/libstrongswan/plugins/x509/x509_crl.c | 173 ++- src/libstrongswan/plugins/x509/x509_plugin.c | 16 +- src/libstrongswan/plugins/xcbc/Makefile.in | 4 +- src/libstrongswan/plugins/xcbc/xcbc_plugin.c | 30 +- src/libstrongswan/printf_hook.c | 24 +- src/libstrongswan/processing/processor.c | 2 +- src/libstrongswan/selectors/traffic_selector.c | 6 +- src/libstrongswan/settings.c | 838 +++++++++++--- src/libstrongswan/settings.h | 171 ++- src/libstrongswan/utils.c | 8 + src/libstrongswan/utils.h | 17 +- src/libstrongswan/utils/backtrace.c | 14 +- src/libstrongswan/utils/backtrace.h | 9 +- src/libstrongswan/utils/hashtable.c | 3 +- src/libstrongswan/utils/host.c | 39 + src/libstrongswan/utils/host.h | 9 + src/libstrongswan/utils/identification.c | 10 +- src/libstrongswan/utils/leak_detective.c | 33 +- 
src/libstrongswan/utils/optionsfrom.c | 30 +- src/libtls/Makefile.in | 4 +- src/libtls/tls.h | 2 +- src/libtls/tls_crypto.c | 10 +- src/libtls/tls_eap.c | 12 +- src/libtls/tls_reader.c | 18 +- src/libtls/tls_writer.c | 2 +- src/manager/Makefile.in | 4 +- src/medsrv/Makefile.in | 4 +- src/openac/Makefile.in | 4 +- src/pki/Makefile.in | 4 +- src/pki/command.c | 2 +- src/pki/command.h | 2 +- src/pki/commands/issue.c | 223 +++- src/pki/commands/print.c | 151 ++- src/pki/commands/self.c | 171 ++- src/pki/commands/signcrl.c | 86 +- src/pluto/Makefile.in | 4 +- src/pluto/ca.c | 2 +- src/pluto/crl.c | 10 +- src/pluto/crypto.c | 279 +++-- src/pluto/demux.c | 2 +- src/pluto/ike_alg.c | 81 +- src/pluto/ike_alg.h | 6 +- src/pluto/kernel.c | 6 +- src/pluto/kernel_alg.c | 50 +- src/pluto/keys.c | 8 +- src/pluto/ocsp.c | 4 +- src/pluto/plugins/xauth/Makefile.in | 4 +- src/pluto/pluto.8 | 10 +- src/pluto/x509.c | 8 +- src/scepclient/Makefile.in | 4 +- src/scepclient/scepclient.8 | 4 +- src/starter/Makefile.am | 21 +- src/starter/Makefile.in | 126 +-- src/starter/args.c | 2 + src/starter/confread.c | 17 + src/starter/confread.h | 2 + src/starter/keywords.c | 288 ++--- src/starter/keywords.h | 6 +- src/starter/keywords.txt | 7 +- src/starter/starter.8 | 0 src/starter/starterstroke.c | 2 + src/stroke/Makefile.in | 4 +- src/stroke/stroke.c | 25 + src/stroke/stroke_keywords.c | 98 +- src/stroke/stroke_keywords.h | 3 + src/stroke/stroke_keywords.txt | 3 + src/stroke/stroke_msg.h | 10 +- src/whack/Makefile.in | 4 +- testing/INSTALL | 13 +- testing/Makefile.in | 4 +- testing/do-tests.in | 1 + testing/hosts/default/etc/hosts | 2 + testing/hosts/default/etc/ipsec.d/tables.sql | 38 +- testing/hosts/winnetou/etc/openssl/index.txt | 1 + testing/hosts/winnetou/etc/openssl/index.txt.old | 1 + testing/hosts/winnetou/etc/openssl/newcerts/23.pem | 25 + testing/hosts/winnetou/etc/openssl/serial | 2 +- testing/hosts/winnetou/etc/openssl/serial.old | 2 +- testing/scripts/build-umlrootfs | 20 + 
testing/scripts/kstart-umls | 2 +- testing/scripts/xstart-umls | 2 +- testing/testing.conf | 18 +- testing/tests/ha/both-active/description.txt | 8 + testing/tests/ha/both-active/evaltest.dat | 20 + .../ha/both-active/hosts/alice/etc/init.d/iptables | 104 ++ .../ha/both-active/hosts/alice/etc/ipsec.conf | 22 + .../hosts/alice/etc/ipsec.d/certs/marsCert.pem | 25 + .../hosts/alice/etc/ipsec.d/private/marsKey.pem | 27 + .../ha/both-active/hosts/alice/etc/ipsec.secrets | 3 + .../ha/both-active/hosts/alice/etc/strongswan.conf | 15 + .../ha/both-active/hosts/carol/etc/ipsec.conf | 23 + .../ha/both-active/hosts/carol/etc/strongswan.conf | 5 + .../tests/ha/both-active/hosts/dave/etc/ipsec.conf | 23 + .../ha/both-active/hosts/dave/etc/strongswan.conf | 6 + .../ha/both-active/hosts/moon/etc/init.d/iptables | 104 ++ .../tests/ha/both-active/hosts/moon/etc/ipsec.conf | 22 + .../hosts/moon/etc/ipsec.d/certs/marsCert.pem | 25 + .../hosts/moon/etc/ipsec.d/private/marsKey.pem | 27 + .../ha/both-active/hosts/moon/etc/ipsec.secrets | 3 + .../ha/both-active/hosts/moon/etc/strongswan.conf | 15 + testing/tests/ha/both-active/posttest.dat | 17 + testing/tests/ha/both-active/pretest.dat | 18 + testing/tests/ha/both-active/test.conf | 21 + testing/tests/ikev1/dpd-restart/evaltest.dat | 4 +- testing/tests/ikev1/dynamic-initiator/pretest.dat | 2 +- testing/tests/ikev1/dynamic-responder/pretest.dat | 2 +- testing/tests/ikev1/net2net-start/pretest.dat | 2 +- testing/tests/ikev1/xauth-rsa-fail/description.txt | 2 +- .../tests/ikev1/xauth-rsa-nosecret/description.txt | 2 +- .../tests/ikev2/critical-extension/description.txt | 5 + .../tests/ikev2/critical-extension/evaltest.dat | 6 + .../critical-extension/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 952 bytes .../hosts/moon/etc/strongswan.conf | 12 + .../critical-extension/hosts/sun/etc/ipsec.conf | 25 + .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 0 -> 951 bytes 
.../hosts/sun/etc/strongswan.conf | 6 + .../tests/ikev2/critical-extension/posttest.dat | 5 + testing/tests/ikev2/critical-extension/pretest.dat | 6 + testing/tests/ikev2/critical-extension/test.conf | 21 + .../hosts/carol/etc/strongswan.conf | 2 +- .../hosts/moon/etc/strongswan.conf | 2 +- .../rw-eap-tnc-11-radius-block/description.txt | 11 + .../ikev2/rw-eap-tnc-11-radius-block/evaltest.dat | 14 + .../hosts/alice/etc/raddb/clients.conf | 4 + .../hosts/alice/etc/raddb/dictionary | 2 + .../hosts/alice/etc/raddb/dictionary.tnc | 5 + .../hosts/alice/etc/raddb/eap.conf | 25 + .../hosts/alice/etc/raddb/proxy.conf | 5 + .../hosts/alice/etc/raddb/radiusd.conf | 120 ++ .../hosts/alice/etc/raddb/sites-available/default | 44 + .../alice/etc/raddb/sites-available/inner-tunnel | 32 + .../etc/raddb/sites-available/inner-tunnel-second | 23 + .../hosts/alice/etc/raddb/users | 2 + .../hosts/alice/etc/tnc_config | 3 + .../hosts/carol/etc/ipsec.conf | 24 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../hosts/carol/etc/tnc_config | 3 + .../hosts/dave/etc/ipsec.conf | 24 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../hosts/dave/etc/tnc_config | 3 + .../hosts/moon/etc/init.d/iptables | 84 ++ .../hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 12 + .../ikev2/rw-eap-tnc-11-radius-block/posttest.dat | 8 + .../ikev2/rw-eap-tnc-11-radius-block/pretest.dat | 15 + .../ikev2/rw-eap-tnc-11-radius-block/test.conf | 26 + .../ikev2/rw-eap-tnc-11-radius/description.txt | 10 + .../tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat | 19 + .../hosts/alice/etc/raddb/clients.conf | 4 + .../hosts/alice/etc/raddb/dictionary | 2 + .../hosts/alice/etc/raddb/dictionary.tnc | 5 + .../hosts/alice/etc/raddb/eap.conf | 25 + .../hosts/alice/etc/raddb/proxy.conf | 5 + 
.../hosts/alice/etc/raddb/radiusd.conf | 120 ++ .../hosts/alice/etc/raddb/sites-available/default | 44 + .../alice/etc/raddb/sites-available/inner-tunnel | 32 + .../etc/raddb/sites-available/inner-tunnel-second | 36 + .../hosts/alice/etc/raddb/users | 2 + .../hosts/alice/etc/tnc_config | 3 + .../hosts/carol/etc/ipsec.conf | 24 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf | 24 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 6 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config | 3 + .../hosts/moon/etc/init.d/iptables | 84 ++ .../rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf | 35 + .../hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 13 + .../tests/ikev2/rw-eap-tnc-11-radius/posttest.dat | 8 + .../tests/ikev2/rw-eap-tnc-11-radius/pretest.dat | 18 + testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf | 26 + testing/tests/ikev2/rw-eap-tnc-11/description.txt | 9 + testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat | 19 + .../ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf | 23 + .../rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-tnc-11/hosts/carol/etc/strongswan.conf | 6 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config | 3 + .../ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf | 23 + .../rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets | 3 + .../rw-eap-tnc-11/hosts/dave/etc/strongswan.conf | 6 + .../rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config | 3 + .../ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf | 36 + .../rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets | 6 + .../rw-eap-tnc-11/hosts/moon/etc/strongswan.conf | 13 + .../ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config | 3 + 
testing/tests/ikev2/rw-eap-tnc-11/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-11/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-11/test.conf | 26 + .../ikev2/rw-eap-tnc-20-block/description.txt | 11 + .../tests/ikev2/rw-eap-tnc-20-block/evaltest.dat | 12 + .../rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 14 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-block/hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf | 23 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 14 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-block/hosts/dave/etc/tnc_config | 3 + .../rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf | 26 + .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 19 + .../rw-eap-tnc-20-block/hosts/moon/etc/tnc_config | 3 + .../tests/ikev2/rw-eap-tnc-20-block/posttest.dat | 6 + .../tests/ikev2/rw-eap-tnc-20-block/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-20-block/test.conf | 26 + .../tests/ikev2/rw-eap-tnc-20-tls/description.txt | 10 + testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat | 19 + .../rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf | 24 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config | 3 + .../rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf | 24 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config | 3 + .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf | 36 + .../rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 16 + .../rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config | 3 + testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf | 26 + 
testing/tests/ikev2/rw-eap-tnc-20/description.txt | 11 + testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat | 19 + .../ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf | 23 + .../rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets | 3 + .../rw-eap-tnc-20/hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config | 4 + .../ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf | 23 + .../rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets | 3 + .../rw-eap-tnc-20/hosts/dave/etc/strongswan.conf | 11 + .../rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file | 1 + .../ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config | 4 + .../ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf | 36 + .../rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets | 6 + .../rw-eap-tnc-20/hosts/moon/etc/strongswan.conf | 16 + .../ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config | 4 + testing/tests/ikev2/rw-eap-tnc-20/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-20/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-20/test.conf | 26 + .../tests/ikev2/rw-eap-tnc-block/description.txt | 8 - testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat | 12 - .../rw-eap-tnc-block/hosts/carol/etc/ipsec.conf | 23 - .../rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-block/hosts/carol/etc/tnc_config | 3 - .../rw-eap-tnc-block/hosts/dave/etc/ipsec.conf | 23 - .../rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-block/hosts/dave/etc/tnc_config | 3 - .../rw-eap-tnc-block/hosts/moon/etc/ipsec.conf | 26 - .../rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets | 6 - .../hosts/moon/etc/strongswan.conf | 13 - .../rw-eap-tnc-block/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc-block/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc-block/pretest.dat | 15 - 
testing/tests/ikev2/rw-eap-tnc-block/test.conf | 26 - .../tests/ikev2/rw-eap-tnc-dynamic/description.txt | 12 + .../tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat | 27 + .../rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf | 23 + .../hosts/carol/etc/ipsec.secrets | 3 + .../hosts/carol/etc/strongswan.conf | 11 + .../hosts/carol/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config | 4 + .../rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf | 23 + .../hosts/dave/etc/ipsec.secrets | 3 + .../hosts/dave/etc/strongswan.conf | 11 + .../hosts/dave/etc/tnc/dummyimc.file | 1 + .../rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config | 4 + .../rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf | 36 + .../hosts/moon/etc/ipsec.secrets | 6 + .../hosts/moon/etc/strongswan.conf | 16 + .../rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config | 4 + .../tests/ikev2/rw-eap-tnc-dynamic/posttest.dat | 6 + testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat | 15 + testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf | 26 + .../ikev2/rw-eap-tnc-radius-block/description.txt | 11 - .../ikev2/rw-eap-tnc-radius-block/evaltest.dat | 14 - .../hosts/alice/etc/raddb/clients.conf | 4 - .../hosts/alice/etc/raddb/dictionary | 2 - .../hosts/alice/etc/raddb/dictionary.tnc | 5 - .../hosts/alice/etc/raddb/eap.conf | 25 - .../hosts/alice/etc/raddb/proxy.conf | 5 - .../hosts/alice/etc/raddb/radiusd.conf | 120 -- .../hosts/alice/etc/raddb/sites-available/default | 44 - .../alice/etc/raddb/sites-available/inner-tunnel | 32 - .../etc/raddb/sites-available/inner-tunnel-second | 23 - .../hosts/alice/etc/raddb/users | 2 - .../hosts/alice/etc/tnc_config | 3 - .../hosts/carol/etc/ipsec.conf | 24 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../hosts/carol/etc/tnc_config | 3 - .../hosts/dave/etc/ipsec.conf | 24 - .../hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - 
.../hosts/dave/etc/tnc_config | 3 - .../hosts/moon/etc/init.d/iptables | 84 -- .../hosts/moon/etc/ipsec.conf | 25 - .../hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 12 - .../ikev2/rw-eap-tnc-radius-block/posttest.dat | 8 - .../ikev2/rw-eap-tnc-radius-block/pretest.dat | 15 - .../tests/ikev2/rw-eap-tnc-radius-block/test.conf | 26 - .../tests/ikev2/rw-eap-tnc-radius/description.txt | 10 - testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat | 19 - .../hosts/alice/etc/raddb/clients.conf | 4 - .../hosts/alice/etc/raddb/dictionary | 2 - .../hosts/alice/etc/raddb/dictionary.tnc | 5 - .../hosts/alice/etc/raddb/eap.conf | 25 - .../hosts/alice/etc/raddb/proxy.conf | 5 - .../hosts/alice/etc/raddb/radiusd.conf | 120 -- .../hosts/alice/etc/raddb/sites-available/default | 44 - .../alice/etc/raddb/sites-available/inner-tunnel | 32 - .../etc/raddb/sites-available/inner-tunnel-second | 36 - .../rw-eap-tnc-radius/hosts/alice/etc/raddb/users | 2 - .../rw-eap-tnc-radius/hosts/alice/etc/tnc_config | 3 - .../rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf | 24 - .../hosts/carol/etc/ipsec.secrets | 3 - .../hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-radius/hosts/carol/etc/tnc_config | 3 - .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf | 24 - .../rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets | 3 - .../hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-radius/hosts/dave/etc/tnc_config | 3 - .../hosts/moon/etc/init.d/iptables | 84 -- .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf | 35 - .../rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets | 3 - .../hosts/moon/etc/strongswan.conf | 13 - testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat | 8 - testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat | 18 - testing/tests/ikev2/rw-eap-tnc-radius/test.conf | 26 - testing/tests/ikev2/rw-eap-tnc-tls/description.txt | 7 - testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat | 19 - 
.../rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf | 24 - .../rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf | 6 - .../hosts/carol/etc/tnc/dummyimc.file | 1 - .../rw-eap-tnc-tls/hosts/carol/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf | 24 - .../rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf | 6 - .../hosts/dave/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf | 36 - .../rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets | 6 - .../rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf | 13 - .../ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat | 15 - testing/tests/ikev2/rw-eap-tnc-tls/test.conf | 26 - testing/tests/ikev2/rw-eap-tnc/description.txt | 9 - testing/tests/ikev2/rw-eap-tnc/evaltest.dat | 19 - .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf | 23 - .../ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets | 3 - .../rw-eap-tnc/hosts/carol/etc/strongswan.conf | 6 - .../rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf | 23 - .../ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets | 3 - .../rw-eap-tnc/hosts/dave/etc/strongswan.conf | 6 - .../rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file | 1 - .../ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config | 3 - .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf | 36 - .../ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets | 6 - .../rw-eap-tnc/hosts/moon/etc/strongswan.conf | 13 - .../ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config | 3 - testing/tests/ikev2/rw-eap-tnc/posttest.dat | 6 - testing/tests/ikev2/rw-eap-tnc/pretest.dat | 15 - testing/tests/ikev2/rw-eap-tnc/test.conf | 26 - .../ikev2/two-certs/hosts/carol/etc/ipsec.conf | 1 + .../critical-extension/description.txt | 5 + .../openssl-ikev2/critical-extension/evaltest.dat | 6 + 
.../critical-extension/hosts/moon/etc/ipsec.conf | 25 + .../hosts/moon/etc/ipsec.d/certs/moonCert.der | Bin 0 -> 952 bytes .../hosts/moon/etc/strongswan.conf | 12 + .../critical-extension/hosts/sun/etc/ipsec.conf | 25 + .../hosts/sun/etc/ipsec.d/certs/sunCert.der | Bin 0 -> 951 bytes .../hosts/sun/etc/strongswan.conf | 6 + .../openssl-ikev2/critical-extension/posttest.dat | 5 + .../openssl-ikev2/critical-extension/pretest.dat | 6 + .../openssl-ikev2/critical-extension/test.conf | 21 + testing/tests/p2pnat/behind-same-nat/pretest.dat | 2 +- testing/tests/p2pnat/medsrv-psk/pretest.dat | 2 +- testing/tests/sql/multi-level-ca/description.txt | 6 + testing/tests/sql/multi-level-ca/evaltest.dat | 18 + .../sql/multi-level-ca/hosts/carol/etc/ipsec.conf | 7 + .../hosts/carol/etc/ipsec.d/data.sql | 192 ++++ .../multi-level-ca/hosts/carol/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/carol/etc/strongswan.conf | 10 + .../sql/multi-level-ca/hosts/dave/etc/ipsec.conf | 7 + .../multi-level-ca/hosts/dave/etc/ipsec.d/data.sql | 194 ++++ .../multi-level-ca/hosts/dave/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/dave/etc/strongswan.conf | 10 + .../sql/multi-level-ca/hosts/moon/etc/ipsec.conf | 7 + .../multi-level-ca/hosts/moon/etc/ipsec.d/data.sql | 164 +++ .../multi-level-ca/hosts/moon/etc/ipsec.secrets | 3 + .../multi-level-ca/hosts/moon/etc/strongswan.conf | 10 + testing/tests/sql/multi-level-ca/posttest.dat | 10 + testing/tests/sql/multi-level-ca/pretest.dat | 18 + testing/tests/sql/multi-level-ca/test.conf | 21 + .../net2net-cert/hosts/moon/etc/ipsec.d/data.sql | 4 +- .../net2net-cert/hosts/sun/etc/ipsec.d/data.sql | 4 +- .../tests/sql/net2net-route-pem/description.txt | 10 + testing/tests/sql/net2net-route-pem/evaltest.dat | 16 + .../net2net-route-pem/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 249 ++++ .../net2net-route-pem/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + 
.../sql/net2net-route-pem/hosts/sun/etc/ipsec.conf | 8 + .../hosts/sun/etc/ipsec.d/data.sql | 249 ++++ .../net2net-route-pem/hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-route-pem/posttest.dat | 6 + testing/tests/sql/net2net-route-pem/pretest.dat | 13 + testing/tests/sql/net2net-route-pem/test.conf | 21 + .../tests/sql/net2net-start-pem/description.txt | 10 + testing/tests/sql/net2net-start-pem/evaltest.dat | 12 + .../net2net-start-pem/hosts/moon/etc/ipsec.conf | 8 + .../hosts/moon/etc/ipsec.d/data.sql | 279 +++++ .../net2net-start-pem/hosts/moon/etc/ipsec.secrets | 3 + .../hosts/moon/etc/strongswan.conf | 10 + .../sql/net2net-start-pem/hosts/sun/etc/ipsec.conf | 8 + .../hosts/sun/etc/ipsec.d/data.sql | 273 +++++ .../net2net-start-pem/hosts/sun/etc/ipsec.secrets | 3 + .../hosts/sun/etc/strongswan.conf | 10 + testing/tests/sql/net2net-start-pem/posttest.dat | 6 + testing/tests/sql/net2net-start-pem/pretest.dat | 11 + testing/tests/sql/net2net-start-pem/test.conf | 21 + 922 files changed, 38462 insertions(+), 11282 deletions(-) mode change 100644 => 100755 ltmain.sh create mode 100644 scripts/fetch.c create mode 100644 scripts/oid2der.c delete mode 100644 src/_copyright/_copyright.8 create mode 100644 src/conftest/Makefile.am create mode 100644 src/conftest/Makefile.in create mode 100644 src/conftest/README create mode 100644 src/conftest/actions.c create mode 100644 src/conftest/actions.h create mode 100644 src/conftest/config.c create mode 100644 src/conftest/config.h create mode 100644 src/conftest/conftest.c create mode 100644 src/conftest/conftest.h create mode 100644 src/conftest/hooks/add_notify.c create mode 100644 src/conftest/hooks/add_payload.c create mode 100644 src/conftest/hooks/custom_proposal.c create mode 100644 src/conftest/hooks/force_cookie.c create mode 100644 src/conftest/hooks/hook.h create mode 100644 src/conftest/hooks/ignore_message.c create mode 100644 
src/conftest/hooks/ike_auth_fill.c create mode 100644 src/conftest/hooks/log_id.c create mode 100644 src/conftest/hooks/log_ke.c create mode 100644 src/conftest/hooks/log_proposals.c create mode 100644 src/conftest/hooks/log_ts.c create mode 100644 src/conftest/hooks/pretend_auth.c create mode 100644 src/conftest/hooks/rebuild_auth.c create mode 100644 src/conftest/hooks/reset_seq.c create mode 100644 src/conftest/hooks/set_critical.c create mode 100644 src/conftest/hooks/set_ike_initiator.c create mode 100644 src/conftest/hooks/set_ike_request.c create mode 100644 src/conftest/hooks/set_ike_spi.c create mode 100644 src/conftest/hooks/set_ike_version.c create mode 100644 src/conftest/hooks/set_length.c create mode 100644 src/conftest/hooks/set_proposal_number.c create mode 100644 src/conftest/hooks/set_reserved.c create mode 100644 src/conftest/hooks/unencrypted_notify.c create mode 100644 src/conftest/hooks/unsort_message.c delete mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service create mode 100644 src/libcharon/plugins/maemo/org.strongswan.charon.service.in delete mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.c delete mode 100644 src/libcharon/plugins/stroke/stroke_shared_key.h create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc.c create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc.h create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_manager.c create mode 100644 src/libcharon/plugins/tnc_imc/tnc_imc_manager.h create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv.h create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_manager.c create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_manager.h create mode 100644 src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c create mode 100644 
src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h create mode 100644 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c create mode 100644 src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c create mode 100644 src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c create mode 100644 src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h create mode 
100644 src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c create mode 100644 src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h create mode 100644 src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c create mode 100644 src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h create mode 100644 src/libcharon/plugins/tnccs_dynamic/Makefile.am create mode 100644 src/libcharon/plugins/tnccs_dynamic/Makefile.in create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c create mode 100644 src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h create mode 100644 src/libcharon/processing/jobs/start_action_job.c create mode 100644 src/libcharon/processing/jobs/start_action_job.h create mode 100644 src/libcharon/tnc/imc/imc.h create mode 100644 src/libcharon/tnc/imc/imc_manager.h create mode 100644 src/libcharon/tnc/imv/imv.h create mode 100644 src/libcharon/tnc/imv/imv_manager.h create mode 100644 src/libcharon/tnc/imv/imv_recommendations.c create mode 100644 
src/libcharon/tnc/imv/imv_recommendations.h create mode 100644 src/libcharon/tnc/tnccs/tnccs.c create mode 100644 src/libcharon/tnc/tnccs/tnccs.h create mode 100644 src/libcharon/tnc/tnccs/tnccs_manager.c create mode 100644 src/libcharon/tnc/tnccs/tnccs_manager.h create mode 100644 src/libcharon/tnc/tncif.h create mode 100644 src/libcharon/tnc/tncifimc.h create mode 100644 src/libcharon/tnc/tncifimv.c create mode 100644 src/libcharon/tnc/tncifimv.h delete mode 100644 src/libcharon/tnccs/tnccs.c delete mode 100644 src/libcharon/tnccs/tnccs.h delete mode 100644 src/libcharon/tnccs/tnccs_manager.c delete mode 100644 src/libcharon/tnccs/tnccs_manager.h delete mode 100644 src/libfreeswan/atosa.3 delete mode 100644 src/libfreeswan/atosa.c delete mode 100644 src/libfreeswan/keyblobtoid.3 delete mode 100644 src/libfreeswan/keyblobtoid.c delete mode 100644 src/libfreeswan/prng.3 delete mode 100644 src/libfreeswan/prng.c delete mode 100644 src/libfreeswan/satoa.c delete mode 100644 src/libstrongswan/credentials/certificates/x509.c create mode 100644 src/libstrongswan/plugins/af_alg/Makefile.am create mode 100644 src/libstrongswan/plugins/af_alg/Makefile.in create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_crypter.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_crypter.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_hasher.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_hasher.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_ops.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_ops.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_plugin.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_plugin.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_prf.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_prf.h create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_signer.c create mode 100644 src/libstrongswan/plugins/af_alg/af_alg_signer.h create mode 100644 
src/libstrongswan/plugins/constraints/Makefile.am create mode 100644 src/libstrongswan/plugins/constraints/Makefile.in create mode 100644 src/libstrongswan/plugins/constraints/constraints_plugin.c create mode 100644 src/libstrongswan/plugins/constraints/constraints_plugin.h create mode 100644 src/libstrongswan/plugins/constraints/constraints_validator.c create mode 100644 src/libstrongswan/plugins/constraints/constraints_validator.h create mode 100644 src/libstrongswan/plugins/soup/Makefile.am create mode 100644 src/libstrongswan/plugins/soup/Makefile.in create mode 100644 src/libstrongswan/plugins/soup/soup_fetcher.c create mode 100644 src/libstrongswan/plugins/soup/soup_fetcher.h create mode 100644 src/libstrongswan/plugins/soup/soup_plugin.c create mode 100644 src/libstrongswan/plugins/soup/soup_plugin.h delete mode 100644 src/starter/starter.8 create mode 100644 testing/hosts/winnetou/etc/openssl/newcerts/23.pem create mode 100644 testing/tests/ha/both-active/description.txt create mode 100644 testing/tests/ha/both-active/evaltest.dat create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables create mode 100755 testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets create mode 100644 testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf create mode 100755 testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables create mode 100755 
testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ha/both-active/posttest.dat create mode 100644 testing/tests/ha/both-active/pretest.dat create mode 100644 testing/tests/ha/both-active/test.conf create mode 100644 testing/tests/ikev2/critical-extension/description.txt create mode 100644 testing/tests/ikev2/critical-extension/evaltest.dat create mode 100755 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der create mode 100644 testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/ikev2/critical-extension/posttest.dat create mode 100644 testing/tests/ikev2/critical-extension/pretest.dat create mode 100644 testing/tests/ikev2/critical-extension/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc create mode 100644 
testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf create mode 100644 
testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file create 
mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables create mode 100755 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file create mode 100644 
testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-11/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config create mode 100644 
testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf create mode 100644 
testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-20/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file delete 
mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-block/test.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config create mode 100755 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config create mode 100644 
testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat create mode 100644 testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config delete mode 100755 
testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel delete mode 100644 
testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables delete mode 100755 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-radius/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf delete mode 
100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc-tls/test.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/description.txt delete mode 100644 testing/tests/ikev2/rw-eap-tnc/evaltest.dat delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config delete mode 100755 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config delete mode 100755 
testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf delete mode 100644 testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config delete mode 100644 testing/tests/ikev2/rw-eap-tnc/posttest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc/pretest.dat delete mode 100644 testing/tests/ikev2/rw-eap-tnc/test.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/description.txt create mode 100644 testing/tests/openssl-ikev2/critical-extension/evaltest.dat create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der create mode 100644 testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/openssl-ikev2/critical-extension/posttest.dat create mode 100644 testing/tests/openssl-ikev2/critical-extension/pretest.dat create mode 100644 testing/tests/openssl-ikev2/critical-extension/test.conf create mode 100644 testing/tests/sql/multi-level-ca/description.txt create mode 100644 testing/tests/sql/multi-level-ca/evaltest.dat create mode 100755 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf create mode 100755 
testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf create mode 100644 testing/tests/sql/multi-level-ca/posttest.dat create mode 100644 testing/tests/sql/multi-level-ca/pretest.dat create mode 100644 testing/tests/sql/multi-level-ca/test.conf create mode 100644 testing/tests/sql/net2net-route-pem/description.txt create mode 100644 testing/tests/sql/net2net-route-pem/evaltest.dat create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf create mode 100755 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets create mode 100644 testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf create mode 100644 testing/tests/sql/net2net-route-pem/posttest.dat create mode 100644 testing/tests/sql/net2net-route-pem/pretest.dat create mode 100644 testing/tests/sql/net2net-route-pem/test.conf create mode 100644 testing/tests/sql/net2net-start-pem/description.txt create mode 100644 testing/tests/sql/net2net-start-pem/evaltest.dat create mode 100644 
testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf
create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql
create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets
create mode 100644 testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf
create mode 100755 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets
create mode 100644 testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
create mode 100644 testing/tests/sql/net2net-start-pem/posttest.dat
create mode 100644 testing/tests/sql/net2net-start-pem/pretest.dat
create mode 100644 testing/tests/sql/net2net-start-pem/test.conf
(limited to 'src/libcharon/encoding/payloads/cert_payload.c')
diff --git a/Android.mk b/Android.mk
index d6c83367f..4c90f6340 100644
--- a/Android.mk
+++ b/Android.mk
@@ -53,7 +53,7 @@ strongswan_CFLAGS := \
 -DUSE_VSTR \
 -DROUTING_TABLE=0 \
 -DROUTING_TABLE_PRIO=220 \
- -DVERSION=\"4.5.0\" \
+ -DVERSION=\"4.5.1\" \
 -DPLUGINS='"$(strongswan_PLUGINS)"' \
 -DIPSEC_DIR=\"/system/bin\" \
 -DIPSEC_PIDDIR=\"/data/misc/vpn\" \
diff --git a/Makefile.in b/Makefile.in
index 56c31b104..eba785b0c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -229,9 +229,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -270,6 +268,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/NEWS b/NEWS
index ed0d18211..42af2d37f 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,77 @@
+strongswan-4.5.1
+----------------
+
+- Sansar Choinyambuu implemented the RFC 5793 Posture Broker Protocol (BP)
+ compatible with Trusted Network Connect (TNC). The TNCCS 2.0 protocol
+ requires the tnccs_20, tnc_imc and tnc_imv plugins but does not depend
+ on the libtnc library. Any available IMV/IMC pairs conforming to the
+ Trusted Computing Group's TNC-IF-IMV/IMC 1.2 interface specification
+ can be loaded via /etc/tnc_config.
+
+- Re-implemented the TNCCS 1.1 protocol by using the tnc_imc and tnc_imv
+ in place of the external libtnc library.
+
+- The tnccs_dynamic plugin loaded on a TNC server in addition to the
+ tnccs_11 and tnccs_20 plugins, dynamically detects the IF-TNCCS
+ protocol version used by a TNC client and invokes an instance of
+ the corresponding protocol stack.
+
+- IKE and ESP proposals can now be stored in an SQL database using a
+ new proposals table. The start_action field in the child_configs
+ tables allows the automatic starting or routing of connections stored
+ in an SQL database.
+
+- The new certificate_authorities and certificate_distribution_points
+ tables make it possible to store CRL and OCSP Certificate Distribution
+ points in an SQL database.
+
+- The new 'include' statement allows to recursively include other files in
+ strongswan.conf. Existing sections and values are thereby extended and
+ replaced, respectively.
+
+- Due to the changes in the parser for strongswan.conf, the configuration
+ syntax for the attr plugin has changed. Previously, it was possible to
+ specify multiple values of a specific attribute type by adding multiple
+ key/value pairs with the same key (e.g. dns) to the plugins.attr section.
+ Because values with the same key now replace previously defined values
+ this is not possible anymore. As an alternative, multiple values can be
+ specified by separating them with a comma (e.g. dns = 1.2.3.4, 2.3.4.5).
+
+- ipsec listalgs now appends (set in square brackets) to each crypto
+ algorithm listed the plugin that registered the function.
+
+- Traffic Flow Confidentiality padding supported with Linux 2.6.38 can be used
+ by the IKEv2 daemon. The ipsec.conf 'tfc' keyword pads all packets to a given
+ boundary, the special value '%mtu' pads all packets to the path MTU.
+
+- The new af-alg plugin can use various crypto primitives of the Linux Crypto
+ API using the AF_ALG interface introduced with 2.6.38. This removes the need
+ for additional userland implementations of symmetric cipher, hash, hmac and
+ xcbc algorithms.
+
+- The IKEv2 daemon supports the INITIAL_CONTACT notify as initiator and
+ responder. The notify is sent when initiating configurations with a unique
+ policy, set in ipsec.conf via the global 'uniqueids' option.
+
+- The conftest conformance testing framework enables the IKEv2 stack to perform
+ many tests using a distinct tool and configuration frontend. Various hooks
+ can alter reserved bits, flags, add custom notifies and proposals, reorder
+ or drop messages and much more. It is enabled using the --enable-conftest
+ ./configure switch.
+
+- The new libstrongswan constraints plugin provides advanced X.509 constraint
+ checking. In additon to X.509 pathLen constraints, the plugin checks for
+ nameConstraints and certificatePolicies, including policyMappings and
+ policyConstraints. The x509 certificate plugin and the pki tool have been
+ enhanced to support these extensions. The new left/rightcertpolicy ipsec.conf
+ connection keywords take OIDs a peer certificate must have.
+
+- The left/rightauth ipsec.conf keywords accept values with a minimum strength
+ for trustchain public keys in bits, such as rsa-2048 or ecdsa-256.
+
+- The revocation and x509 libstrongswan plugins and the pki tool gained basic
+ support for delta CRLs.
+
 strongswan-4.5.0
 ----------------
diff --git a/configure b/configure
index d823c3045..b0b1cdc60 100755
--- a/configure
+++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67 for strongSwan 4.5.0. +# Generated by GNU Autoconf 2.67 for strongSwan 4.5.1. # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, @@ -698,8 +698,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='strongSwan' PACKAGE_TARNAME='strongswan' -PACKAGE_VERSION='4.5.0' -PACKAGE_STRING='strongSwan 4.5.0' +PACKAGE_VERSION='4.5.1' +PACKAGE_STRING='strongSwan 4.5.1' PACKAGE_BUGREPORT='' PACKAGE_URL='' @@ -753,12 +753,18 @@ USE_VSTR_FALSE USE_VSTR_TRUE USE_LIBCAP_FALSE USE_LIBCAP_TRUE +USE_IPSEC_SCRIPT_FALSE +USE_IPSEC_SCRIPT_TRUE USE_FILE_CONFIG_FALSE USE_FILE_CONFIG_TRUE +USE_LIBCHARON_FALSE +USE_LIBCHARON_TRUE USE_LIBHYDRA_FALSE USE_LIBHYDRA_TRUE USE_LIBSTRONGSWAN_FALSE USE_LIBSTRONGSWAN_TRUE +USE_CONFTEST_FALSE +USE_CONFTEST_TRUE USE_SCRIPTS_FALSE USE_SCRIPTS_TRUE USE_TOOLS_FALSE @@ -821,6 +827,8 @@ USE_SOCKET_RAW_FALSE USE_SOCKET_RAW_TRUE USE_SOCKET_DEFAULT_FALSE USE_SOCKET_DEFAULT_TRUE +USE_TNCCS_DYNAMIC_FALSE +USE_TNCCS_DYNAMIC_TRUE USE_TNCCS_20_FALSE USE_TNCCS_20_TRUE USE_TNCCS_11_FALSE @@ -889,6 +897,8 @@ USE_MEDSRV_FALSE USE_MEDSRV_TRUE USE_STROKE_FALSE USE_STROKE_TRUE +USE_AF_ALG_FALSE +USE_AF_ALG_TRUE USE_GCM_FALSE USE_GCM_TRUE USE_CCM_FALSE @@ -923,6 +933,8 @@ USE_PKCS1_FALSE USE_PKCS1_TRUE USE_PUBKEY_FALSE USE_PUBKEY_TRUE +USE_CONSTRAINTS_FALSE +USE_CONSTRAINTS_TRUE USE_REVOCATION_FALSE USE_REVOCATION_TRUE USE_X509_FALSE @@ -949,6 +961,8 @@ USE_AES_FALSE USE_AES_TRUE USE_LDAP_FALSE USE_LDAP_TRUE +USE_SOUP_FALSE +USE_SOUP_TRUE USE_CURL_FALSE USE_CURL_TRUE USE_TEST_VECTORS_FALSE @@ -980,14 +994,14 @@ gtk_LIBS gtk_CFLAGS xml_LIBS xml_CFLAGS +soup_LIBS +soup_CFLAGS PTHREADLIB RTLIB SOCKLIB BTLIB DLLIB ALLOCA -ipsecgid -ipsecuid GPERF PERL YFLAGS @@ -1138,6 +1152,7 @@ with_xauth_module with_user with_group enable_curl +enable_soup enable_ldap enable_aes enable_des 
@@ -1151,6 +1166,7 @@ enable_gmp enable_random enable_x509 enable_revocation +enable_constraints enable_pubkey enable_pkcs1 enable_pgp @@ -1158,6 +1174,7 @@ enable_dnskey enable_pem enable_hmac enable_xcbc +enable_af_alg enable_test_vectors enable_mysql enable_sqlite @@ -1191,6 +1208,7 @@ enable_tnc_imc enable_tnc_imv enable_tnccs_11 enable_tnccs_20 +enable_tnccs_dynamic enable_kernel_netlink enable_kernel_pfkey enable_kernel_pfroute @@ -1214,6 +1232,7 @@ enable_threads enable_charon enable_tools enable_scripts +enable_conftest enable_updown enable_attr enable_attr_sql @@ -1259,6 +1278,8 @@ CPPFLAGS CPP YACC YFLAGS +soup_CFLAGS +soup_LIBS xml_CFLAGS xml_LIBS gtk_CFLAGS @@ -1809,7 +1830,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures strongSwan 4.5.0 to adapt to many kinds of systems. +\`configure' configures strongSwan 4.5.1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1879,7 +1900,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of strongSwan 4.5.0:";; + short | recursive ) echo "Configuration of strongSwan 4.5.1:";; esac cat <<\_ACEOF @@ -1889,6 +1910,8 @@ Optional Features: --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --enable-curl enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl. + --enable-soup enable soup fetcher plugin to fetch from HTTP via + libsoup. Requires libsoup. --enable-ldap enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP. --disable-aes disable AES software implementation plugin. 
@@ -1905,6 +1928,7 @@ Optional Features: --disable-random disable RNG implementation on top of /dev/(u)random. --disable-x509 disable X509 certificate implementation plugin. --disable-revocation disable X509 CRL/OCSP revocation check plugin. + --disable-constraints disable advanced X509 constraint checking plugin. --disable-pubkey disable RAW public key support plugin. --disable-pkcs1 disable PKCS1 key decoding plugin. --disable-pgp disable PGP key decoding plugin. @@ -1912,6 +1936,7 @@ Optional Features: --disable-pem disable PEM decoding plugin. --disable-hmac disable HMAC crypto implementation plugin. --disable-xcbc disable xcbc crypto implementation plugin. + --enable-af-alg enable AF_ALG crypto interface to Linux Crypto API. --enable-test-vectors enable plugin providing crypto test vectors. --enable-mysql enable MySQL database support. Requires libmysqlclient_r. @@ -1955,6 +1980,7 @@ Optional Features: --enable-tnc-imv enable TNC IMV module. --enable-tnccs-11 enable TNCCS 1.1 protocol module. --enable-tnccs-20 enable TNCCS 2.0 protocol module. + --enable-tnccs-dynamic enable dynamic TNCCS protocol discovery module. --disable-kernel-netlink disable the netlink kernel interface. --enable-kernel-pfkey enable the PF_KEY kernel interface. @@ -1990,6 +2016,7 @@ Optional Features: pki). --disable-scripts disable additional utilities (found in directory scripts). + --enable-conftest enforce Suite B conformance test framework. --disable-updown disable updown firewall script plugin. --disable-attr disable strongswan.conf based configuration attribute plugin. 
@@ -2092,6 +2119,8 @@ Some influential environment variables: YFLAGS The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of `-d' given by some make applications. + soup_CFLAGS C compiler flags for soup, overriding pkg-config + soup_LIBS linker flags for soup, overriding pkg-config xml_CFLAGS C compiler flags for xml, overriding pkg-config xml_LIBS linker flags for xml, overriding pkg-config gtk_CFLAGS C compiler flags for gtk, overriding pkg-config @@ -2168,7 +2197,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -strongSwan configure 4.5.0 +strongSwan configure 4.5.1 generated by GNU Autoconf 2.67 Copyright (C) 2010 Free Software Foundation, Inc. @@ -2644,7 +2673,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by strongSwan $as_me 4.5.0, which was +It was created by strongSwan $as_me 4.5.1, which was generated by GNU Autoconf 2.67. Invocation command line was $ $0 $@ @@ -3459,7 +3488,7 @@ fi # Define the identity of the package. PACKAGE='strongswan' - VERSION='4.5.0' + VERSION='4.5.1' cat >>confdefs.h <<_ACEOF @@ -3947,6 +3976,21 @@ else fi +# Check whether --enable-soup was given. +if test "${enable_soup+set}" = set; then : + enableval=$enable_soup; soup_given=true + if test x$enableval = xyes; then + soup=true + else + soup=false + fi +else + soup=false + soup_given=false + +fi + + # Check whether --enable-ldap was given. if test "${enable_ldap+set}" = set; then : enableval=$enable_ldap; ldap_given=true 
@@ -4142,6 +4186,21 @@ else fi +# Check whether --enable-constraints was given. +if test "${enable_constraints+set}" = set; then : + enableval=$enable_constraints; constraints_given=true + if test x$enableval = xyes; then + constraints=true + else + constraints=false + fi +else + constraints=true + constraints_given=false + +fi + + # Check whether --enable-pubkey was given. if test "${enable_pubkey+set}" = set; then : enableval=$enable_pubkey; pubkey_given=true @@ -4247,6 +4306,21 @@ else fi +# Check whether --enable-af-alg was given. +if test "${enable_af_alg+set}" = set; then : + enableval=$enable_af_alg; af_alg_given=true + if test x$enableval = xyes; then + af_alg=true + else + af_alg=false + fi +else + af_alg=false + af_alg_given=false + +fi + + # Check whether --enable-test-vectors was given. if test "${enable_test_vectors+set}" = set; then : enableval=$enable_test_vectors; test_vectors_given=true @@ -4742,6 +4816,21 @@ else fi +# Check whether --enable-tnccs-dynamic was given. +if test "${enable_tnccs_dynamic+set}" = set; then : + enableval=$enable_tnccs_dynamic; tnccs_dynamic_given=true + if test x$enableval = xyes; then + tnccs_dynamic=true + else + tnccs_dynamic=false + fi +else + tnccs_dynamic=false + tnccs_dynamic_given=false + +fi + + # Check whether --enable-kernel-netlink was given. if test "${enable_kernel_netlink+set}" = set; then : enableval=$enable_kernel_netlink; kernel_netlink_given=true @@ -5087,6 +5176,21 @@ else fi +# Check whether --enable-conftest was given. +if test "${enable_conftest+set}" = set; then : + enableval=$enable_conftest; conftest_given=true + if test x$enableval = xyes; then + conftest=true + else + conftest=false + fi +else + conftest=false + conftest_given=false + +fi + + # Check whether --enable-updown was given. if test "${enable_updown+set}" = set; then : enableval=$enable_updown; updown_given=true 
@@ -7769,13 +7873,13 @@ if test "${lt_cv_nm_interface+set}" = set; then : else lt_cv_nm_interface="BSD nm" echo "int some_variable = 0;" > conftest.$ac_ext - (eval echo "\"\$as_me:7772: $ac_compile\"" >&5) + (eval echo "\"\$as_me:7876: $ac_compile\"" >&5) (eval "$ac_compile" 2>conftest.err) cat conftest.err >&5 - (eval echo "\"\$as_me:7775: $NM \\\"conftest.$ac_objext\\\"\"" >&5) + (eval echo "\"\$as_me:7879: $NM \\\"conftest.$ac_objext\\\"\"" >&5) (eval "$NM \"conftest.$ac_objext\"" 2>conftest.err > conftest.out) cat conftest.err >&5 - (eval echo "\"\$as_me:7778: output\"" >&5) + (eval echo "\"\$as_me:7882: output\"" >&5) cat conftest.out >&5 if $GREP 'External.*some_variable' conftest.out > /dev/null; then lt_cv_nm_interface="MS dumpbin" @@ -8980,7 +9084,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 8983 "configure"' > conftest.$ac_ext + echo '#line 9087 "configure"' > conftest.$ac_ext if { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_compile\""; } >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -10242,11 +10346,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10245: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10349: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10249: \$? = $ac_status" >&5 + echo "$as_me:10353: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. 
@@ -10581,11 +10685,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10584: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10688: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:10588: \$? = $ac_status" >&5 + echo "$as_me:10692: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings other than the usual output. @@ -10686,11 +10790,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10689: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10793: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10693: \$? = $ac_status" >&5 + echo "$as_me:10797: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -10741,11 +10845,11 @@ else -e 's:.*FLAGS}\{0,1\} :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:10744: $lt_compile\"" >&5) + (eval echo "\"\$as_me:10848: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:10748: \$? = $ac_status" >&5 + echo "$as_me:10852: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -13125,7 +13229,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 13128 "configure" +#line 13232 "configure" #include "confdefs.h" #if HAVE_DLFCN_H 
@@ -13221,7 +13325,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext <<_LT_EOF -#line 13224 "configure" +#line 13328 "configure" #include "confdefs.h" #if HAVE_DLFCN_H @@ -13855,27 +13959,6 @@ else $as_echo "not found" >&6; } fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid of user \"$ipsecuser\"" >&5 -$as_echo_n "checking for uid of user \"$ipsecuser\"... " >&6; } -ipsecuid=`id -u $ipsecuser 2>/dev/null` -if test -n "$ipsecuid"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecuid" >&5 -$as_echo "$ipsecuid" >&6; } - -else - as_fn_error $? "not found" "$LINENO" 5 -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for gid of group \"$ipsecgroup\"" >&5 -$as_echo_n "checking for gid of group \"$ipsecgroup\"... " >&6; } -ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` -if test -n "$ipsecgid"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ipsecgid" >&5 -$as_echo "$ipsecgid" >&6; } - -else - as_fn_error $? "not found" "$LINENO" 5 -fi - if test x$eap_aka_3gpp2 = xtrue; then gmp=true; @@ -13901,7 +13984,7 @@ if test x$fips_prf = xtrue; then fi fi -if test x$smp = xtrue; then +if test x$smp = xtrue -o x$tnccs_11 = xtrue; then xml=true fi 
@@ -15245,6 +15328,100 @@ else fi +fi + +if test x$soup = xtrue; then + +pkg_failed=no +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for soup" >&5 +$as_echo_n "checking for soup... " >&6; } + +if test -n "$soup_CFLAGS"; then + pkg_cv_soup_CFLAGS="$soup_CFLAGS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsoup-2.4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsoup-2.4") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_soup_CFLAGS=`$PKG_CONFIG --cflags "libsoup-2.4" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi +if test -n "$soup_LIBS"; then + pkg_cv_soup_LIBS="$soup_LIBS" + elif test -n "$PKG_CONFIG"; then + if test -n "$PKG_CONFIG" && \ + { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"libsoup-2.4\""; } >&5 + ($PKG_CONFIG --exists --print-errors "libsoup-2.4") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then + pkg_cv_soup_LIBS=`$PKG_CONFIG --libs "libsoup-2.4" 2>/dev/null` +else + pkg_failed=yes +fi + else + pkg_failed=untried +fi + + + +if test $pkg_failed = yes; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi + if test $_pkg_short_errors_supported = yes; then + soup_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "libsoup-2.4" 2>&1` + else + soup_PKG_ERRORS=`$PKG_CONFIG --print-errors "libsoup-2.4" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$soup_PKG_ERRORS" >&5 + + as_fn_error $? 
"Package requirements (libsoup-2.4) were not met: + +$soup_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +Alternatively, you may set the environment variables soup_CFLAGS +and soup_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details." "$LINENO" 5 +elif test $pkg_failed = untried; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +Alternatively, you may set the environment variables soup_CFLAGS +and soup_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details. + +To get pkg-config, see . +See \`config.log' for more details" "$LINENO" 5 ; } +else + soup_CFLAGS=$pkg_cv_soup_CFLAGS + soup_LIBS=$pkg_cv_soup_LIBS + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +fi + + fi if test x$xml = xtrue; then @@ -15931,17 +16108,6 @@ fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi -if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then - ac_fn_c_check_header_mongrel "$LINENO" "libtnc.h" "ac_cv_header_libtnc_h" "$ac_includes_default" -if test "x$ac_cv_header_libtnc_h" = x""yes; then : - -else - as_fn_error $? "libtnc header libtnc.h not found!" "$LINENO" 5 -fi - - -fi - if test x$uci = xtrue; then { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -luci" >&5 $as_echo_n "checking for main in -luci... " >&6; } 
@@ -16544,6 +16710,15 @@ if test x$curl = xtrue; then libcharon_plugins=${libcharon_plugins}" curl" pluto_plugins=${pluto_plugins}" curl" scepclient_plugins=${scepclient_plugins}" curl" + scripts_plugins=${scripts_plugins}" curl" + + fi + +if test x$soup = xtrue; then + s_plugins=${s_plugins}" soup" + libcharon_plugins=${libcharon_plugins}" soup" + pluto_plugins=${pluto_plugins}" soup" + scripts_plugins=${scripts_plugins}" soup" fi @@ -16552,6 +16727,7 @@ if test x$ldap = xtrue; then libcharon_plugins=${libcharon_plugins}" ldap" pluto_plugins=${pluto_plugins}" ldap" scepclient_plugins=${scepclient_plugins}" ldap" + scripts_plugins=${scripts_plugins}" ldap" fi @@ -16681,6 +16857,12 @@ if test x$revocation = xtrue; then fi +if test x$constraints = xtrue; then + s_plugins=${s_plugins}" constraints" + libcharon_plugins=${libcharon_plugins}" constraints" + + fi + if test x$pubkey = xtrue; then s_plugins=${s_plugins}" pubkey" libcharon_plugins=${libcharon_plugins}" pubkey" @@ -16825,6 +17007,18 @@ if test x$gcm = xtrue; then fi +if test x$af_alg = xtrue; then + s_plugins=${s_plugins}" af-alg" + libcharon_plugins=${libcharon_plugins}" af-alg" + pluto_plugins=${pluto_plugins}" af-alg" + openac_plugins=${openac_plugins}" af-alg" + scepclient_plugins=${scepclient_plugins}" af-alg" + pki_plugins=${pki_plugins}" af-alg" + scripts_plugins=${scripts_plugins}" af-alg" + medsrv_plugins=${medsrv_plugins}" af-alg" + + fi + if test x$xauth = xtrue; then p_plugins=${p_plugins}" xauth" pluto_plugins=${pluto_plugins}" xauth" @@ -16845,6 +17039,12 @@ if test x$attr_sql = xtrue; then fi +if test x$load_tester = xtrue; then + c_plugins=${c_plugins}" load-tester" + libcharon_plugins=${libcharon_plugins}" load-tester" + + fi + if test x$kernel_pfkey = xtrue; then h_plugins=${h_plugins}" kernel-pfkey" libcharon_plugins=${libcharon_plugins}" kernel-pfkey" 
@@ -16880,12 +17080,6 @@ if test x$resolve = xtrue; then fi -if test x$load_tester = xtrue; then - c_plugins=${c_plugins}" load-tester" - libcharon_plugins=${libcharon_plugins}" load-tester" - - fi - if test x$socket_default = xtrue; then c_plugins=${c_plugins}" socket-default" libcharon_plugins=${libcharon_plugins}" socket-default" @@ -17024,15 +17218,9 @@ if test x$eap_tnc = xtrue; then fi -if test x$tnc_imc = xtrue; then - c_plugins=${c_plugins}" tnc-imc" - libcharon_plugins=${libcharon_plugins}" tnc-imc" - - fi - -if test x$tnc_imv = xtrue; then - c_plugins=${c_plugins}" tnc-imv" - libcharon_plugins=${libcharon_plugins}" tnc-imv" +if test x$tnccs_20 = xtrue; then + c_plugins=${c_plugins}" tnccs-20" + libcharon_plugins=${libcharon_plugins}" tnccs-20" fi @@ -17042,9 +17230,21 @@ if test x$tnccs_11 = xtrue; then fi -if test x$tnccs_20 = xtrue; then - c_plugins=${c_plugins}" tnccs-20" - libcharon_plugins=${libcharon_plugins}" tnccs-20" +if test x$tnccs_dynamic = xtrue; then + c_plugins=${c_plugins}" tnccs-dynamic" + libcharon_plugins=${libcharon_plugins}" tnccs-dynamic" + + fi + +if test x$tnc_imc = xtrue; then + c_plugins=${c_plugins}" tnc-imc" + libcharon_plugins=${libcharon_plugins}" tnc-imc" + + fi + +if test x$tnc_imv = xtrue; then + c_plugins=${c_plugins}" tnc-imv" + libcharon_plugins=${libcharon_plugins}" tnc-imv" fi @@ -17147,6 +17347,14 @@ else USE_CURL_FALSE= fi + if test x$soup = xtrue; then + USE_SOUP_TRUE= + USE_SOUP_FALSE='#' +else + USE_SOUP_TRUE='#' + USE_SOUP_FALSE= +fi + if test x$ldap = xtrue; then USE_LDAP_TRUE= USE_LDAP_FALSE='#' @@ -17251,6 +17459,14 @@ else USE_REVOCATION_FALSE= fi + if test x$constraints = xtrue; then + USE_CONSTRAINTS_TRUE= + USE_CONSTRAINTS_FALSE='#' +else + USE_CONSTRAINTS_TRUE='#' + USE_CONSTRAINTS_FALSE= +fi + if test x$pubkey = xtrue; then USE_PUBKEY_TRUE= USE_PUBKEY_FALSE='#' 
@@ -17387,6 +17603,14 @@ else USE_GCM_FALSE= fi + if test x$af_alg = xtrue; then + USE_AF_ALG_TRUE= + USE_AF_ALG_FALSE='#' +else + USE_AF_ALG_TRUE='#' + USE_AF_ALG_FALSE= +fi + if test x$stroke = xtrue; then USE_STROKE_TRUE= @@ -17660,6 +17884,14 @@ else USE_TNCCS_20_FALSE= fi + if test x$tnccs_dynamic = xtrue; then + USE_TNCCS_DYNAMIC_TRUE= + USE_TNCCS_DYNAMIC_FALSE='#' +else + USE_TNCCS_DYNAMIC_TRUE='#' + USE_TNCCS_DYNAMIC_FALSE= +fi + if test x$socket_default = xtrue; then USE_SOCKET_DEFAULT_TRUE= USE_SOCKET_DEFAULT_FALSE='#' @@ -17911,7 +18143,15 @@ else USE_SCRIPTS_FALSE= fi - if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue; then + if test x$conftest = xtrue; then + USE_CONFTEST_TRUE= + USE_CONFTEST_FALSE='#' +else + USE_CONFTEST_TRUE='#' + USE_CONFTEST_FALSE= +fi + + if test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then USE_LIBSTRONGSWAN_TRUE= USE_LIBSTRONGSWAN_FALSE='#' else @@ -17927,6 +18167,14 @@ else USE_LIBHYDRA_FALSE= fi + if test x$charon = xtrue -o x$conftest = xtrue; then + USE_LIBCHARON_TRUE= + USE_LIBCHARON_FALSE='#' +else + USE_LIBCHARON_TRUE='#' + USE_LIBCHARON_FALSE= +fi + if test x$pluto = xtrue -o x$stroke = xtrue; then USE_FILE_CONFIG_TRUE= USE_FILE_CONFIG_FALSE='#' @@ -17935,6 +18183,14 @@ else USE_FILE_CONFIG_FALSE= fi + if test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue; then + USE_IPSEC_SCRIPT_TRUE= + USE_IPSEC_SCRIPT_FALSE='#' +else + USE_IPSEC_SCRIPT_TRUE='#' + USE_IPSEC_SCRIPT_FALSE= +fi + if test x$capabilities = xlibcap; then USE_LIBCAP_TRUE= USE_LIBCAP_FALSE='#' 
@@ -17992,7 +18248,7 @@ fi -ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile 
src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile scripts/Makefile testing/Makefile" +ac_config_files="$ac_config_files Makefile man/Makefile src/Makefile src/include/Makefile 
src/libstrongswan/Makefile src/libstrongswan/plugins/aes/Makefile src/libstrongswan/plugins/des/Makefile src/libstrongswan/plugins/blowfish/Makefile src/libstrongswan/plugins/md4/Makefile src/libstrongswan/plugins/md5/Makefile src/libstrongswan/plugins/sha1/Makefile src/libstrongswan/plugins/sha2/Makefile src/libstrongswan/plugins/fips_prf/Makefile src/libstrongswan/plugins/gmp/Makefile src/libstrongswan/plugins/random/Makefile src/libstrongswan/plugins/hmac/Makefile src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile src/libstrongswan/plugins/padlock/Makefile src/libstrongswan/plugins/openssl/Makefile src/libstrongswan/plugins/gcrypt/Makefile src/libstrongswan/plugins/agent/Makefile src/libstrongswan/plugins/pkcs11/Makefile src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile src/libhydra/plugins/attr_sql/Makefile src/libhydra/plugins/kernel_klips/Makefile src/libhydra/plugins/kernel_netlink/Makefile src/libhydra/plugins/kernel_pfkey/Makefile src/libhydra/plugins/kernel_pfroute/Makefile src/libhydra/plugins/resolve/Makefile src/libfreeswan/Makefile src/libsimaka/Makefile src/libtls/Makefile src/pluto/Makefile src/pluto/plugins/xauth/Makefile src/whack/Makefile src/charon/Makefile src/libcharon/Makefile src/libcharon/plugins/eap_aka/Makefile 
src/libcharon/plugins/eap_aka_3gpp2/Makefile src/libcharon/plugins/eap_identity/Makefile src/libcharon/plugins/eap_md5/Makefile src/libcharon/plugins/eap_gtc/Makefile src/libcharon/plugins/eap_sim/Makefile src/libcharon/plugins/eap_sim_file/Makefile src/libcharon/plugins/eap_simaka_sql/Makefile src/libcharon/plugins/eap_simaka_pseudonym/Makefile src/libcharon/plugins/eap_simaka_reauth/Makefile src/libcharon/plugins/eap_mschapv2/Makefile src/libcharon/plugins/eap_tls/Makefile src/libcharon/plugins/eap_ttls/Makefile src/libcharon/plugins/eap_tnc/Makefile src/libcharon/plugins/eap_radius/Makefile src/libcharon/plugins/tnc_imc/Makefile src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile src/libcharon/plugins/farp/Makefile src/libcharon/plugins/smp/Makefile src/libcharon/plugins/sql/Makefile src/libcharon/plugins/medsrv/Makefile src/libcharon/plugins/medcli/Makefile src/libcharon/plugins/nm/Makefile src/libcharon/plugins/addrblock/Makefile src/libcharon/plugins/uci/Makefile src/libcharon/plugins/ha/Makefile src/libcharon/plugins/led/Makefile src/libcharon/plugins/android/Makefile src/libcharon/plugins/maemo/Makefile src/libcharon/plugins/stroke/Makefile src/libcharon/plugins/updown/Makefile src/libcharon/plugins/dhcp/Makefile src/libcharon/plugins/unit_tester/Makefile src/libcharon/plugins/load_tester/Makefile src/stroke/Makefile src/ipsec/Makefile src/starter/Makefile src/_updown/Makefile src/_updown_espmark/Makefile src/_copyright/Makefile src/openac/Makefile src/scepclient/Makefile src/pki/Makefile src/dumm/Makefile src/dumm/ext/extconf.rb src/libfast/Makefile src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile src/conftest/Makefile scripts/Makefile testing/Makefile" cat >confcache <<\_ACEOF # This file is a shell 
script that caches the results of configure @@ -18153,6 +18409,10 @@ if test -z "${USE_CURL_TRUE}" && test -z "${USE_CURL_FALSE}"; then as_fn_error $? "conditional \"USE_CURL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_SOUP_TRUE}" && test -z "${USE_SOUP_FALSE}"; then + as_fn_error $? "conditional \"USE_SOUP\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LDAP_TRUE}" && test -z "${USE_LDAP_FALSE}"; then as_fn_error $? "conditional \"USE_LDAP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18205,6 +18465,10 @@ if test -z "${USE_REVOCATION_TRUE}" && test -z "${USE_REVOCATION_FALSE}"; then as_fn_error $? "conditional \"USE_REVOCATION\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_CONSTRAINTS_TRUE}" && test -z "${USE_CONSTRAINTS_FALSE}"; then + as_fn_error $? "conditional \"USE_CONSTRAINTS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_PUBKEY_TRUE}" && test -z "${USE_PUBKEY_FALSE}"; then as_fn_error $? "conditional \"USE_PUBKEY\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -18273,6 +18537,10 @@ if test -z "${USE_GCM_TRUE}" && test -z "${USE_GCM_FALSE}"; then as_fn_error $? "conditional \"USE_GCM\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_AF_ALG_TRUE}" && test -z "${USE_AF_ALG_FALSE}"; then + as_fn_error $? "conditional \"USE_AF_ALG\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_STROKE_TRUE}" && test -z "${USE_STROKE_FALSE}"; then as_fn_error $? "conditional \"USE_STROKE\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18409,6 +18677,10 @@ if test -z "${USE_TNCCS_20_TRUE}" && test -z "${USE_TNCCS_20_FALSE}"; then as_fn_error $? "conditional \"USE_TNCCS_20\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_TNCCS_DYNAMIC_TRUE}" && test -z "${USE_TNCCS_DYNAMIC_FALSE}"; then + as_fn_error $? "conditional \"USE_TNCCS_DYNAMIC\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_SOCKET_DEFAULT_TRUE}" && test -z "${USE_SOCKET_DEFAULT_FALSE}"; then as_fn_error $? "conditional \"USE_SOCKET_DEFAULT\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -18533,6 +18805,10 @@ if test -z "${USE_SCRIPTS_TRUE}" && test -z "${USE_SCRIPTS_FALSE}"; then as_fn_error $? "conditional \"USE_SCRIPTS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_CONFTEST_TRUE}" && test -z "${USE_CONFTEST_FALSE}"; then + as_fn_error $? "conditional \"USE_CONFTEST\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LIBSTRONGSWAN_TRUE}" && test -z "${USE_LIBSTRONGSWAN_FALSE}"; then as_fn_error $? "conditional \"USE_LIBSTRONGSWAN\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -18541,10 +18817,18 @@ if test -z "${USE_LIBHYDRA_TRUE}" && test -z "${USE_LIBHYDRA_FALSE}"; then as_fn_error $? "conditional \"USE_LIBHYDRA\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_LIBCHARON_TRUE}" && test -z "${USE_LIBCHARON_FALSE}"; then + as_fn_error $? "conditional \"USE_LIBCHARON\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_FILE_CONFIG_TRUE}" && test -z "${USE_FILE_CONFIG_FALSE}"; then as_fn_error $? "conditional \"USE_FILE_CONFIG\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${USE_IPSEC_SCRIPT_TRUE}" && test -z "${USE_IPSEC_SCRIPT_FALSE}"; then + as_fn_error $? "conditional \"USE_IPSEC_SCRIPT\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${USE_LIBCAP_TRUE}" && test -z "${USE_LIBCAP_FALSE}"; then as_fn_error $? "conditional \"USE_LIBCAP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 
@@ -18973,7 +19257,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by strongSwan $as_me 4.5.0, which was +This file was extended by strongSwan $as_me 4.5.1, which was generated by GNU Autoconf 2.67. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -19030,7 +19314,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -strongSwan config.status 4.5.0 +strongSwan config.status 4.5.1 configured by $0, generated by GNU Autoconf 2.67, with options \\"\$ac_cs_config\\" 
@@ -19424,12 +19708,14 @@ do "src/libstrongswan/plugins/xcbc/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/xcbc/Makefile" ;; "src/libstrongswan/plugins/x509/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/x509/Makefile" ;; "src/libstrongswan/plugins/revocation/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/revocation/Makefile" ;; + "src/libstrongswan/plugins/constraints/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/constraints/Makefile" ;; "src/libstrongswan/plugins/pubkey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pubkey/Makefile" ;; "src/libstrongswan/plugins/pkcs1/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pkcs1/Makefile" ;; "src/libstrongswan/plugins/pgp/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pgp/Makefile" ;; "src/libstrongswan/plugins/dnskey/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/dnskey/Makefile" ;; "src/libstrongswan/plugins/pem/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/pem/Makefile" ;; "src/libstrongswan/plugins/curl/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/curl/Makefile" ;; + "src/libstrongswan/plugins/soup/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/soup/Makefile" ;; "src/libstrongswan/plugins/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ldap/Makefile" ;; "src/libstrongswan/plugins/mysql/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/mysql/Makefile" ;; "src/libstrongswan/plugins/sqlite/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/sqlite/Makefile" ;; 
@@ -19441,6 +19727,7 @@ do "src/libstrongswan/plugins/ctr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ctr/Makefile" ;; "src/libstrongswan/plugins/ccm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/ccm/Makefile" ;; "src/libstrongswan/plugins/gcm/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/gcm/Makefile" ;; + "src/libstrongswan/plugins/af_alg/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/af_alg/Makefile" ;; "src/libstrongswan/plugins/test_vectors/Makefile") CONFIG_FILES="$CONFIG_FILES src/libstrongswan/plugins/test_vectors/Makefile" ;; "src/libhydra/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/Makefile" ;; "src/libhydra/plugins/attr/Makefile") CONFIG_FILES="$CONFIG_FILES src/libhydra/plugins/attr/Makefile" ;; @@ -19477,6 +19764,7 @@ do "src/libcharon/plugins/tnc_imv/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnc_imv/Makefile" ;; "src/libcharon/plugins/tnccs_11/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_11/Makefile" ;; "src/libcharon/plugins/tnccs_20/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_20/Makefile" ;; + "src/libcharon/plugins/tnccs_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/tnccs_dynamic/Makefile" ;; "src/libcharon/plugins/socket_default/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_default/Makefile" ;; "src/libcharon/plugins/socket_raw/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_raw/Makefile" ;; "src/libcharon/plugins/socket_dynamic/Makefile") CONFIG_FILES="$CONFIG_FILES src/libcharon/plugins/socket_dynamic/Makefile" ;; 
@@ -19512,6 +19800,7 @@ do "src/manager/Makefile") CONFIG_FILES="$CONFIG_FILES src/manager/Makefile" ;; "src/medsrv/Makefile") CONFIG_FILES="$CONFIG_FILES src/medsrv/Makefile" ;; "src/checksum/Makefile") CONFIG_FILES="$CONFIG_FILES src/checksum/Makefile" ;; + "src/conftest/Makefile") CONFIG_FILES="$CONFIG_FILES src/conftest/Makefile" ;; "scripts/Makefile") CONFIG_FILES="$CONFIG_FILES scripts/Makefile" ;; "testing/Makefile") CONFIG_FILES="$CONFIG_FILES testing/Makefile" ;; diff --git a/configure.in b/configure.in index 83c35d614..823456239 100644 --- a/configure.in +++ b/configure.in @@ -16,7 +16,7 @@ dnl =========================== dnl initialize & set some vars dnl =========================== -AC_INIT(strongSwan,4.5.0) +AC_INIT(strongSwan,4.5.1) AM_INIT_AUTOMAKE(tar-ustar) AC_CONFIG_MACRO_DIR([m4/config]) PKG_PROG_PKG_CONFIG @@ -66,6 +66,7 @@ AC_ARG_WITH( m4_include(m4/macros/enable-disable.m4) ARG_ENABL_SET([curl], [enable CURL fetcher plugin to fetch files via libcurl. Requires libcurl.]) +ARG_ENABL_SET([soup], [enable soup fetcher plugin to fetch from HTTP via libsoup. Requires libsoup.]) ARG_ENABL_SET([ldap], [enable LDAP fetching plugin to fetch files via libldap. Requires openLDAP.]) ARG_DISBL_SET([aes], [disable AES software implementation plugin.]) ARG_DISBL_SET([des], [disable DES/3DES software implementation plugin.]) @@ -79,6 +80,7 @@ ARG_DISBL_SET([gmp], [disable GNU MP (libgmp) based crypto implementa ARG_DISBL_SET([random], [disable RNG implementation on top of /dev/(u)random.]) ARG_DISBL_SET([x509], [disable X509 certificate implementation plugin.]) ARG_DISBL_SET([revocation], [disable X509 CRL/OCSP revocation check plugin.]) +ARG_DISBL_SET([constraints], [disable advanced X509 constraint checking plugin.]) ARG_DISBL_SET([pubkey], [disable RAW public key support plugin.]) ARG_DISBL_SET([pkcs1], [disable PKCS1 key decoding plugin.]) ARG_DISBL_SET([pgp], [disable PGP key decoding plugin.]) 
@@ -86,6 +88,7 @@ ARG_DISBL_SET([dnskey], [disable DNS RR key decoding plugin.]) ARG_DISBL_SET([pem], [disable PEM decoding plugin.]) ARG_DISBL_SET([hmac], [disable HMAC crypto implementation plugin.]) ARG_DISBL_SET([xcbc], [disable xcbc crypto implementation plugin.]) +ARG_ENABL_SET([af-alg], [enable AF_ALG crypto interface to Linux Crypto API.]) ARG_ENABL_SET([test-vectors], [enable plugin providing crypto test vectors.]) ARG_ENABL_SET([mysql], [enable MySQL database support. Requires libmysqlclient_r.]) ARG_ENABL_SET([sqlite], [enable SQLite database support. Requires libsqlite3.]) @@ -119,6 +122,7 @@ ARG_ENABL_SET([tnc-imc], [enable TNC IMC module.]) ARG_ENABL_SET([tnc-imv], [enable TNC IMV module.]) ARG_ENABL_SET([tnccs-11], [enable TNCCS 1.1 protocol module.]) ARG_ENABL_SET([tnccs-20], [enable TNCCS 2.0 protocol module.]) +ARG_ENABL_SET([tnccs-dynamic], [enable dynamic TNCCS protocol discovery module.]) ARG_DISBL_SET([kernel-netlink], [disable the netlink kernel interface.]) ARG_ENABL_SET([kernel-pfkey], [enable the PF_KEY kernel interface.]) ARG_ENABL_SET([kernel-pfroute], [enable the PF_ROUTE kernel interface.]) @@ -142,6 +146,7 @@ ARG_DISBL_SET([threads], [disable the use of threads in pluto. Charon alw ARG_DISBL_SET([charon], [disable the IKEv2 keying daemon charon.]) ARG_DISBL_SET([tools], [disable additional utilities (openac, scepclient and pki).]) ARG_DISBL_SET([scripts], [disable additional utilities (found in directory scripts).]) +ARG_ENABL_SET([conftest], [enforce Suite B conformance test framework.]) ARG_DISBL_SET([updown], [disable updown firewall script plugin.]) ARG_DISBL_SET([attr], [disable strongswan.conf based configuration attribute plugin.]) ARG_ENABL_SET([attr-sql], [enable SQL based configuration attribute plugin.]) 
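Review bot: The help string for the new `conftest` option reads `enforce Suite B conformance test framework`, but `ARG_ENABL_SET` defines an `--enable-*` switch, so "enforce" looks like a slip for "enable" and will appear verbatim in `./configure --help`. Suggest `ARG_ENABL_SET([conftest], [enable Suite B conformance test framework.])`. The other options added on this line (`af-alg`, `tnccs-dynamic`) follow the usual "enable …" wording.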
@@ -201,24 +206,6 @@ else AC_MSG_RESULT([not found]) fi -dnl translate user/group to numercial ids -AC_MSG_CHECKING([for uid of user "$ipsecuser"]) -ipsecuid=`id -u $ipsecuser 2>/dev/null` -if test -n "$ipsecuid"; then - AC_MSG_RESULT([$ipsecuid]) - AC_SUBST(ipsecuid) -else - AC_MSG_ERROR([not found]) -fi -AC_MSG_CHECKING([for gid of group "$ipsecgroup"]) -ipsecgid=`$EGREP "^$ipsecgroup:" /etc/group | $AWK -F: '{ print $3 }'` -if test -n "$ipsecgid"; then - AC_MSG_RESULT([$ipsecgid]) - AC_SUBST(ipsecgid) -else - AC_MSG_ERROR([not found]) -fi - dnl ========================= dnl dependency calculation dnl ========================= @@ -247,7 +234,7 @@ if test x$fips_prf = xtrue; then fi fi -if test x$smp = xtrue; then +if test x$smp = xtrue -o x$tnccs_11 = xtrue; then xml=true fi @@ -513,6 +500,12 @@ if test x$curl = xtrue; then AC_CHECK_HEADER([curl/curl.h],,[AC_MSG_ERROR([CURL header curl/curl.h not found!])]) fi +if test x$soup = xtrue; then + PKG_CHECK_MODULES(soup, [libsoup-2.4]) + AC_SUBST(soup_CFLAGS) + AC_SUBST(soup_LIBS) +fi + if test x$xml = xtrue; then PKG_CHECK_MODULES(xml, [libxml-2.0]) AC_SUBST(xml_CFLAGS) @@ -607,10 +600,6 @@ if test x$gcrypt = xtrue; then ) fi -if test x$tnccs_11 = xtrue -o x$tnc_imc = xtrue -o x$tnc_imv = xtrue; then - AC_CHECK_HEADER([libtnc.h],,[AC_MSG_ERROR([libtnc header libtnc.h not found!])]) -fi - if test x$uci = xtrue; then AC_HAVE_LIBRARY([uci],[LIBS="$LIBS"],[AC_MSG_ERROR([UCI library libuci not found])]) AC_CHECK_HEADER([uci.h],,[AC_MSG_ERROR([UCI header uci.h not found!])]) 
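Review bot: With the `id -u` / `/etc/group` lookup removed, configure no longer verifies that `$ipsecuser` and `$ipsecgroup` exist, and nothing in this hunk replaces that check, so a mistyped `--with-user`/`--with-group` is now caught only when the daemon tries to drop privileges at runtime (presumably a `getpwnam`-style lookup added elsewhere in this release; not visible here). That is the right trade for cross-compiling and packaging, but the runtime lookup must fail closed — refuse to start rather than keep running as root — and the `--with-user`/`--with-group` help text or NEWS should state that the names are resolved on the target host, e.g. `dnl user/group names are resolved at runtime on the target system`. Separately, dropping the `libtnc.h` check while `tnccs-11`/`tnc-imc`/`tnc-imv` remain selectable is only safe if those plugins no longer link libtnc; the new `x$tnccs_11 = xtrue` → `xml=true` dependency suggests a libxml2-based implementation, so a one-line `dnl` note saying TNCCS 1.1 now needs libxml2 instead of libtnc would save the next reader the archaeology.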
@@ -708,8 +697,9 @@ h_plugins= s_plugins= ADD_PLUGIN([test-vectors], [s libcharon pluto openac scepclient pki]) -ADD_PLUGIN([curl], [s libcharon pluto scepclient]) -ADD_PLUGIN([ldap], [s libcharon pluto scepclient]) +ADD_PLUGIN([curl], [s libcharon pluto scepclient scripts]) +ADD_PLUGIN([soup], [s libcharon pluto scripts]) +ADD_PLUGIN([ldap], [s libcharon pluto scepclient scripts]) ADD_PLUGIN([mysql], [s libcharon pluto pool manager medsrv]) ADD_PLUGIN([sqlite], [s libcharon pluto pool manager medsrv]) ADD_PLUGIN([aes], [s libcharon pluto openac scepclient pki scripts]) @@ -722,6 +712,7 @@ ADD_PLUGIN([md5], [s libcharon pluto openac scepclient pki]) ADD_PLUGIN([random], [s libcharon pluto openac scepclient pki scripts medsrv]) ADD_PLUGIN([x509], [s libcharon pluto openac scepclient pki scripts]) ADD_PLUGIN([revocation], [s libcharon]) +ADD_PLUGIN([constraints], [s libcharon]) ADD_PLUGIN([pubkey], [s libcharon]) ADD_PLUGIN([pkcs1], [s libcharon pluto openac scepclient pki scripts manager medsrv]) ADD_PLUGIN([pgp], [s libcharon pluto]) @@ -739,15 +730,16 @@ ADD_PLUGIN([hmac], [s libcharon pluto scripts]) ADD_PLUGIN([ctr], [s libcharon scripts]) ADD_PLUGIN([ccm], [s libcharon scripts]) ADD_PLUGIN([gcm], [s libcharon scripts]) +ADD_PLUGIN([af-alg], [s libcharon pluto openac scepclient pki scripts medsrv]) ADD_PLUGIN([xauth], [p pluto]) ADD_PLUGIN([attr], [h libcharon pluto]) ADD_PLUGIN([attr-sql], [h libcharon pluto]) +ADD_PLUGIN([load-tester], [c libcharon]) ADD_PLUGIN([kernel-pfkey], [h libcharon pluto]) ADD_PLUGIN([kernel-pfroute], [h libcharon pluto]) ADD_PLUGIN([kernel-klips], [h libcharon pluto]) ADD_PLUGIN([kernel-netlink], [h libcharon pluto]) ADD_PLUGIN([resolve], [h libcharon pluto]) -ADD_PLUGIN([load-tester], [c libcharon]) ADD_PLUGIN([socket-default], [c libcharon]) ADD_PLUGIN([socket-raw], [c libcharon]) ADD_PLUGIN([socket-dynamic], [c libcharon]) 
@@ -771,10 +763,11 @@ ADD_PLUGIN([eap-radius], [c libcharon]) ADD_PLUGIN([eap-tls], [c libcharon]) ADD_PLUGIN([eap-ttls], [c libcharon]) ADD_PLUGIN([eap-tnc], [c libcharon]) +ADD_PLUGIN([tnccs-20], [c libcharon]) +ADD_PLUGIN([tnccs-11], [c libcharon]) +ADD_PLUGIN([tnccs-dynamic], [c libcharon]) ADD_PLUGIN([tnc-imc], [c libcharon]) ADD_PLUGIN([tnc-imv], [c libcharon]) -ADD_PLUGIN([tnccs-11], [c libcharon]) -ADD_PLUGIN([tnccs-20], [c libcharon]) ADD_PLUGIN([medsrv], [c libcharon]) ADD_PLUGIN([medcli], [c libcharon]) ADD_PLUGIN([nm], [c libcharon]) @@ -810,6 +803,7 @@ dnl libstrongswan plugins dnl ===================== AM_CONDITIONAL(USE_TEST_VECTORS, test x$test_vectors = xtrue) AM_CONDITIONAL(USE_CURL, test x$curl = xtrue) +AM_CONDITIONAL(USE_SOUP, test x$soup = xtrue) AM_CONDITIONAL(USE_LDAP, test x$ldap = xtrue) AM_CONDITIONAL(USE_AES, test x$aes = xtrue) AM_CONDITIONAL(USE_DES, test x$des = xtrue) @@ -823,6 +817,7 @@ AM_CONDITIONAL(USE_GMP, test x$gmp = xtrue) AM_CONDITIONAL(USE_RANDOM, test x$random = xtrue) AM_CONDITIONAL(USE_X509, test x$x509 = xtrue) AM_CONDITIONAL(USE_REVOCATION, test x$revocation = xtrue) +AM_CONDITIONAL(USE_CONSTRAINTS, test x$constraints = xtrue) AM_CONDITIONAL(USE_PUBKEY, test x$pubkey = xtrue) AM_CONDITIONAL(USE_PKCS1, test x$pkcs1 = xtrue) AM_CONDITIONAL(USE_PGP, test x$pgp = xtrue) @@ -840,6 +835,7 @@ AM_CONDITIONAL(USE_PKCS11, test x$pkcs11 = xtrue) AM_CONDITIONAL(USE_CTR, test x$ctr = xtrue) AM_CONDITIONAL(USE_CCM, test x$ccm = xtrue) AM_CONDITIONAL(USE_GCM, test x$gcm = xtrue) +AM_CONDITIONAL(USE_AF_ALG, test x$af_alg = xtrue) dnl charon plugins dnl ============== 
@@ -877,6 +873,7 @@ AM_CONDITIONAL(USE_TNC_IMC, test x$tnc_imc = xtrue) AM_CONDITIONAL(USE_TNC_IMV, test x$tnc_imv = xtrue) AM_CONDITIONAL(USE_TNCCS_11, test x$tnccs_11 = xtrue) AM_CONDITIONAL(USE_TNCCS_20, test x$tnccs_20 = xtrue) +AM_CONDITIONAL(USE_TNCCS_DYNAMIC, test x$tnccs_dynamic = xtrue) AM_CONDITIONAL(USE_SOCKET_DEFAULT, test x$socket_default = xtrue) AM_CONDITIONAL(USE_SOCKET_RAW, test x$socket_raw = xtrue) AM_CONDITIONAL(USE_SOCKET_DYNAMIC, test x$socket_dynamic = xtrue) @@ -917,9 +914,12 @@ AM_CONDITIONAL(USE_THREADS, test x$threads = xtrue) AM_CONDITIONAL(USE_CHARON, test x$charon = xtrue) AM_CONDITIONAL(USE_TOOLS, test x$tools = xtrue) AM_CONDITIONAL(USE_SCRIPTS, test x$scripts = xtrue) -AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue) +AM_CONDITIONAL(USE_CONFTEST, test x$conftest = xtrue) +AM_CONDITIONAL(USE_LIBSTRONGSWAN, test x$charon = xtrue -o x$pluto = xtrue -o x$tools = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBHYDRA, test x$charon = xtrue -o x$pluto = xtrue) +AM_CONDITIONAL(USE_LIBCHARON, test x$charon = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_FILE_CONFIG, test x$pluto = xtrue -o x$stroke = xtrue) +AM_CONDITIONAL(USE_IPSEC_SCRIPT, test x$pluto = xtrue -o x$stroke = xtrue -o x$tools = xtrue -o x$conftest = xtrue) AM_CONDITIONAL(USE_LIBCAP, test x$capabilities = xlibcap) AM_CONDITIONAL(USE_VSTR, test x$vstr = xtrue) AM_CONDITIONAL(USE_SIMAKA, test x$simaka = xtrue) 
@@ -965,12 +965,14 @@ AC_OUTPUT( src/libstrongswan/plugins/xcbc/Makefile src/libstrongswan/plugins/x509/Makefile src/libstrongswan/plugins/revocation/Makefile + src/libstrongswan/plugins/constraints/Makefile src/libstrongswan/plugins/pubkey/Makefile src/libstrongswan/plugins/pkcs1/Makefile src/libstrongswan/plugins/pgp/Makefile src/libstrongswan/plugins/dnskey/Makefile src/libstrongswan/plugins/pem/Makefile src/libstrongswan/plugins/curl/Makefile + src/libstrongswan/plugins/soup/Makefile src/libstrongswan/plugins/ldap/Makefile src/libstrongswan/plugins/mysql/Makefile src/libstrongswan/plugins/sqlite/Makefile @@ -982,6 +984,7 @@ AC_OUTPUT( src/libstrongswan/plugins/ctr/Makefile src/libstrongswan/plugins/ccm/Makefile src/libstrongswan/plugins/gcm/Makefile + src/libstrongswan/plugins/af_alg/Makefile src/libstrongswan/plugins/test_vectors/Makefile src/libhydra/Makefile src/libhydra/plugins/attr/Makefile @@ -1018,6 +1021,7 @@ AC_OUTPUT( src/libcharon/plugins/tnc_imv/Makefile src/libcharon/plugins/tnccs_11/Makefile src/libcharon/plugins/tnccs_20/Makefile + src/libcharon/plugins/tnccs_dynamic/Makefile src/libcharon/plugins/socket_default/Makefile src/libcharon/plugins/socket_raw/Makefile src/libcharon/plugins/socket_dynamic/Makefile @@ -1053,6 +1057,7 @@ AC_OUTPUT( src/manager/Makefile src/medsrv/Makefile src/checksum/Makefile + src/conftest/Makefile scripts/Makefile testing/Makefile ) diff --git a/ltmain.sh b/ltmain.sh old mode 100644 new mode 100755 diff --git a/man/Makefile.in b/man/Makefile.in index 4388e318b..f0d8cde7d 100644 --- a/man/Makefile.in +++ b/man/Makefile.in @@ -198,9 +198,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -239,6 +237,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/man/ipsec.conf.5 b/man/ipsec.conf.5 index b1e60b280..1b74fab08 100644 --- a/man/ipsec.conf.5 +++ b/man/ipsec.conf.5 @@ -1,4 +1,4 @@ -.TH IPSEC.CONF 5 "2010-10-19" "4.5.0rc2" "strongSwan" +.TH IPSEC.CONF 5 "2010-10-19" "4.5.1" "strongSwan" .SH NAME ipsec.conf \- IPsec configuration and connections .SH DESCRIPTION @@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of +to (require the) use of the Extensible Authentication Protocol. +To require a trustchain public key strength for the remote side, specify the +key type followed by the strength in bits (for example +.BR rsa-2048 +or +.BR ecdsa-256 ). +For .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , @@ -589,7 +594,7 @@ sets to the distinguished name of the certificate's subject and .B leftca to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a +The left participant's ID can be overridden by specifying a .B leftid value which must be certified by the certificate, though. .TP @@ -598,6 +603,10 @@ Same as .B leftcert, but for the second authentication round (IKEv2 only). .TP +.BR leftcertpolicy " = " +Comma separated list of certificate policy OIDs the peers certificate must have. +OIDs are specified using the numerical dotted representation (IKEv2 only). +.TP .BR leftfirewall " = yes | " no whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, 
@@ -953,6 +962,13 @@ synonym for .BR reqid " = " sets the reqid for a given connection to a pre-configured fixed value. .TP +.BR tfc " = " +number of bytes to pad ESP payload data to. Traffic Flow Confidentiality +is currently supported in IKEv2 and applies to outgoing packets only. The +special value +.BR %mtu +fills up ESP packets with padding to have the size of the MTU. +.TP .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop" the type of the connection; currently the accepted values are diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index 187f36957..9a789acef 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -544,8 +544,13 @@ for public key authentication (RSA/ECDSA), .B psk for pre-shared key authentication and .B eap -to (require the) use of the Extensible Authentication Protocol. In the case -of +to (require the) use of the Extensible Authentication Protocol. +To require a trustchain public key strength for the remote side, specify the +key type followed by the strength in bits (for example +.BR rsa-2048 +or +.BR ecdsa-256 ). +For .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , @@ -589,7 +594,7 @@ sets to the distinguished name of the certificate's subject and .B leftca to the distinguished name of the certificate's issuer. -The left participant's ID can be overriden by specifying a +The left participant's ID can be overridden by specifying a .B leftid value which must be certified by the certificate, though. .TP @@ -598,6 +603,10 @@ Same as .B leftcert, but for the second authentication round (IKEv2 only). .TP +.BR leftcertpolicy " = " +Comma separated list of certificate policy OIDs the peers certificate must have. +OIDs are specified using the numerical dotted representation (IKEv2 only). +.TP .BR leftfirewall " = yes | " no whether the left participant is doing forwarding-firewalling (including masquerading) using iptables for traffic from \fIleftsubnet\fR, 
@@ -953,6 +962,13 @@ synonym for .BR reqid " = " sets the reqid for a given connection to a pre-configured fixed value. .TP +.BR tfc " = " +number of bytes to pad ESP payload data to. Traffic Flow Confidentiality +is currently supported in IKEv2 and applies to outgoing packets only. The +special value +.BR %mtu +fills up ESP packets with padding to have the size of the MTU. +.TP .BR type " = " tunnel " | transport | transport_proxy | passthrough | drop" the type of the connection; currently the accepted values are diff --git a/man/ipsec.secrets.5 b/man/ipsec.secrets.5 index 1e586a491..3eb60afcf 100644 --- a/man/ipsec.secrets.5 +++ b/man/ipsec.secrets.5 @@ -1,4 +1,4 @@ -.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.0rc2" "strongSwan" +.TH IPSEC.SECRETS 5 "2010-05-30" "4.5.1" "strongSwan" .SH NAME ipsec.secrets \- secrets for IKE/IPsec authentication .SH DESCRIPTION diff --git a/man/strongswan.conf.5 b/man/strongswan.conf.5 index 2a8703503..2e58a87d0 100644 --- a/man/strongswan.conf.5 +++ b/man/strongswan.conf.5 @@ -1,4 +1,4 @@ -.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.0rc2" "strongSwan" +.TH STRONGSWAN.CONF 5 "2010-09-09" "4.5.1" "strongSwan" .SH NAME strongswan.conf \- strongSwan configuration file .SH DESCRIPTION 
@@ -60,6 +60,61 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. +.SH INCLUDING FILES +Using the +.B include +statement it is possible to include other files into strongswan.conf, e.g. +.PP +.EX + include /some/path/*.conf +.EE +.PP +If the file name is not an absolute path, it is considered to be relative +to the directory of the file containing the include statement. The file name +may include shell wildcards (see +.IR sh (1)). +Also, such inclusions can be nested. +.PP +Sections loaded from included files +.I extend +previously loaded sections; already existing values are +.IR replaced . +It is important to note that settings are added relative to the section the +include statement is in. +.PP +As an example, the following three files result in the same final +config as the one given above: +.PP +.EX + a = b + section-one { + somevalue = before include + include include.conf + } + include other.conf + +include.conf: + # settings loaded from this file are added to section-one + # the following replaces the previous value + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + +other.conf: + # this extends section-one and subsection + section-one { + subsection { + # this replaces the previous value + othervalue = xxx + } + } + section-two { + x = 12 + } +.EE + .SH READING VALUES Values are accessed using a dot-separated section list and a key. With reference to the example above, accessing @@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup .TP .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output +.TP +.BR libstrongswan.x509.enforce_critical " [yes]" +Discard certificates with unsupported or unknown critical extensions .SS libstrongswan.plugins subsection .TP .BR libstrongswan.plugins.attr-sql.database 
@@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules - .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" - -.TP -.BR libstrongswan.plugins.x509.enforce_critical " [no]" -Discard certificates with unsupported or unknown critical extensions .SS libtls section .TP .BR libtls.cipher diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in index 77db9a3c0..47aa6d552 100644 --- a/man/strongswan.conf.5.in +++ b/man/strongswan.conf.5.in 
@@ -60,6 +60,61 @@ An example file in this format might look like this: .PP Indentation is optional, you may use tabs or spaces. +.SH INCLUDING FILES +Using the +.B include +statement it is possible to include other files into strongswan.conf, e.g. +.PP +.EX + include /some/path/*.conf +.EE +.PP +If the file name is not an absolute path, it is considered to be relative +to the directory of the file containing the include statement. The file name +may include shell wildcards (see +.IR sh (1)). +Also, such inclusions can be nested. +.PP +Sections loaded from included files +.I extend +previously loaded sections; already existing values are +.IR replaced . +It is important to note that settings are added relative to the section the +include statement is in. +.PP +As an example, the following three files result in the same final +config as the one given above: +.PP +.EX + a = b + section-one { + somevalue = before include + include include.conf + } + include other.conf + +include.conf: + # settings loaded from this file are added to section-one + # the following replaces the previous value + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + +other.conf: + # this extends section-one and subsection + section-one { + subsection { + # this replaces the previous value + othervalue = xxx + } + } + section-two { + x = 12 + } +.EE + .SH READING VALUES Values are accessed using a dot-separated section list and a key. With reference to the example above, accessing @@ -405,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup .TP .BR libstrongswan.leak_detective.detailed " [yes]" Includes source file names and line numbers in leak detective output +.TP +.BR libstrongswan.x509.enforce_critical " [yes]" +Discard certificates with unsupported or unknown critical extensions .SS libstrongswan.plugins subsection .TP .BR libstrongswan.plugins.attr-sql.database 
@@ -420,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys! ENGINE ID to use in the OpenSSL plugin .TP .BR libstrongswan.plugins.pkcs11.modules - .TP .BR libstrongswan.plugins.pkcs11.use_hasher " [no]" - -.TP -.BR libstrongswan.plugins.x509.enforce_critical " [no]" -Discard certificates with unsupported or unknown critical extensions .SS libtls section .TP .BR libtls.cipher diff --git a/scripts/Makefile.am b/scripts/Makefile.am index 827fb7dfb..2cd8b499b 100644 --- a/scripts/Makefile.am +++ b/scripts/Makefile.am @@ -2,8 +2,8 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libtls AM_CFLAGS = \ -DPLUGINS="\"${scripts_plugins}\"" -noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql \ - thread_analysis dh_speed pubkey_speed crypt_burn +noinst_PROGRAMS = bin2array bin2sql id2sql key2keyid keyid2sql oid2der \ + thread_analysis dh_speed pubkey_speed crypt_burn fetch if USE_TLS noinst_PROGRAMS += tls_test @@ -17,16 +17,20 @@ bin2sql_SOURCES = bin2sql.c id2sql_SOURCES = id2sql.c key2keyid_SOURCES = key2keyid.c keyid2sql_SOURCES = keyid2sql.c +oid2der_SOURCES = oid2der.c thread_analysis_SOURCES = thread_analysis.c dh_speed_SOURCES = dh_speed.c pubkey_speed_SOURCES = pubkey_speed.c crypt_burn_SOURCES = crypt_burn.c +fetch_SOURCES = fetch.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid.o : $(top_builddir)/config.status 
diff --git a/scripts/Makefile.in b/scripts/Makefile.in index e28424350..891555dcd 100644 --- a/scripts/Makefile.in +++ b/scripts/Makefile.in @@ -35,8 +35,9 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ noinst_PROGRAMS = bin2array$(EXEEXT) bin2sql$(EXEEXT) id2sql$(EXEEXT) \ - key2keyid$(EXEEXT) keyid2sql$(EXEEXT) thread_analysis$(EXEEXT) \ - dh_speed$(EXEEXT) pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) + key2keyid$(EXEEXT) keyid2sql$(EXEEXT) oid2der$(EXEEXT) \ + thread_analysis$(EXEEXT) dh_speed$(EXEEXT) \ + pubkey_speed$(EXEEXT) crypt_burn$(EXEEXT) fetch$(EXEEXT) subdir = scripts DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -69,6 +70,10 @@ am_dh_speed_OBJECTS = dh_speed.$(OBJEXT) dh_speed_OBJECTS = $(am_dh_speed_OBJECTS) dh_speed_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +am_fetch_OBJECTS = fetch.$(OBJEXT) +fetch_OBJECTS = $(am_fetch_OBJECTS) +fetch_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la am_id2sql_OBJECTS = id2sql.$(OBJEXT) id2sql_OBJECTS = $(am_id2sql_OBJECTS) id2sql_DEPENDENCIES = \ @@ -81,6 +86,10 @@ am_keyid2sql_OBJECTS = keyid2sql.$(OBJEXT) keyid2sql_OBJECTS = $(am_keyid2sql_OBJECTS) keyid2sql_DEPENDENCIES = \ $(top_builddir)/src/libstrongswan/libstrongswan.la +am_oid2der_OBJECTS = oid2der.$(OBJEXT) +oid2der_OBJECTS = $(am_oid2der_OBJECTS) +oid2der_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la am_pubkey_speed_OBJECTS = pubkey_speed.$(OBJEXT) pubkey_speed_OBJECTS = $(am_pubkey_speed_OBJECTS) pubkey_speed_DEPENDENCIES = \ 
@@ -102,13 +111,15 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ - $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \ - $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ - $(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) + $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \ + $(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ + $(oid2der_SOURCES) $(pubkey_speed_SOURCES) \ + $(thread_analysis_SOURCES) DIST_SOURCES = $(bin2array_SOURCES) $(bin2sql_SOURCES) \ - $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(id2sql_SOURCES) \ - $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ - $(pubkey_speed_SOURCES) $(thread_analysis_SOURCES) + $(crypt_burn_SOURCES) $(dh_speed_SOURCES) $(fetch_SOURCES) \ + $(id2sql_SOURCES) $(key2keyid_SOURCES) $(keyid2sql_SOURCES) \ + $(oid2der_SOURCES) $(pubkey_speed_SOURCES) \ + $(thread_analysis_SOURCES) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -231,9 +242,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -272,6 +281,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -291,16 +302,20 @@ bin2sql_SOURCES = bin2sql.c id2sql_SOURCES = id2sql.c key2keyid_SOURCES = key2keyid.c keyid2sql_SOURCES = keyid2sql.c +oid2der_SOURCES = oid2der.c thread_analysis_SOURCES = thread_analysis.c dh_speed_SOURCES = dh_speed.c pubkey_speed_SOURCES = pubkey_speed.c crypt_burn_SOURCES = crypt_burn.c +fetch_SOURCES = fetch.c id2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la key2keyid_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la keyid2sql_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +oid2der_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la dh_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt pubkey_speed_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la -lrt crypt_burn_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la +fetch_LDADD = $(top_builddir)/src/libstrongswan/libstrongswan.la all: all-am .SUFFIXES: @@ -356,6 +371,9 @@ crypt_burn$(EXEEXT): $(crypt_burn_OBJECTS) $(crypt_burn_DEPENDENCIES) dh_speed$(EXEEXT): $(dh_speed_OBJECTS) $(dh_speed_DEPENDENCIES) @rm -f dh_speed$(EXEEXT) $(LINK) $(dh_speed_OBJECTS) $(dh_speed_LDADD) $(LIBS) +fetch$(EXEEXT): $(fetch_OBJECTS) $(fetch_DEPENDENCIES) + @rm -f fetch$(EXEEXT) + $(LINK) $(fetch_OBJECTS) $(fetch_LDADD) $(LIBS) id2sql$(EXEEXT): $(id2sql_OBJECTS) $(id2sql_DEPENDENCIES) @rm -f id2sql$(EXEEXT) $(LINK) $(id2sql_OBJECTS) $(id2sql_LDADD) $(LIBS) @@ -365,6 +383,9 @@ key2keyid$(EXEEXT): $(key2keyid_OBJECTS) $(key2keyid_DEPENDENCIES) keyid2sql$(EXEEXT): $(keyid2sql_OBJECTS) $(keyid2sql_DEPENDENCIES) @rm -f keyid2sql$(EXEEXT) $(LINK) $(keyid2sql_OBJECTS) $(keyid2sql_LDADD) $(LIBS) +oid2der$(EXEEXT): $(oid2der_OBJECTS) $(oid2der_DEPENDENCIES) + @rm -f oid2der$(EXEEXT) + $(LINK) $(oid2der_OBJECTS) $(oid2der_LDADD) $(LIBS) pubkey_speed$(EXEEXT): $(pubkey_speed_OBJECTS) $(pubkey_speed_DEPENDENCIES) @rm -f pubkey_speed$(EXEEXT) $(LINK) $(pubkey_speed_OBJECTS) $(pubkey_speed_LDADD) $(LIBS) 
@@ -382,9 +403,11 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/bin2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/crypt_burn.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dh_speed.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fetch.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/id2sql.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/key2keyid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyid2sql.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/oid2der.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pubkey_speed.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/thread_analysis.Po@am__quote@ diff --git a/scripts/fetch.c b/scripts/fetch.c new file mode 100644 index 000000000..57abce4ca --- /dev/null +++ b/scripts/fetch.c @@ -0,0 +1,41 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include +#include + +#include +#include + +int main(int argc, char *argv[]) +{ + chunk_t res; + + library_init(NULL); + atexit(library_deinit); + lib->plugins->load(lib->plugins, NULL, PLUGINS); + + if (argc != 2) + { + fprintf(stderr, "usage: %s \n", argv[0]); + } + if (lib->fetcher->fetch(lib->fetcher, argv[1], &res, FETCH_END) == SUCCESS) + { + ignore_result(write(1, res.ptr, res.len)); + free(res.ptr); + return 0; + } + return 1; +} 
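Review bot: The `argc != 2` check in main() of the new scripts/fetch.c only prints the usage text and then falls through, so invoking `fetch` with no argument hands `argv[1]` (a NULL pointer) to `lib->fetcher->fetch()`; add `return 1;` after the `fprintf` — the `atexit(library_deinit)` registered above still runs on that path. The result of `write(1, ...)` is discarded through `ignore_result`, which is acceptable for a throw-away script but means a short write to stdout goes unnoticed; a loop on the returned count, or at least a non-zero exit when it differs from `res.len`, would make the tool usable in pipelines.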
diff --git a/scripts/oid2der.c b/scripts/oid2der.c new file mode 100644 index 000000000..0da3bbb62 --- /dev/null +++ b/scripts/oid2der.c @@ -0,0 +1,31 @@ + +#include +#include + +/** + * convert string OID to DER encoding + */ +int main(int argc, char *argv[]) +{ + int i, nr = 0; + chunk_t oid; + + while (argc > ++nr) + { + oid = asn1_oid_from_string(argv[nr]); + if (oid.len) + { + for (i = 0; i < oid.len; i++) + { + printf("0x%02x,", oid.ptr[i]); + } + printf("\n"); + free(oid.ptr); + } + else + { + return 1; + } + } + return 0; +} diff --git a/src/Makefile.am b/src/Makefile.am index 0edddc9fc..cd75de5e9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -16,8 +16,16 @@ if USE_TLS SUBDIRS += libtls endif +if USE_LIBCHARON + SUBDIRS += libcharon +endif + if USE_FILE_CONFIG - SUBDIRS += libfreeswan starter ipsec _copyright + SUBDIRS += libfreeswan starter +endif + +if USE_IPSEC_SCRIPT + SUBDIRS += ipsec _copyright endif if USE_PLUTO @@ -25,7 +33,7 @@ if USE_PLUTO endif if USE_CHARON - SUBDIRS += libcharon charon + SUBDIRS += charon endif if USE_STROKE @@ -40,6 +48,10 @@ if USE_TOOLS SUBDIRS += libfreeswan openac scepclient pki endif +if USE_CONFTEST + SUBDIRS += conftest +endif + if USE_DUMM SUBDIRS += dumm endif @@ -64,4 +76,4 @@ EXTRA_DIST = strongswan.conf install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true diff --git a/src/Makefile.in b/src/Makefile.in index cb688d795..63d29b694 100644 --- a/src/Makefile.in +++ b/src/Makefile.in 
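Review bot: When `asn1_oid_from_string` yields an empty chunk, the loop in the new scripts/oid2der.c returns 1 without saying which argument was rejected, and the OIDs converted before it have already been printed, so a caller passing several OIDs cannot tell from the output where the failure occurred; `fprintf(stderr, "invalid OID: %s\n", argv[nr]);` before the `return 1;` fixes that. The index `i` is a signed `int` compared against `oid.len`; declaring it `size_t i` avoids the sign-compare warning if `chunk_t.len` is unsigned, which this diff does not show. The program also exits 0 when run with no arguments at all; a usage line would match fetch.c added in the same commit.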
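Review bot: The `install-exec-local` rule in src/Makefile.am now installs strongswan.conf with `-m 640` but without the `-o ${ipsecuid} -g ${ipsecgid}` ownership the removed line set (consistent with configure dropping those variables elsewhere in this diff), so the file ends up owned by whoever runs `make install`, normally root:root; any strongSwan component that reads strongswan.conf after dropping privileges to `ipsecuser` would then fail to open it, which is worth confirming against how `library_init` loads settings since that code is not in this hunk. The trailing `|| true` also hides a failed install of the config, so a missing strongswan.conf only surfaces at daemon start. If the ownership is deliberately left to packagers, a comment such as `# installed root-owned 0640; packagers must adjust ownership if a component reads it unprivileged` would record that, and dropping `|| true` would make install failures visible.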
@@ -37,17 +37,20 @@ host_triplet = @host@ @USE_LIBHYDRA_TRUE@am__append_2 = libhydra @USE_SIMAKA_TRUE@am__append_3 = libsimaka @USE_TLS_TRUE@am__append_4 = libtls -@USE_FILE_CONFIG_TRUE@am__append_5 = libfreeswan starter ipsec _copyright -@USE_PLUTO_TRUE@am__append_6 = pluto whack -@USE_CHARON_TRUE@am__append_7 = libcharon charon -@USE_STROKE_TRUE@am__append_8 = stroke -@USE_UPDOWN_TRUE@am__append_9 = _updown _updown_espmark -@USE_TOOLS_TRUE@am__append_10 = libfreeswan openac scepclient pki -@USE_DUMM_TRUE@am__append_11 = dumm -@USE_FAST_TRUE@am__append_12 = libfast -@USE_MANAGER_TRUE@am__append_13 = manager -@USE_MEDSRV_TRUE@am__append_14 = medsrv -@USE_INTEGRITY_TEST_TRUE@am__append_15 = checksum +@USE_LIBCHARON_TRUE@am__append_5 = libcharon +@USE_FILE_CONFIG_TRUE@am__append_6 = libfreeswan starter +@USE_IPSEC_SCRIPT_TRUE@am__append_7 = ipsec _copyright +@USE_PLUTO_TRUE@am__append_8 = pluto whack +@USE_CHARON_TRUE@am__append_9 = charon +@USE_STROKE_TRUE@am__append_10 = stroke +@USE_UPDOWN_TRUE@am__append_11 = _updown _updown_espmark +@USE_TOOLS_TRUE@am__append_12 = libfreeswan openac scepclient pki +@USE_CONFTEST_TRUE@am__append_13 = conftest +@USE_DUMM_TRUE@am__append_14 = dumm +@USE_FAST_TRUE@am__append_15 = libfast +@USE_MANAGER_TRUE@am__append_16 = manager +@USE_MEDSRV_TRUE@am__append_17 = medsrv +@USE_INTEGRITY_TEST_TRUE@am__append_18 = checksum subdir = src DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 
@@ -82,9 +85,9 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ ETAGS = etags CTAGS = ctags DIST_SUBDIRS = . include libstrongswan libhydra libsimaka libtls \ - libfreeswan starter ipsec _copyright pluto whack libcharon \ + libcharon libfreeswan starter ipsec _copyright pluto whack \ charon stroke _updown _updown_espmark openac scepclient pki \ - dumm libfast manager medsrv checksum + conftest dumm libfast manager medsrv checksum DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -230,9 +233,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -271,6 +272,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -285,7 +288,8 @@ SUBDIRS = . include $(am__append_1) $(am__append_2) $(am__append_3) \ $(am__append_4) $(am__append_5) $(am__append_6) \ $(am__append_7) $(am__append_8) $(am__append_9) \ $(am__append_10) $(am__append_11) $(am__append_12) \ - $(am__append_13) $(am__append_14) $(am__append_15) + $(am__append_13) $(am__append_14) $(am__append_15) \ + $(am__append_16) $(am__append_17) $(am__append_18) EXTRA_DIST = strongswan.conf all: all-recursive 
@@ -636,7 +640,7 @@ uninstall-am: install-exec-local : test -e "$(DESTDIR)${sysconfdir}" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)" - test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true + test -e "$(DESTDIR)$(sysconfdir)/strongswan.conf" || $(INSTALL) -m 640 $(srcdir)/strongswan.conf $(DESTDIR)$(sysconfdir)/strongswan.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/_copyright/Makefile.am b/src/_copyright/Makefile.am index 33c4ffc23..405e08b3d 100644 --- a/src/_copyright/Makefile.am +++ b/src/_copyright/Makefile.am @@ -1,6 +1,5 @@ ipsec_PROGRAMS = _copyright _copyright_SOURCES = _copyright.c -dist_man8_MANS = _copyright.8 INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ diff --git a/src/_copyright/Makefile.in b/src/_copyright/Makefile.in index 58ebb523c..8d4ef733e 100644 --- a/src/_copyright/Makefile.in +++ b/src/_copyright/Makefile.in @@ -36,8 +36,7 @@ build_triplet = @build@ host_triplet = @host@ ipsec_PROGRAMS = _copyright$(EXEEXT) subdir = src/_copyright -DIST_COMMON = $(dist_man8_MANS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -53,7 +52,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am__copyright_OBJECTS = _copyright.$(OBJEXT) _copyright_OBJECTS = $(am__copyright_OBJECTS) 
@@ -75,30 +74,6 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(_copyright_SOURCES) DIST_SOURCES = $(_copyright_SOURCES) -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man8_MANS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -221,9 +196,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +235,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -273,7 +248,6 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ _copyright_SOURCES = _copyright.c -dist_man8_MANS = _copyright.8 INCLUDES = \ -I$(top_srcdir)/src/libfreeswan \ -I$(top_srcdir)/src/libstrongswan @@ -394,40 +368,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(dist_man8_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list='$(dist_man8_MANS)'; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ 
@@ -482,19 +422,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - @list='$(MANS)'; if test -n "$$list"; then \ - list=`for p in $$list; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ - if test -n "$$list" && \ - grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ - echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ - grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ - echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ - echo " typically \`make maintainer-clean' will remove them" >&2; \ - exit 1; \ - else :; fi; \ - else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -526,9 +453,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) +all-am: Makefile $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -579,7 +506,7 @@ info: info-am info-am: -install-data-am: install-ipsecPROGRAMS install-man +install-data-am: install-ipsecPROGRAMS install-dvi: install-dvi-am @@ -595,7 +522,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-pdf: install-pdf-am @@ -625,9 +552,7 @@ ps: ps-am ps-am: -uninstall-am: uninstall-ipsecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 +uninstall-am: uninstall-ipsecPROGRAMS .MAKE: install-am install-strip 
@@ -638,13 +563,12 @@ uninstall-man: uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-html \ install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ - uninstall-man uninstall-man8 + tags uninstall uninstall-am uninstall-ipsecPROGRAMS # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/src/_copyright/_copyright.8 b/src/_copyright/_copyright.8 deleted file mode 100644 index 99386254b..000000000 --- a/src/_copyright/_copyright.8 +++ /dev/null 
@@ -1,29 +0,0 @@ -.TH _COPYRIGHT 8 "25 Apr 2002" -.SH NAME -ipsec _copyright \- prints FreeSWAN copyright -.SH DESCRIPTION -.I _copyright -outputs the FreeSWAN copyright, and version numbers for "ipsec --copyright" -.SH "SEE ALSO" -ipsec(8) -.SH HISTORY -Man page written for the Linux FreeS/WAN project - -by Michael Richardson. Program written by Henry Spencer. -.\" -.\" $Log: _copyright.8,v $ -.\" Revision 1.1 2004/03/15 20:35:27 as -.\" added files from freeswan-2.04-x509-1.5.3 -.\" -.\" Revision 1.2 2002/04/29 22:39:31 mcr -.\" added basic man page for all internal commands. -.\" -.\" Revision 1.1 2002/04/26 01:21:43 mcr -.\" while tracking down a missing (not installed) /etc/ipsec.conf, -.\" MCR has decided that it is not okay for each program subdir to have -.\" some subset (determined with -f) of possible files. -.\" Each subdir that defines $PROGRAM, MUST have a PROGRAM.8 file as well as a PROGRAM file. -.\" Optional PROGRAM.5 files have been added to the makefiles. -.\" -.\" -.\" diff --git a/src/_updown/Makefile.in b/src/_updown/Makefile.in index 44c058d03..fa33bb570 100644 --- a/src/_updown/Makefile.in +++ b/src/_updown/Makefile.in @@ -200,9 +200,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -241,6 +239,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/_updown_espmark/Makefile.in b/src/_updown_espmark/Makefile.in index db44ee74e..a428db4e2 100644 --- a/src/_updown_espmark/Makefile.in +++ b/src/_updown_espmark/Makefile.in 
@@ -200,9 +200,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -241,6 +239,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/charon/Makefile.in b/src/charon/Makefile.in index 5a60af3d8..f502b0f25 100644 --- a/src/charon/Makefile.in +++ b/src/charon/Makefile.in @@ -199,9 +199,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -240,6 +238,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/charon/charon.c b/src/charon/charon.c index fd255e919..d1fff5bd9 100644 --- a/src/charon/charon.c +++ b/src/charon/charon.c @@ -26,6 +26,8 @@ #include #include #include +#include +#include #include #include #include @@ -42,6 +44,9 @@ #include #endif +#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ +#define LOG_AUTHPRIV LOG_AUTH +#endif /** * PID file, in which charon stores its process id 
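Review bot: The new `#define LOG_AUTHPRIV LOG_AUTH` fallback changes where audit records land on platforms without LOG_AUTHPRIV: that facility exists because `auth.*` output is commonly routed to a log readable by more than root, and elsewhere in this file the `LEVEL_AUDIT` sys_logger is created with `LOG_AUTHPRIV`. A comment on the `#define` stating the consequence would help whoever deploys there, e.g. `/* no LOG_AUTHPRIV here: audit output goes to LOG_AUTH, check syslog.conf permissions */`. Whether OpenSolaris's default syslog configuration actually exposes `auth.*` more widely is not something this diff shows, so this is a caveat to verify rather than a defect.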
@@ -268,6 +273,134 @@ static void unlink_pidfile() unlink(PID_FILE); } +/** + * Initialize logging + */ +static void initialize_loggers(bool use_stderr, level_t levels[]) +{ + sys_logger_t *sys_logger; + file_logger_t *file_logger; + enumerator_t *enumerator; + char *facility, *filename; + int loggers_defined = 0; + debug_t group; + level_t def; + bool append, ike_name; + FILE *file; + + /* setup sysloggers */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.syslog"); + while (enumerator->enumerate(enumerator, &facility)) + { + loggers_defined++; + + ike_name = lib->settings->get_bool(lib->settings, + "charon.syslog.%s.ike_name", FALSE, facility); + if (streq(facility, "daemon")) + { + sys_logger = sys_logger_create(LOG_DAEMON, ike_name); + } + else if (streq(facility, "auth")) + { + sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name); + } + else + { + continue; + } + def = lib->settings->get_int(lib->settings, + "charon.syslog.%s.default", 1, facility); + for (group = 0; group < DBG_MAX; group++) + { + sys_logger->set_level(sys_logger, group, + lib->settings->get_int(lib->settings, + "charon.syslog.%s.%N", def, + facility, debug_lower_names, group)); + } + charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger); + charon->bus->add_listener(charon->bus, &sys_logger->listener); + } + enumerator->destroy(enumerator); + + /* and file loggers */ + enumerator = lib->settings->create_section_enumerator(lib->settings, + "charon.filelog"); + while (enumerator->enumerate(enumerator, &filename)) + { + loggers_defined++; + if (streq(filename, "stderr")) + { + file = stderr; + } + else if (streq(filename, "stdout")) + { + file = stdout; + } + else + { + append = lib->settings->get_bool(lib->settings, + "charon.filelog.%s.append", TRUE, filename); + file = fopen(filename, append ? 
"a" : "w"); + if (file == NULL) + { + DBG1(DBG_DMN, "opening file %s for logging failed: %s", + filename, strerror(errno)); + continue; + } + if (lib->settings->get_bool(lib->settings, + "charon.filelog.%s.flush_line", FALSE, filename)) + { + setlinebuf(file); + } + } + file_logger = file_logger_create(file, + lib->settings->get_str(lib->settings, + "charon.filelog.%s.time_format", NULL, filename), + lib->settings->get_bool(lib->settings, + "charon.filelog.%s.ike_name", FALSE, filename)); + def = lib->settings->get_int(lib->settings, + "charon.filelog.%s.default", 1, filename); + for (group = 0; group < DBG_MAX; group++) + { + file_logger->set_level(file_logger, group, + lib->settings->get_int(lib->settings, + "charon.filelog.%s.%N", def, + filename, debug_lower_names, group)); + } + charon->file_loggers->insert_last(charon->file_loggers, file_logger); + charon->bus->add_listener(charon->bus, &file_logger->listener); + + } + enumerator->destroy(enumerator); + + /* set up legacy style default loggers provided via command-line */ + if (!loggers_defined) + { + /* set up default stdout file_logger */ + file_logger = file_logger_create(stdout, NULL, FALSE); + charon->bus->add_listener(charon->bus, &file_logger->listener); + charon->file_loggers->insert_last(charon->file_loggers, file_logger); + /* set up default daemon sys_logger */ + sys_logger = sys_logger_create(LOG_DAEMON, FALSE); + charon->bus->add_listener(charon->bus, &sys_logger->listener); + charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger); + for (group = 0; group < DBG_MAX; group++) + { + sys_logger->set_level(sys_logger, group, levels[group]); + if (use_stderr) + { + file_logger->set_level(file_logger, group, levels[group]); + } + } + + /* set up default auth sys_logger */ + sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE); + charon->bus->add_listener(charon->bus, &sys_logger->listener); + charon->sys_loggers->insert_last(charon->sys_loggers, sys_logger); + 
sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT); + } +} /** * print command line usage and exit @@ -395,8 +528,10 @@ int main(int argc, char *argv[]) goto deinit; } + initialize_loggers(!use_syslog, levels); + /* initialize daemon */ - if (!charon->initialize(charon, use_syslog, levels)) + if (!charon->initialize(charon)) { DBG1(DBG_DMN, "initialization failed - aborting charon"); goto deinit; diff --git a/src/checksum/Makefile.in b/src/checksum/Makefile.in index 61bfc1a9d..65aa91422 100644 --- a/src/checksum/Makefile.in +++ b/src/checksum/Makefile.in @@ -237,9 +237,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -278,6 +276,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/conftest/Makefile.am b/src/conftest/Makefile.am new file mode 100644 index 000000000..7eab0df27 --- /dev/null +++ b/src/conftest/Makefile.am 
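Review bot: In `initialize_loggers` the `loggers_defined++` runs before the facility is validated, so a strongswan.conf whose only `charon.syslog` section names anything other than `daemon` or `auth` is skipped via `continue` yet still counts as a configured logger, which suppresses the legacy default loggers and leaves the daemon with no logging at all; the `fopen` failure path in the `charon.filelog` loop has the same flaw, and its DBG1 about the failed open may have no listener to reach. Moving the increment after the `insert_last` calls fixes both, and the unknown-facility branch deserves an `fprintf(stderr, "unknown syslog facility '%s'\n", facility);` since no logger exists yet to carry a DBG1. Separately, `fopen(filename, append ? "a" : "w")` creates log files with the process umask while the per-group levels configurable here can write sensitive material; `open(filename, O_WRONLY|O_CREAT|(append ? O_APPEND : O_TRUNC), 0600)` followed by `fdopen` would make the default restrictive. The function lies fully within the hunk, but the `charon->initialize` signature it changes and the `levels[]` source are outside it.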
@@ -0,0 +1,26 @@ +ipsec_PROGRAMS = conftest + +AM_CFLAGS = -rdynamic + +conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \ + hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \ + hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \ + hooks/add_payload.c hooks/set_critical.c hooks/force_cookie.c \ + hooks/set_ike_version.c hooks/pretend_auth.c hooks/set_length.c \ + hooks/log_proposals.c hooks/set_proposal_number.c hooks/log_ke.c \ + hooks/log_id.c hooks/custom_proposal.c hooks/set_ike_spi.c \ + hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \ + hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c + +INCLUDES = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +conftest_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la \ + -lm $(PTHREADLIB) $(DLLIB) + +EXTRA_DIST = README diff --git a/src/conftest/Makefile.in b/src/conftest/Makefile.in new file mode 100644 index 000000000..1c07710e0 --- /dev/null +++ b/src/conftest/Makefile.in 
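Review bot: `AM_CFLAGS = -rdynamic` in the new src/conftest/Makefile.am places a link-time option among the compile flags; it only takes effect because automake's `LINK` also expands `$(AM_CFLAGS)`, and `AM_LDFLAGS = -rdynamic` is the conventional home for it. The flag exports every symbol of conftest for runtime resolution, presumably so plugins loaded through libstrongswan can call back into the binary, but nothing visible here says so; a one-line comment such as `# export conftest symbols for plugins loaded at runtime` would record the intent.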
@@ -0,0 +1,954 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +ipsec_PROGRAMS = conftest$(EXEEXT) +subdir = src/conftest +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = 
+am__installdirs = "$(DESTDIR)$(ipsecdir)" +PROGRAMS = $(ipsec_PROGRAMS) +am_conftest_OBJECTS = conftest.$(OBJEXT) config.$(OBJEXT) \ + actions.$(OBJEXT) ike_auth_fill.$(OBJEXT) \ + unsort_message.$(OBJEXT) add_notify.$(OBJEXT) \ + unencrypted_notify.$(OBJEXT) ignore_message.$(OBJEXT) \ + add_payload.$(OBJEXT) set_critical.$(OBJEXT) \ + force_cookie.$(OBJEXT) set_ike_version.$(OBJEXT) \ + pretend_auth.$(OBJEXT) set_length.$(OBJEXT) \ + log_proposals.$(OBJEXT) set_proposal_number.$(OBJEXT) \ + log_ke.$(OBJEXT) log_id.$(OBJEXT) custom_proposal.$(OBJEXT) \ + set_ike_spi.$(OBJEXT) set_ike_request.$(OBJEXT) \ + set_reserved.$(OBJEXT) set_ike_initiator.$(OBJEXT) \ + log_ts.$(OBJEXT) rebuild_auth.$(OBJEXT) reset_seq.$(OBJEXT) +conftest_OBJECTS = $(am_conftest_OBJECTS) +am__DEPENDENCIES_1 = +conftest_DEPENDENCIES = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la \ + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(conftest_SOURCES) +DIST_SOURCES = $(conftest_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ 
+CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = 
@build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = 
@xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +AM_CFLAGS = -rdynamic +conftest_SOURCES = conftest.c conftest.h config.c config.h actions.c actions.h \ + hooks/hook.h hooks/ike_auth_fill.c hooks/unsort_message.c \ + hooks/add_notify.c hooks/unencrypted_notify.c hooks/ignore_message.c \ + hooks/add_payload.c hooks/set_critical.c hooks/force_cookie.c \ + hooks/set_ike_version.c hooks/pretend_auth.c hooks/set_length.c \ + hooks/log_proposals.c hooks/set_proposal_number.c hooks/log_ke.c \ + hooks/log_id.c hooks/custom_proposal.c hooks/set_ike_spi.c \ + hooks/set_ike_request.c hooks/set_reserved.c hooks/set_ike_initiator.c \ + hooks/log_ts.c hooks/rebuild_auth.c hooks/reset_seq.c + +INCLUDES = \ + -I$(top_srcdir)/src/libstrongswan \ + -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon + +conftest_LDADD = \ + $(top_builddir)/src/libstrongswan/libstrongswan.la \ + $(top_builddir)/src/libhydra/libhydra.la \ + $(top_builddir)/src/libcharon/libcharon.la \ + -lm $(PTHREADLIB) $(DLLIB) + +EXTRA_DIST = README +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/conftest/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/conftest/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +install-ipsecPROGRAMS: $(ipsec_PROGRAMS) + @$(NORMAL_INSTALL) + test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" + @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ + for p in $$list; do echo "$$p $$p"; done | \ + sed 's/$(EXEEXT)$$//' | \ + while read p p1; do if test -f $$p || test -f $$p1; \ + then echo "$$p"; echo "$$p"; else :; fi; \ + done | \ + sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ + -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ + sed 'N;N;N;s,\n, ,g' | \ + $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ + { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ + if ($$2 == $$4) files[d] = files[d] " " $$1; \ + else { print "f", $$3 "/" $$4, $$1; } } \ + END { for (d in files) print "f", d, files[d] }' | \ + while read type dir files; do \ + if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ + test -z "$$files" || { \ + echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(ipsecdir)$$dir'"; \ + $(INSTALL_PROGRAM_ENV) $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(ipsecdir)$$dir" || exit $$?; \ + } \ + ; done + +uninstall-ipsecPROGRAMS: + @$(NORMAL_UNINSTALL) + @list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \ 
+ files=`for p in $$list; do echo "$$p"; done | \ + sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ + -e 's/$$/$(EXEEXT)/' `; \ + test -n "$$list" || exit 0; \ + echo " ( cd '$(DESTDIR)$(ipsecdir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(ipsecdir)" && rm -f $$files + +clean-ipsecPROGRAMS: + @list='$(ipsec_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list +conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) + @rm -f conftest$(EXEEXT) + $(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/actions.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/add_notify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/add_payload.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/config.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/conftest.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/custom_proposal.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/force_cookie.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ignore_message.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_auth_fill.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_id.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_ke.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_proposals.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log_ts.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pretend_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rebuild_auth.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/reset_seq.Po@am__quote@ 
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_critical.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_initiator.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_request.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_spi.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_ike_version.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_length.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_proposal_number.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/set_reserved.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unencrypted_notify.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/unsort_message.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +ike_auth_fill.o: 
hooks/ike_auth_fill.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.o -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ike_auth_fill.c' object='ike_auth_fill.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.o `test -f 'hooks/ike_auth_fill.c' || echo '$(srcdir)/'`hooks/ike_auth_fill.c + +ike_auth_fill.obj: hooks/ike_auth_fill.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ike_auth_fill.obj -MD -MP -MF $(DEPDIR)/ike_auth_fill.Tpo -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ike_auth_fill.Tpo $(DEPDIR)/ike_auth_fill.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ike_auth_fill.c' object='ike_auth_fill.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ike_auth_fill.obj `if test -f 'hooks/ike_auth_fill.c'; then $(CYGPATH_W) 'hooks/ike_auth_fill.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ike_auth_fill.c'; fi` + +unsort_message.o: hooks/unsort_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.o -MD -MP -MF 
$(DEPDIR)/unsort_message.Tpo -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unsort_message.c' object='unsort_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.o `test -f 'hooks/unsort_message.c' || echo '$(srcdir)/'`hooks/unsort_message.c + +unsort_message.obj: hooks/unsort_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unsort_message.obj -MD -MP -MF $(DEPDIR)/unsort_message.Tpo -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unsort_message.Tpo $(DEPDIR)/unsort_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unsort_message.c' object='unsort_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unsort_message.obj `if test -f 'hooks/unsort_message.c'; then $(CYGPATH_W) 'hooks/unsort_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unsort_message.c'; fi` + +add_notify.o: hooks/add_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.o -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_notify.Tpo 
$(DEPDIR)/add_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_notify.c' object='add_notify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.o `test -f 'hooks/add_notify.c' || echo '$(srcdir)/'`hooks/add_notify.c + +add_notify.obj: hooks/add_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_notify.obj -MD -MP -MF $(DEPDIR)/add_notify.Tpo -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_notify.Tpo $(DEPDIR)/add_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_notify.c' object='add_notify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_notify.obj `if test -f 'hooks/add_notify.c'; then $(CYGPATH_W) 'hooks/add_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_notify.c'; fi` + +unencrypted_notify.o: hooks/unencrypted_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.o -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unencrypted_notify.c' object='unencrypted_notify.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.o `test -f 'hooks/unencrypted_notify.c' || echo '$(srcdir)/'`hooks/unencrypted_notify.c + +unencrypted_notify.obj: hooks/unencrypted_notify.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT unencrypted_notify.obj -MD -MP -MF $(DEPDIR)/unencrypted_notify.Tpo -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/unencrypted_notify.Tpo $(DEPDIR)/unencrypted_notify.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/unencrypted_notify.c' object='unencrypted_notify.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o unencrypted_notify.obj `if test -f 'hooks/unencrypted_notify.c'; then $(CYGPATH_W) 'hooks/unencrypted_notify.c'; else $(CYGPATH_W) '$(srcdir)/hooks/unencrypted_notify.c'; fi` + +ignore_message.o: hooks/ignore_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.o -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ignore_message.c' object='ignore_message.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.o `test -f 'hooks/ignore_message.c' || echo '$(srcdir)/'`hooks/ignore_message.c + +ignore_message.obj: hooks/ignore_message.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT ignore_message.obj -MD -MP -MF $(DEPDIR)/ignore_message.Tpo -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/ignore_message.Tpo $(DEPDIR)/ignore_message.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/ignore_message.c' object='ignore_message.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o ignore_message.obj `if test -f 'hooks/ignore_message.c'; then $(CYGPATH_W) 'hooks/ignore_message.c'; else $(CYGPATH_W) '$(srcdir)/hooks/ignore_message.c'; fi` + +add_payload.o: hooks/add_payload.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.o -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_payload.c' object='add_payload.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.o `test -f 'hooks/add_payload.c' || echo '$(srcdir)/'`hooks/add_payload.c + +add_payload.obj: hooks/add_payload.c 
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT add_payload.obj -MD -MP -MF $(DEPDIR)/add_payload.Tpo -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/add_payload.Tpo $(DEPDIR)/add_payload.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/add_payload.c' object='add_payload.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o add_payload.obj `if test -f 'hooks/add_payload.c'; then $(CYGPATH_W) 'hooks/add_payload.c'; else $(CYGPATH_W) '$(srcdir)/hooks/add_payload.c'; fi` + +set_critical.o: hooks/set_critical.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.o -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_critical.c' object='set_critical.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.o `test -f 'hooks/set_critical.c' || echo '$(srcdir)/'`hooks/set_critical.c + +set_critical.obj: hooks/set_critical.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_critical.obj -MD -MP -MF $(DEPDIR)/set_critical.Tpo -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then 
$(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_critical.Tpo $(DEPDIR)/set_critical.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_critical.c' object='set_critical.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_critical.obj `if test -f 'hooks/set_critical.c'; then $(CYGPATH_W) 'hooks/set_critical.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_critical.c'; fi` + +force_cookie.o: hooks/force_cookie.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.o -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/force_cookie.c' object='force_cookie.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.o `test -f 'hooks/force_cookie.c' || echo '$(srcdir)/'`hooks/force_cookie.c + +force_cookie.obj: hooks/force_cookie.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT force_cookie.obj -MD -MP -MF $(DEPDIR)/force_cookie.Tpo -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/force_cookie.Tpo $(DEPDIR)/force_cookie.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='hooks/force_cookie.c' object='force_cookie.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o force_cookie.obj `if test -f 'hooks/force_cookie.c'; then $(CYGPATH_W) 'hooks/force_cookie.c'; else $(CYGPATH_W) '$(srcdir)/hooks/force_cookie.c'; fi` + +set_ike_version.o: hooks/set_ike_version.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.o -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_version.c' object='set_ike_version.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.o `test -f 'hooks/set_ike_version.c' || echo '$(srcdir)/'`hooks/set_ike_version.c + +set_ike_version.obj: hooks/set_ike_version.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_version.obj -MD -MP -MF $(DEPDIR)/set_ike_version.Tpo -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_version.Tpo $(DEPDIR)/set_ike_version.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_version.c' object='set_ike_version.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) 
$(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_version.obj `if test -f 'hooks/set_ike_version.c'; then $(CYGPATH_W) 'hooks/set_ike_version.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_version.c'; fi` + +pretend_auth.o: hooks/pretend_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.o -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/pretend_auth.c' object='pretend_auth.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.o `test -f 'hooks/pretend_auth.c' || echo '$(srcdir)/'`hooks/pretend_auth.c + +pretend_auth.obj: hooks/pretend_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pretend_auth.obj -MD -MP -MF $(DEPDIR)/pretend_auth.Tpo -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then $(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pretend_auth.Tpo $(DEPDIR)/pretend_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/pretend_auth.c' object='pretend_auth.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pretend_auth.obj `if test -f 'hooks/pretend_auth.c'; then 
$(CYGPATH_W) 'hooks/pretend_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/pretend_auth.c'; fi` + +set_length.o: hooks/set_length.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.o -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_length.c' object='set_length.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.o `test -f 'hooks/set_length.c' || echo '$(srcdir)/'`hooks/set_length.c + +set_length.obj: hooks/set_length.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_length.obj -MD -MP -MF $(DEPDIR)/set_length.Tpo -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_length.Tpo $(DEPDIR)/set_length.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_length.c' object='set_length.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_length.obj `if test -f 'hooks/set_length.c'; then $(CYGPATH_W) 'hooks/set_length.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_length.c'; fi` + +log_proposals.o: hooks/log_proposals.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.o -MD -MP -MF 
$(DEPDIR)/log_proposals.Tpo -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_proposals.c' object='log_proposals.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.o `test -f 'hooks/log_proposals.c' || echo '$(srcdir)/'`hooks/log_proposals.c + +log_proposals.obj: hooks/log_proposals.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_proposals.obj -MD -MP -MF $(DEPDIR)/log_proposals.Tpo -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_proposals.Tpo $(DEPDIR)/log_proposals.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_proposals.c' object='log_proposals.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_proposals.obj `if test -f 'hooks/log_proposals.c'; then $(CYGPATH_W) 'hooks/log_proposals.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_proposals.c'; fi` + +set_proposal_number.o: hooks/set_proposal_number.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.o -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c +@am__fastdepCC_TRUE@ $(am__mv) 
$(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_proposal_number.c' object='set_proposal_number.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.o `test -f 'hooks/set_proposal_number.c' || echo '$(srcdir)/'`hooks/set_proposal_number.c + +set_proposal_number.obj: hooks/set_proposal_number.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_proposal_number.obj -MD -MP -MF $(DEPDIR)/set_proposal_number.Tpo -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_proposal_number.Tpo $(DEPDIR)/set_proposal_number.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_proposal_number.c' object='set_proposal_number.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_proposal_number.obj `if test -f 'hooks/set_proposal_number.c'; then $(CYGPATH_W) 'hooks/set_proposal_number.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_proposal_number.c'; fi` + +log_ke.o: hooks/log_ke.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.o -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ke.c' 
object='log_ke.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.o `test -f 'hooks/log_ke.c' || echo '$(srcdir)/'`hooks/log_ke.c + +log_ke.obj: hooks/log_ke.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ke.obj -MD -MP -MF $(DEPDIR)/log_ke.Tpo -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ke.Tpo $(DEPDIR)/log_ke.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ke.c' object='log_ke.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ke.obj `if test -f 'hooks/log_ke.c'; then $(CYGPATH_W) 'hooks/log_ke.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ke.c'; fi` + +log_id.o: hooks/log_id.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.o -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_id.c' object='log_id.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.o `test -f 'hooks/log_id.c' || echo '$(srcdir)/'`hooks/log_id.c + +log_id.obj: hooks/log_id.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_id.obj -MD -MP -MF $(DEPDIR)/log_id.Tpo -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_id.Tpo $(DEPDIR)/log_id.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_id.c' object='log_id.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_id.obj `if test -f 'hooks/log_id.c'; then $(CYGPATH_W) 'hooks/log_id.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_id.c'; fi` + +custom_proposal.o: hooks/custom_proposal.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.o -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/custom_proposal.c' object='custom_proposal.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.o `test -f 'hooks/custom_proposal.c' || echo '$(srcdir)/'`hooks/custom_proposal.c + +custom_proposal.obj: hooks/custom_proposal.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT custom_proposal.obj -MD -MP -MF $(DEPDIR)/custom_proposal.Tpo -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else 
$(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/custom_proposal.Tpo $(DEPDIR)/custom_proposal.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/custom_proposal.c' object='custom_proposal.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o custom_proposal.obj `if test -f 'hooks/custom_proposal.c'; then $(CYGPATH_W) 'hooks/custom_proposal.c'; else $(CYGPATH_W) '$(srcdir)/hooks/custom_proposal.c'; fi` + +set_ike_spi.o: hooks/set_ike_spi.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.o -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_spi.c' object='set_ike_spi.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.o `test -f 'hooks/set_ike_spi.c' || echo '$(srcdir)/'`hooks/set_ike_spi.c + +set_ike_spi.obj: hooks/set_ike_spi.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_spi.obj -MD -MP -MF $(DEPDIR)/set_ike_spi.Tpo -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_spi.Tpo $(DEPDIR)/set_ike_spi.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_spi.c' object='set_ike_spi.obj' 
libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_spi.obj `if test -f 'hooks/set_ike_spi.c'; then $(CYGPATH_W) 'hooks/set_ike_spi.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_spi.c'; fi` + +set_ike_request.o: hooks/set_ike_request.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.o -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_request.c' object='set_ike_request.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.o `test -f 'hooks/set_ike_request.c' || echo '$(srcdir)/'`hooks/set_ike_request.c + +set_ike_request.obj: hooks/set_ike_request.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_request.obj -MD -MP -MF $(DEPDIR)/set_ike_request.Tpo -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_request.Tpo $(DEPDIR)/set_ike_request.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_request.c' object='set_ike_request.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_request.obj `if test -f 'hooks/set_ike_request.c'; then $(CYGPATH_W) 'hooks/set_ike_request.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_request.c'; fi` + +set_reserved.o: hooks/set_reserved.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.o -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_reserved.c' object='set_reserved.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.o `test -f 'hooks/set_reserved.c' || echo '$(srcdir)/'`hooks/set_reserved.c + +set_reserved.obj: hooks/set_reserved.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_reserved.obj -MD -MP -MF $(DEPDIR)/set_reserved.Tpo -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_reserved.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_reserved.Tpo $(DEPDIR)/set_reserved.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_reserved.c' object='set_reserved.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_reserved.obj `if test -f 'hooks/set_reserved.c'; then $(CYGPATH_W) 'hooks/set_reserved.c'; else $(CYGPATH_W) 
'$(srcdir)/hooks/set_reserved.c'; fi` + +set_ike_initiator.o: hooks/set_ike_initiator.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.o -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_initiator.c' object='set_ike_initiator.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.o `test -f 'hooks/set_ike_initiator.c' || echo '$(srcdir)/'`hooks/set_ike_initiator.c + +set_ike_initiator.obj: hooks/set_ike_initiator.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT set_ike_initiator.obj -MD -MP -MF $(DEPDIR)/set_ike_initiator.Tpo -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/set_ike_initiator.Tpo $(DEPDIR)/set_ike_initiator.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/set_ike_initiator.c' object='set_ike_initiator.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o set_ike_initiator.obj `if test -f 'hooks/set_ike_initiator.c'; then $(CYGPATH_W) 'hooks/set_ike_initiator.c'; else $(CYGPATH_W) '$(srcdir)/hooks/set_ike_initiator.c'; fi` + +log_ts.o: hooks/log_ts.c 
+@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.o -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ts.c' object='log_ts.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.o `test -f 'hooks/log_ts.c' || echo '$(srcdir)/'`hooks/log_ts.c + +log_ts.obj: hooks/log_ts.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT log_ts.obj -MD -MP -MF $(DEPDIR)/log_ts.Tpo -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/log_ts.Tpo $(DEPDIR)/log_ts.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/log_ts.c' object='log_ts.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o log_ts.obj `if test -f 'hooks/log_ts.c'; then $(CYGPATH_W) 'hooks/log_ts.c'; else $(CYGPATH_W) '$(srcdir)/hooks/log_ts.c'; fi` + +rebuild_auth.o: hooks/rebuild_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.o -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='hooks/rebuild_auth.c' object='rebuild_auth.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.o `test -f 'hooks/rebuild_auth.c' || echo '$(srcdir)/'`hooks/rebuild_auth.c + +rebuild_auth.obj: hooks/rebuild_auth.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT rebuild_auth.obj -MD -MP -MF $(DEPDIR)/rebuild_auth.Tpo -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/rebuild_auth.Tpo $(DEPDIR)/rebuild_auth.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/rebuild_auth.c' object='rebuild_auth.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o rebuild_auth.obj `if test -f 'hooks/rebuild_auth.c'; then $(CYGPATH_W) 'hooks/rebuild_auth.c'; else $(CYGPATH_W) '$(srcdir)/hooks/rebuild_auth.c'; fi` + +reset_seq.o: hooks/reset_seq.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.o -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/reset_seq.c' object='reset_seq.o' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.o `test -f 'hooks/reset_seq.c' || echo '$(srcdir)/'`hooks/reset_seq.c + +reset_seq.obj: hooks/reset_seq.c +@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT reset_seq.obj -MD -MP -MF $(DEPDIR)/reset_seq.Tpo -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/reset_seq.Tpo $(DEPDIR)/reset_seq.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='hooks/reset_seq.c' object='reset_seq.obj' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o reset_seq.obj `if test -f 'hooks/reset_seq.c'; then $(CYGPATH_W) 'hooks/reset_seq.c'; else $(CYGPATH_W) '$(srcdir)/hooks/reset_seq.c'; fi` + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) 
$(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(PROGRAMS) +installdirs: + for dir in "$(DESTDIR)$(ipsecdir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-ipsecPROGRAMS clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-ipsecPROGRAMS + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-ipsecPROGRAMS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-ipsecPROGRAMS clean-libtool ctags distclean \ + distclean-compile distclean-generic distclean-libtool \ + distclean-tags distdir dvi dvi-am html html-am info info-am \ + install install-am install-data install-data-am install-dvi \ + install-dvi-am install-exec install-exec-am install-html \ + install-html-am install-info install-info-am \ + install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + tags uninstall uninstall-am uninstall-ipsecPROGRAMS + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: 
diff --git a/src/conftest/README b/src/conftest/README new file mode 100644 index 000000000..e2156921f --- /dev/null +++ b/src/conftest/README 
@@ -0,0 +1,315 @@
+
+
+ conftest - an IKEv2 conformance testing framework
+ =================================================
+
+
+1. Introduction
+---------------
+
+conftest is a conformance testing framework for IKEv2 and related protocols,
+based on the strongSwan IKEv2 daemon charon. It uses a specialized configuration
+and control front-end, but links against the mainstream strongSwan IKEv2 stack.
+
+The conftest framework can test other implementations of IKEv2 and related
+standards. It can inject or mangle packets to test the behavior of other
+implementations under certain conditions.
+
+2. Test suites
+--------------
+
+The framework can use different sets of conformance tests, called test suites.
+Each test suite contains a global suite configuration file, usually named
+suite.conf. It contains the global settings for all tests in this suite, mostly
+credentials and connection definitions.
+
+A test suite consists of several test cases. Each test has its own configuration
+file, often called test.conf. The test configuration file may contain test
+specific credentials and connection definitions, but primarily defines actions
+and hooks. Actions trigger certain protocol specific operations, such as
+initiating or terminating a tunnel. Hooks are used to change the behavior of
+the IKE stack, most likely to stress some factors of the IKE protocol and
+provoke unintended behavior in the tested platform.
+
+3. Configuration syntax
+-----------------------
+
+Both the suite and the test specific configuration file use the same syntax.
+It is the same as used by the strongswan.conf file used to configure the
+strongSwan software suite.
+
+The syntax is as follows:
+
+ settings := (section|keyvalue)*
+ section := name { settings }
+ keyvalue := key = value\n
+
+Settings contain zero or more sub-sections or key/value pairs. A section
+consists of a name, followed by curly open and close brackets. The value in the
+key/value pair starts after the equal sign and is terminated by the end of the
+line.
+
+The test specific configuration is merged to the suite configuration, resulting
+in a unified configuration. Sections are merged, keys in the test configuration
+overwrite existing identical keys in the suite configuration.
+
+4. Logging
+----------
+
+Logging verbosity can be controlled in the log section of a suite/test
+configuration. The stdout subsection takes logging facility/verbosity key
+value pairs, the different facility types are defined in debug_lower_names at
+src/libstrongswan/debug.c.
+Any other sub-section in the log section is considered as a file name to log
+to. Each section takes the same facility/verbosity keys as the special stdout
+section.
+
+5. Connections
+--------------
+
+Both the suite and test configuration may contain connection definitions under
+the configs section. Each IKE_SA configuration has a sub-section. Each IKE_SA
+sub-section contains one or more CHILD_SA configuration sub-sections:
+
+configs {
+ ike-a {
+ # ... ike options
+ child-a1 {
+ # ... child options
+ }
+ child-a2 {
+ # ...
+ }
+ }
+}
+
+Configuration names can be chosen arbitrary, but should be unique within the
+same file.
+
+The IKE_SA configuration uses the following options (as key/value pairs):
+
+ lhost: Address (IP or Hostname) of this host
+ rhost: Address (IP or Hostname) of tested host
+ lid: IKEv2 identifier of this host
+ rid: IKEv2 identifier of tested host
+ proposal: IKE_SA proposal list, comma separated, e.g.:
+ aes128-sha1-modp2048,3des-md5-sha1-modp1024-modp1536
+ Supported algorithm names are defined under
+ src/libstrongswan/crypt/proposal/proposal_keywords.txt
+ fake_nat: Fake the NAT_DETECTION_*_IP payloads to simulate a NAT
+ scenario
+ rsa_strength: connection requires a trustchain with RSA keys of given bits
+ ecdsa_strength: connection requires a trustchain with ECDSA keys of given bits
+ cert_policy: connection requries a certificate with the given OID policy
+
+The following CHILD_SA specific configuration options are supported:
+
+ lts: Local side traffic selectors, comma separated CIDR subnets
+ rts: Remote side traffic selectors, comma separated CIDR subnets
+ transport: Propose IPsec transport mode instead of tunnel mode
+ tfc_padding: Inject Traffic Flow Confidentialty bytes to align packets to the
+ given length
+
+6. Credentials
+--------------
+
+Credentials may be defined globally in the suite or locally in the test specific
+configuration file. Certificates files are defined in the certs section, either
+in the trusted or in the untrusted section. Trusted certificates are trust
+anchors, usually root CA certificates. Untrusted certificates do not build a
+trust anchor and usually contain intermediate or end entity certificates.
+
+Certificates files are loaded relative to the configuration file path and may
+be encoded either in plain ASN.1 DER or in PEM format. The prefix of the
+key/value pair is used to specify the type of the certificate, usually x509 or
+crl.
+
+Private keys can be defined in the suite or test config file under the keys
+section. The prefix of the key/value pair must be either rsa or ecdsa, the
+specified file may be encoded in ASN.1 DER or unencrypted PEM.
+
+certs {
+ trusted {
+ x509-a-ca = ca.pem
+ }
+ untrusted {
+ x509-me = /path/to/cert.pem
+ crl-from-ca = /path/to/crl.pem
+ }
+}
+keys {
+ ecdsa-me = /path/to/key.pem
+}
+
+7. Actions
+----------
+
+The actions section in the test specific configuration file defines
+the IKEv2 protocol actions to trigger. Currently, the following actions
+are supported and take these arguments (as key/value pairs):
+
+ initiate: Initiate an IKE- and CHILD_SA
+ config: name of the CHILD_SA configuration to initiate
+ delay: Delay to trigger action after startup
+ rekey_ike: Rekey an IKE_SA
+ config: name of originating IKE_SA configuration
+ delay: Delay to trigger action after startup
+ rekey_child: Rekey an CHILD_SA
+ config: name of originating CHILD_SA configuration
+ delay: Delay to trigger action after startup
+ liveness: Do a liveness check (DPD) on the IKE_SA
+ config: name of originating IKE_SA configuration
+ delay: Delay to trigger action after startup
+ close_ike: Close an IKE_SA
+ config: name of originating IKE_SA configuration
+ delay: Delay to trigger action after startup
+ close_child: Close a CHILD_SA
+ config: name of originating IKE_SA configuration
+ delay: Delay to trigger action after startup
+
+To trigger the same action multiple times, the action sections must be named
+uniquely. Append an arbitrary string to the action name. The following example
+initiates a connection and rekeys it twice:
+
+actions {
+ initiate {
+ config = child-a1
+ }
+ rekey_ike-1 {
+ config = ike-a
+ delay = 3
+ }
+ rekey_ike-2 {
+ config = ike-a
+ delay = 6
+ }
+}
+
+8. Hooks
+--------
+
+The hooks section section in the test configuration defines different hooks
+to use to mangle packets or trigger other protocol modifications. These
+hook functions are implemented in the hooks folder of conftest.
+
+Currently, the following hooks are defined with the following options:
+
+ add_notify: Add a notify to a message
+ request: yes to include in request, no in response
+ id: IKEv2 message identifier of message to add notify
+ type: notify type to add, names defined in notify_type_names
+ under src/libcharon/encoding/payloads/notify_payload.c
+ data: notification data to add, prepend 0x to interpret the
+ string as hex string
+ spi: SPI to use in notify
+ esp: yes to send an ESP protocol notify, no for IKE
+ add_payload: Add an arbitrary payload to a message
+ request: yes to include in request, no in response
+ id: IKEv2 message identifier of message to add payload
+ type: type of the payload to add, names defined in
+ payload_type_short_names in payload.c
+ data: data to append after generic payload header, use 0x
+ prefix for hex encoded data
+ critical: yes to set payload critical bit
+ replace: yes to replace an existing payload of the same type
+ custom_proposal: set a custom proposal value in the SA payload
+ request: yes to include in request, no in response
+ id: IKEv2 message identifier of message to add notify
+ The hook takes subsections with numerical names, each
+ defining a proposal substructure. The substructure
+ takes key/value pairs, where key defines the type, value
+ the specific algorithm.
+ force_cookie: Reject IKE_SA_INIT requests with a COOKIE
+ ignore_message: Ignore a specific message, simulating packet loss
+ inbound: yes to ignore incoming, no for outgoing messages
+ request: yes to ignore requests, no for responses
+ id: IKEv2 message identifier of message to ignore
+ ike_auth_fill: Fill up IKE_AUTH message to a given size using a CERT
+ payload.
+ request: yes to fill requests messages, no for responses
+ id: IKEv2 message identifier of message to fill up
+ bytes: number of bytes the final IKE_AUTH message should have
+ log_id: Comfortably log received ID payload contents
+ log_ke: Comfortably log received KE payload DH groups
+ log_proposal: Comfortably log all proposals received in SA payloads
+ log_ts: Comfortably log all received TS payloads
+ pretend_auth: magically reconstruct IKE_AUTH response even if
+ AUTHENTICATION_FAILED received
+ rebuild_auth: rebuild AUTH payload, i.e. if ID payload changed
+ reset_seq: Reset sequence numbers of an ESP SA
+ delay: Seconds to delay reset after SA established
+ set_critical: Set critical bit on existing payloads:
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle payloads
+ payloads: space separated payload list to set critical bit on
+ set_ike_initiator: toggle IKE initiator flag in IKE header
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ set_ike_request: toggle IKE request flag in IKE header
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ set_ike_spi: set the IKE SPIs in IKE header
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ spii: initiator SPI to set (as decimal integer)
+ spir: responder SPI to set
+ set_ike_version: set version fields in IKE header
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ major: major version to set
+ minor: minor version to set
+ higher: yes to set Higher Version Supported flag
+ set_length: set the length in a payload header
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ type: payload type to mangle
+ diff: difference to add/remove from real length (+1,-3 etc.)
+ set_proposal_number:Change the number of a proposal in a SA payload
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ from: proposal number to mangle
+ to: new porposal number to set instead of from
+ set_reserved: set arbitrary reserved bits/bytes in payloads
+ request: yes to set in request, no in response
+ id: IKEv2 message identifier of message to mangle
+ The hook takes a list of subsection, each named as payload
+ type. Each section takes a bits and a bytes key, the
+ value is a comma separated list of decimal numbers of
+ bits/bytes to mangle (1 is the first reserved bit/byte
+ in the payload). The byteval key defines to which value
+ set mangled bytes in the byte list.
+ unencrypted_notify: Send an unencrypted message with a notify after
+ establishing an IKE_SA
+ id: IKEv2 message identifier of message to send
+ type: notify type to add, names defined in notify_type_names
+ under src/libcharon/encoding/payloads/notify_payload.c
+ data: notification data to add, prepend 0x to interpret the
+ string as hex string
+ spi: SPI to use in notify
+ esp: yes to send an ESP protocol notify, no for IKE
+ unsort_message: reorder the payloads in a message
+ request: yes to reorder requests messages, no for responses
+ id: IKEv2 message identifier of message to reorder
+ order: payload order, space separated payload names as defined
+ in payload_type_short_names under
+ src/libcharon/encoding/payloads/payload.c
+
+9. Invoking
+-----------
+
+Compile time options required depend on the test suite. A minimalistic
+strongSwan build with the OpenSSL crypto backend can be configured with:
+
+./configure --sysconfdir=/etc --disable-pluto --disable-scripts \
+ --disable-tools --disable-aes --disable-des --disable-md5 \
+ --disable-sha1 --disable-sha2 --disable-fips-prf --disable-gmp \
+ --disable-pubkey --disable-pgp --disable-dnskey --disable-updown \
+ --disable-attr --disable-resolve --enable-openssl --enable-conftest \
+ --enable-gcm --enable-ccm --enable-ctr
+
+The conftest utility is installed by default under /usr/local/libexec/ipsec/,
+but can be invoked with the ipsec helper script. It takes a suite specific
+configuration file after the --suite option and a test specific file with
+the --test option:
+
+ ipsec conftest --suite suite.conf --test 1.1.1/test.conf
diff --git a/src/conftest/actions.c b/src/conftest/actions.c
new file mode 100644
index 000000000..e66e9d7f1
--- /dev/null
+++ b/src/conftest/actions.c
@@ -0,0 +1,339 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "actions.h" +#include "conftest.h" + +#include +#include +#include +#include +#include + +typedef struct private_actions_t private_actions_t; + +/** + * Private data of an actions_t object. + */ +struct private_actions_t { + + /** + * Public actions_t interface. + */ + actions_t public; +}; + +/** + * Initiate a CHILD_SA + */ +static job_requeue_t initiate(char *config) +{ + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg = NULL, *current; + enumerator_t *enumerator; + + peer_cfg = charon->backends->get_peer_cfg_by_name(charon->backends, config); + if (!peer_cfg) + { + DBG1(DBG_CFG, "initiating '%s' failed, config not found", config); + return JOB_REQUEUE_NONE; + } + enumerator = peer_cfg->create_child_cfg_enumerator(peer_cfg); + while (enumerator->enumerate(enumerator, ¤t)) + { + if (streq(current->get_name(current), config)) + { + child_cfg = current; + child_cfg->get_ref(child_cfg); + break; + } + } + enumerator->destroy(enumerator); + if (child_cfg) + { + DBG1(DBG_CFG, "initiating IKE_SA for CHILD_SA config '%s'", config); + charon->controller->initiate(charon->controller, peer_cfg, child_cfg, + NULL, NULL); + } + else + { + DBG1(DBG_CFG, "initiating '%s' failed, CHILD_SA config not found", + config); + } + + return JOB_REQUEUE_NONE; +} + +/** + * Rekey an IKE_SA + */ +static job_requeue_t rekey_ike(char *config) +{ + enumerator_t *enumerator; + 
job_t *job = NULL; + ike_sa_t *ike_sa; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (strcaseeq(config, ike_sa->get_name(ike_sa))) + { + job = (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE); + break; + } + } + enumerator->destroy(enumerator); + + if (job) + { + DBG1(DBG_CFG, "starting rekey of IKE_SA '%s'", config); + lib->processor->queue_job(lib->processor, job); + } + else + { + DBG1(DBG_CFG, "rekeying '%s' failed, IKE_SA not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Rekey an CHILD_SA + */ +static job_requeue_t rekey_child(char *config) +{ + enumerator_t *enumerator; + iterator_t *children; + ike_sa_t *ike_sa; + child_sa_t *child_sa; + u_int32_t reqid = 0, spi = 0; + protocol_id_t proto = PROTO_ESP; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if (streq(config, child_sa->get_name(child_sa))) + { + reqid = child_sa->get_reqid(child_sa); + proto = child_sa->get_protocol(child_sa); + spi = child_sa->get_spi(child_sa, TRUE); + break; + } + } + children->destroy(children); + } + enumerator->destroy(enumerator); + if (reqid) + { + DBG1(DBG_CFG, "starting rekey of CHILD_SA '%s'", config); + lib->processor->queue_job(lib->processor, + (job_t*)rekey_child_sa_job_create(reqid, proto, spi)); + } + else + { + DBG1(DBG_CFG, "rekeying '%s' failed, CHILD_SA not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Do a liveness check + */ +static job_requeue_t liveness(char *config) +{ + enumerator_t *enumerator; + job_t *job = NULL; + ike_sa_t *ike_sa; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (strcaseeq(config, 
ike_sa->get_name(ike_sa))) + { + job = (job_t*)send_dpd_job_create(ike_sa->get_id(ike_sa)); + break; + } + } + enumerator->destroy(enumerator); + + if (job) + { + DBG1(DBG_CFG, "starting liveness check of IKE_SA '%s'", config); + lib->processor->queue_job(lib->processor, job); + } + else + { + DBG1(DBG_CFG, "liveness check for '%s' failed, IKE_SA not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Close an IKE_SA with all CHILD_SAs + */ +static job_requeue_t close_ike(char *config) +{ + enumerator_t *enumerator; + ike_sa_t *ike_sa; + int id = 0; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + if (strcaseeq(config, ike_sa->get_name(ike_sa))) + { + id = ike_sa->get_unique_id(ike_sa); + break; + } + } + enumerator->destroy(enumerator); + if (id) + { + DBG1(DBG_CFG, "closing IKE_SA '%s'", config); + charon->controller->terminate_ike(charon->controller, id, NULL, NULL); + } + else + { + DBG1(DBG_CFG, "unable to close IKE_SA '%s', not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** + * Close a CHILD_SAs + */ +static job_requeue_t close_child(char *config) +{ + enumerator_t *enumerator; + iterator_t *children; + ike_sa_t *ike_sa; + child_sa_t *child_sa; + int id = 0; + + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if (streq(config, child_sa->get_name(child_sa))) + { + id = child_sa->get_reqid(child_sa); + break; + } + } + children->destroy(children); + } + enumerator->destroy(enumerator); + if (id) + { + DBG1(DBG_CFG, "closing CHILD_SA '%s'", config); + charon->controller->terminate_child(charon->controller, id, NULL, NULL); + } + else + { + DBG1(DBG_CFG, "unable to close CHILD_SA '%s', not found", config); + } + return JOB_REQUEUE_NONE; +} + +/** 
+ * Load a single action + */ +static void load_action(settings_t *settings, char *action) +{ + static struct { + char *name; + callback_job_cb_t cb; + } actions[] = { + {"initiate", (void*)initiate}, + {"rekey_ike", (void*)rekey_ike}, + {"rekey_child", (void*)rekey_child}, + {"liveness", (void*)liveness}, + {"close_ike", (void*)close_ike}, + {"close_child", (void*)close_child}, + }; + bool found = FALSE; + int i; + + for (i = 0; i < countof(actions); i++) + { + if (strncaseeq(actions[i].name, action, strlen(actions[i].name))) + { + int delay; + char *config; + + found = TRUE; + delay = settings->get_int(settings, "actions.%s.delay", 0, action); + config = settings->get_str(settings, "actions.%s.config", + NULL, action); + if (!config) + { + DBG1(DBG_CFG, "no config defined for action '%s'", action); + break; + } + lib->scheduler->schedule_job(lib->scheduler, + (job_t*)callback_job_create(actions[i].cb, config, NULL, NULL), + delay); + } + } + if (!found) + { + DBG1(DBG_CFG, "unknown action '%s', skipped", action); + } +} + +/** + * Load configured actions + */ +static void load_actions(settings_t *settings) +{ + enumerator_t *enumerator; + char *action; + + enumerator = settings->create_section_enumerator(settings, "actions"); + while (enumerator->enumerate(enumerator, &action)) + { + load_action(settings, action); + } + enumerator->destroy(enumerator); +} + +METHOD(actions_t, destroy, void, + private_actions_t *this) +{ + free(this); +} + +/** + * See header + */ +actions_t *actions_create() +{ + private_actions_t *this; + + INIT(this, + .public = { + .destroy = _destroy, + }, + ); + + load_actions(conftest->test); + + return &this->public; +} diff --git a/src/conftest/actions.h b/src/conftest/actions.h new file mode 100644 index 000000000..2e1cbbacd --- /dev/null +++ b/src/conftest/actions.h 
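Review bot: `initiate()` leaks the peer_cfg reference on its failure path: the backend behind `get_peer_cfg_by_name()` in this series (config.c) calls `get_ref()` before returning the peer_cfg, and when no matching CHILD_SA config is found the function only logs and returns, so `peer_cfg->destroy(peer_cfg);` belongs in the else branch. On the success path the reference is handed to `charon->controller->initiate()` together with the `get_ref()`'d child_cfg, which presumably adopts both — worth confirming against the controller contract rather than assuming. Name matching is also inconsistent across the actions: `rekey_ike`, `liveness` and `close_ike` compare IKE_SA names with `strcaseeq()` while `rekey_child` and `close_child` use `streq()`, so the same test config can be case-insensitive for one SA kind and case-sensitive for the other. In `load_action()` the `config` string given to `callback_job_create()` points into the settings object rather than a copy, so a delayed job silently depends on `conftest->test` outliving it.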
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup actions actions + * @{ @ingroup conftest + */ + +#ifndef ACTIONS_H_ +#define ACTIONS_H_ + +typedef struct actions_t actions_t; + +/** + * actionss to trigger based on configuration. + */ +struct actions_t { + + /** + * Destroy a actions_t. + */ + void (*destroy)(actions_t *this); +}; + +/** + * Create a actions instance. + */ +actions_t *actions_create(); + +#endif /** ACTIONS_H_ @}*/ diff --git a/src/conftest/config.c b/src/conftest/config.c new file mode 100644 index 000000000..952141211 --- /dev/null +++ b/src/conftest/config.c 
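Review bot: `actions_t *actions_create();` is declared without a prototype, so a caller passing arguments gets no diagnostic; declare it as `actions_t *actions_create(void);` and mirror that in the definition in actions.c. The same applies to `config_t *config_create();` in config.h. The doc comments also carry typos: `actionss to trigger based on configuration.` should read `Actions to trigger based on configuration.`, and `Destroy a actions_t.` should read `Destroy an actions_t.`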
@@ -0,0 +1,343 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "config.h" + +#include +#include + +typedef struct private_config_t private_config_t; + +/** + * Private data of an config_t object. + */ +struct private_config_t { + + /** + * Public config_t interface. + */ + config_t public; + + /** + * List of loaded peer configs + */ + linked_list_t *configs; +}; + +/** + * filter function for ike configs + */ +static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) +{ + *out = (*in)->get_ike_cfg(*in); + return TRUE; +} + +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_config_t *this, host_t *me, host_t *other) +{ + + return enumerator_create_filter( + this->configs->create_enumerator(this->configs), + (void*)ike_filter, NULL, NULL); +} + +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_config_t *this, identification_t *me, identification_t *other) +{ + return this->configs->create_enumerator(this->configs); +} + +METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, + private_config_t *this, char *name) +{ + enumerator_t *e1, *e2; + peer_cfg_t *current, *found = NULL; + child_cfg_t *child; + + e1 = this->configs->create_enumerator(this->configs); + while (e1->enumerate(e1, ¤t)) + { + e2 = current->create_child_cfg_enumerator(current); + while (e2->enumerate(e2, &child)) + { + if (streq(child->get_name(child), name)) + { + found = current; + 
found->get_ref(found); + break; + } + } + e2->destroy(e2); + if (found) + { + break; + } + } + e1->destroy(e1); + return found; +} + +/** + * Load IKE config for a given section name + */ +static ike_cfg_t *load_ike_config(private_config_t *this, + settings_t *settings, char *config) +{ + enumerator_t *enumerator; + ike_cfg_t *ike_cfg; + proposal_t *proposal; + char *token; + + ike_cfg = ike_cfg_create(TRUE, + settings->get_bool(settings, "configs.%s.fake_nat", FALSE, config), + settings->get_str(settings, "configs.%s.lhost", "%any", config), + settings->get_int(settings, "configs.%s.lport", 500, config), + settings->get_str(settings, "configs.%s.rhost", "%any", config), + settings->get_int(settings, "configs.%s.rport", 500, config)); + token = settings->get_str(settings, "configs.%s.proposal", NULL, config); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + proposal = proposal_create_from_string(PROTO_IKE, token); + if (proposal) + { + ike_cfg->add_proposal(ike_cfg, proposal); + } + else + { + DBG1(DBG_CFG, "parsing proposal '%s' failed, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + } + return ike_cfg; +} +/** + * Load CHILD config for given section names + */ +static child_cfg_t *load_child_config(private_config_t *this, + settings_t *settings, char *config, char *child) +{ + child_cfg_t *child_cfg; + lifetime_cfg_t lifetime = {}; + enumerator_t *enumerator; + proposal_t *proposal; + traffic_selector_t *ts; + ipsec_mode_t mode = MODE_TUNNEL; + host_t *net; + char *token; + int bits; + u_int32_t tfc; + + if (settings->get_bool(settings, "configs.%s.%s.transport", + FALSE, config, child)) + { + mode = MODE_TRANSPORT; + } + tfc = settings->get_int(settings, "configs.%s.%s.tfc_padding", + 0, config, child); + child_cfg = child_cfg_create(child, &lifetime, NULL, FALSE, mode, + 
ACTION_NONE, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL, tfc); + + token = settings->get_str(settings, "configs.%s.%s.proposal", + NULL, config, child); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + proposal = proposal_create_from_string(PROTO_ESP, token); + if (proposal) + { + child_cfg->add_proposal(child_cfg, proposal); + } + else + { + DBG1(DBG_CFG, "parsing proposal '%s' failed, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + } + + token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + net = host_create_from_subnet(token, &bits); + if (net) + { + ts = traffic_selector_create_from_subnet(net, bits, 0, 0); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + } + else + { + DBG1(DBG_CFG, "invalid local ts: %s, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, TRUE, ts); + } + + token = settings->get_str(settings, "configs.%s.%s.rts", NULL, config); + if (token) + { + enumerator = enumerator_create_token(token, ",", " "); + while (enumerator->enumerate(enumerator, &token)) + { + net = host_create_from_subnet(token, &bits); + if (net) + { + ts = traffic_selector_create_from_subnet(net, bits, 0, 0); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + } + else + { + DBG1(DBG_CFG, "invalid remote ts: %s, skipped", token); + } + } + enumerator->destroy(enumerator); + } + else + { + ts = traffic_selector_create_dynamic(0, 0, 65535); + child_cfg->add_traffic_selector(child_cfg, FALSE, ts); + } + return child_cfg; +} + +/** + * Load peer config for a given section name + */ +static peer_cfg_t 
*load_peer_config(private_config_t *this, + settings_t *settings, char *config) +{ + ike_cfg_t *ike_cfg; + peer_cfg_t *peer_cfg; + auth_cfg_t *auth; + child_cfg_t *child_cfg; + enumerator_t *enumerator; + identification_t *lid, *rid; + char *child, *policy; + uintptr_t strength; + + ike_cfg = load_ike_config(this, settings, config); + peer_cfg = peer_cfg_create(config, 2, ike_cfg, CERT_ALWAYS_SEND, + UNIQUE_NO, 1, 0, 0, 0, 0, FALSE, 0, + NULL, NULL, FALSE, NULL, NULL); + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + lid = identification_create_from_string( + settings->get_str(settings, "configs.%s.lid", "%any", config)); + auth->add(auth, AUTH_RULE_IDENTITY, lid); + peer_cfg->add_auth_cfg(peer_cfg, auth, TRUE); + + auth = auth_cfg_create(); + auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); + rid = identification_create_from_string( + settings->get_str(settings, "configs.%s.rid", "%any", config)); + strength = settings->get_int(settings, "configs.%s.rsa_strength", 0); + if (strength) + { + auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength); + } + strength = settings->get_int(settings, "configs.%s.ecdsa_strength", 0); + if (strength) + { + auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); + } + policy = settings->get_str(settings, "configs.%s.cert_policy", NULL, config); + if (policy) + { + auth->add(auth, AUTH_RULE_CERT_POLICY, strdup(policy)); + } + auth->add(auth, AUTH_RULE_IDENTITY, rid); + peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); + + DBG1(DBG_CFG, "loaded config %s: %Y - %Y", config, lid, rid); + + enumerator = settings->create_section_enumerator(settings, + "configs.%s", config); + while (enumerator->enumerate(enumerator, &child)) + { + child_cfg = load_child_config(this, settings, config, child); + peer_cfg->add_child_cfg(peer_cfg, child_cfg); + } + enumerator->destroy(enumerator); + return peer_cfg; +} + +METHOD(config_t, load, void, + private_config_t *this, settings_t *settings) +{ + enumerator_t 
*enumerator; + char *config; + + enumerator = settings->create_section_enumerator(settings, "configs"); + while (enumerator->enumerate(enumerator, &config)) + { + this->configs->insert_last(this->configs, + load_peer_config(this, settings, config)); + } + enumerator->destroy(enumerator); +} + +METHOD(config_t, destroy, void, + private_config_t *this) +{ + this->configs->destroy_offset(this->configs, offsetof(peer_cfg_t, destroy)); + free(this); +} + +/** + * See header + */ +config_t *config_create() +{ + private_config_t *this; + + INIT(this, + .public = { + .backend = { + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + }, + .load = _load, + .destroy = _destroy, + }, + .configs = linked_list_create(), + ); + + return &this->public; +} diff --git a/src/conftest/config.h b/src/conftest/config.h new file mode 100644 index 000000000..2a62b9ce0 --- /dev/null +++ b/src/conftest/config.h 
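Review bot: Several settings lookups in this hunk pass fewer variadic arguments than their format string consumes, which is undefined behaviour and at best reads a key from the wrong section: in `load_child_config()` the `lts` and `rts` lookups use `"configs.%s.%s.lts"` / `"configs.%s.%s.rts"` but pass only `config`, and in `load_peer_config()` `"configs.%s.rsa_strength"` and `"configs.%s.ecdsa_strength"` are called with no `config` argument at all. The fix is to append the missing argument at each site, e.g. `token = settings->get_str(settings, "configs.%s.%s.lts", NULL, config, child);` and `strength = settings->get_int(settings, "configs.%s.rsa_strength", 0, config);`, and likewise for `rts` and `ecdsa_strength`. The strength lookups matter because they feed `AUTH_RULE_RSA_STRENGTH`/`AUTH_RULE_ECDSA_STRENGTH`, so a test meant to require a minimum peer key size may run without that constraint and not notice. If the `settings_t` methods carried a printf-style format attribute, `-Wformat` would have flagged all four sites. Separately, `lifetime_cfg_t lifetime = {};` relies on the GNU empty-initializer extension; `= {0}` is the portable C11 spelling.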
@@ -0,0 +1,56 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup config config + * @{ @ingroup conftest + */ + +#ifndef CONFIG_H_ +#define CONFIG_H_ + +typedef struct config_t config_t; + +#include + +/** + * Conftest IKE and CHILD config backend + */ +struct config_t { + + /** + * Implements the backend_t interface. + */ + backend_t backend; + + /** + * Load configurations from a settings file. + * + * @param settings settings file to load configs from + */ + void (*load)(config_t *this, settings_t *settings); + + /** + * Destroy a config_t. + */ + void (*destroy)(config_t *this); +}; + +/** + * Create a config instance. + */ +config_t *config_create(); + +#endif /** CONFIG_H_ @}*/ diff --git a/src/conftest/conftest.c b/src/conftest/conftest.c new file mode 100644 index 000000000..fea88818e --- /dev/null +++ b/src/conftest/conftest.c 
@@ -0,0 +1,550 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include + +#include "conftest.h" +#include "config.h" +#include "hooks/hook.h" + +#include +#include + +/** + * Conftest globals struct + */ +conftest_t *conftest; + +/** + * Print usage information + */ +static void usage(FILE *out) +{ + fprintf(out, "Usage:\n"); + fprintf(out, " --help show usage information\n"); + fprintf(out, " --version show conftest version\n"); + fprintf(out, " --suite global testsuite configuration " + "(default: ./suite.conf)\n"); + fprintf(out, " --test test specific configuration\n"); +} + +/** + * Handle SIGSEGV/SIGILL signals raised by threads + */ +static void segv_handler(int signal) +{ + fprintf(stderr, "thread %u received %d\n", thread_current_id(), signal); + abort(); +} + +/** + * Load suite and test specific configurations + */ +static bool load_configs(char *suite_file, char *test_file) +{ + if (!test_file) + { + fprintf(stderr, "Missing test configuration file.\n"); + return FALSE; + } + if (access(suite_file, R_OK) != 0) + { + fprintf(stderr, "Reading suite configuration file '%s' failed: %s.\n", + suite_file, strerror(errno)); + return FALSE; + } + if (access(test_file, R_OK) != 0) + { + fprintf(stderr, "Reading test configuration file '%s' failed: %s.\n", + test_file, strerror(errno)); + return FALSE; + } + conftest->test = 
settings_create(suite_file); + conftest->test->load_files(conftest->test, test_file); + conftest->suite_dir = strdup(dirname(suite_file)); + return TRUE; +} + +/** + * Load trusted/untrusted certificates + */ +static bool load_cert(settings_t *settings, bool trusted) +{ + enumerator_t *enumerator; + char *key, *value; + + enumerator = settings->create_key_value_enumerator(settings, + trusted ? "certs.trusted" : "certs.untrusted"); + while (enumerator->enumerate(enumerator, &key, &value)) + { + certificate_t *cert = NULL; + + if (strncaseeq(key, "x509", strlen("x509"))) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, value, BUILD_END); + } + else if (strncaseeq(key, "crl", strlen("crl"))) + { + cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509_CRL, BUILD_FROM_FILE, value, BUILD_END); + } + else + { + fprintf(stderr, "certificate type '%s' not supported\n", key); + enumerator->destroy(enumerator); + return FALSE; + } + if (!cert) + { + fprintf(stderr, "loading %strusted certificate '%s' from '%s' " + "failed\n", trusted ? 
"" : "un", key, value); + enumerator->destroy(enumerator); + return FALSE; + } + conftest->creds->add_cert(conftest->creds, trusted, cert); + } + enumerator->destroy(enumerator); + return TRUE; +} + +/** + * Load certificates from the confiuguration file + */ +static bool load_certs(settings_t *settings, char *dir) +{ + char wd[PATH_MAX]; + + if (getcwd(wd, sizeof(wd)) == NULL) + { + fprintf(stderr, "getting cwd failed: %s\n", strerror(errno)); + return FALSE; + } + if (chdir(dir) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + dir, strerror(errno)); + return FALSE; + } + + if (!load_cert(settings, TRUE) || + !load_cert(settings, FALSE)) + { + return FALSE; + } + + if (chdir(wd) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + wd, strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Load private keys from the confiuguration file + */ +static bool load_keys(settings_t *settings, char *dir) +{ + enumerator_t *enumerator; + char *type, *value, wd[PATH_MAX]; + private_key_t *key; + key_type_t key_type; + + if (getcwd(wd, sizeof(wd)) == NULL) + { + fprintf(stderr, "getting cwd failed: %s\n", strerror(errno)); + return FALSE; + } + if (chdir(dir) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + dir, strerror(errno)); + return FALSE; + } + + enumerator = settings->create_key_value_enumerator(settings, "keys"); + while (enumerator->enumerate(enumerator, &type, &value)) + { + if (strncaseeq(type, "ecdsa", strlen("ecdsa"))) + { + key_type = KEY_ECDSA; + } + else if (strncaseeq(type, "rsa", strlen("rsa"))) + { + key_type = KEY_RSA; + } + else + { + fprintf(stderr, "unknown key type: '%s'\n", type); + enumerator->destroy(enumerator); + return FALSE; + } + key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, + BUILD_FROM_FILE, value, BUILD_END); + if (!key) + { + fprintf(stderr, "loading %s key from '%s' failed\n", type, value); + enumerator->destroy(enumerator); + return FALSE; + } + 
conftest->creds->add_key(conftest->creds, key); + } + enumerator->destroy(enumerator); + + if (chdir(wd) != 0) + { + fprintf(stderr, "opening directory '%s' failed: %s\n", + wd, strerror(errno)); + return FALSE; + } + return TRUE; +} + +/** + * Load certificate distribution points + */ +static void load_cdps(settings_t *settings) +{ + enumerator_t *enumerator; + identification_t *id; + char *ca, *uri, *section; + certificate_type_t type; + x509_t *x509; + + enumerator = settings->create_section_enumerator(settings, "cdps"); + while (enumerator->enumerate(enumerator, §ion)) + { + if (strncaseeq(section, "crl", strlen("crl"))) + { + type = CERT_X509_CRL; + } + else if (strncaseeq(section, "ocsp", strlen("ocsp"))) + { + type = CERT_X509_OCSP_RESPONSE; + } + else + { + fprintf(stderr, "unknown cdp type '%s', ignored\n", section); + continue; + } + + uri = settings->get_str(settings, "cdps.%s.uri", NULL, section); + ca = settings->get_str(settings, "cdps.%s.ca", NULL, section); + if (!ca || !uri) + { + fprintf(stderr, "cdp '%s' misses ca/uri, ignored\n", section); + continue; + } + x509 = lib->creds->create(lib->creds, CRED_CERTIFICATE, + CERT_X509, BUILD_FROM_FILE, ca, BUILD_END); + if (!x509) + { + fprintf(stderr, "loading cdp '%s' ca failed, ignored\n", section); + continue; + } + id = identification_create_from_encoding(ID_KEY_ID, + x509->get_subjectKeyIdentifier(x509)); + conftest->creds->add_cdp(conftest->creds, type, id, uri); + DESTROY_IF((certificate_t*)x509); + id->destroy(id); + } + enumerator->destroy(enumerator); +} + +/** + * Load configured hooks + */ +static bool load_hooks() +{ + enumerator_t *enumerator; + char *name, *pos, buf[64]; + hook_t *(*create)(char*); + hook_t *hook; + + enumerator = conftest->test->create_section_enumerator(conftest->test, + "hooks"); + while (enumerator->enumerate(enumerator, &name)) + { + pos = strchr(name, '-'); + if (pos) + { + snprintf(buf, sizeof(buf), "%.*s_hook_create", pos - name, name); + } + else + { + 
snprintf(buf, sizeof(buf), "%s_hook_create", name); + } + create = dlsym(RTLD_DEFAULT, buf); + if (create) + { + hook = create(name); + if (hook) + { + conftest->hooks->insert_last(conftest->hooks, hook); + charon->bus->add_listener(charon->bus, &hook->listener); + } + } + else + { + fprintf(stderr, "dlsym() for hook '%s' failed: %s\n", name, dlerror()); + enumerator->destroy(enumerator); + return FALSE; + } + } + enumerator->destroy(enumerator); + return TRUE; +} + +/** + * atexit() cleanup handler + */ +static void cleanup() +{ + hook_t *hook; + + DESTROY_IF(conftest->test); + lib->credmgr->remove_set(lib->credmgr, &conftest->creds->set); + conftest->creds->destroy(conftest->creds); + DESTROY_IF(conftest->actions); + while (conftest->hooks->remove_last(conftest->hooks, + (void**)&hook) == SUCCESS) + { + charon->bus->remove_listener(charon->bus, &hook->listener); + hook->destroy(hook); + } + conftest->hooks->destroy(conftest->hooks); + if (conftest->config) + { + if (charon->backends) + { + charon->backends->remove_backend(charon->backends, + &conftest->config->backend); + } + conftest->config->destroy(conftest->config); + } + free(conftest->suite_dir); + free(conftest); + libcharon_deinit(); + libhydra_deinit(); + library_deinit(); +} + +/** + * Load log levels for a logger from section + */ +static void load_log_levels(file_logger_t *logger, char *section) +{ + debug_t group; + level_t def; + + def = conftest->test->get_int(conftest->test, "log.%s.default", 1, section); + for (group = 0; group < DBG_MAX; group++) + { + logger->set_level(logger, group, + conftest->test->get_int(conftest->test, "log.%s.%N", def, + section, debug_lower_names, group)); + } +} + +/** + * Load logger configuration + */ +static void load_loggers(file_logger_t *logger) +{ + enumerator_t *enumerator; + char *section; + FILE *file; + + load_log_levels(logger, "stdout"); + + enumerator = conftest->test->create_section_enumerator(conftest->test, "log"); + while 
(enumerator->enumerate(enumerator, §ion)) + { + if (!streq(section, "stdout")) + { + file = fopen(section, "w"); + if (file == NULL) + { + fprintf(stderr, "opening file %s for logging failed: %s", + section, strerror(errno)); + continue; + } + logger = file_logger_create(file, NULL, FALSE); + load_log_levels(logger, section); + charon->bus->add_listener(charon->bus, &logger->listener); + charon->file_loggers->insert_last(charon->file_loggers, logger); + } + } + enumerator->destroy(enumerator); +} + +/** + * Main function, starts the conftest daemon. + */ +int main(int argc, char *argv[]) +{ + struct sigaction action; + int status = 0; + sigset_t set; + int sig; + char *suite_file = "suite.conf", *test_file = NULL; + file_logger_t *logger; + + if (!library_init(NULL)) + { + library_deinit(); + return SS_RC_LIBSTRONGSWAN_INTEGRITY; + } + if (!libhydra_init("conftest")) + { + libhydra_deinit(); + library_deinit(); + return SS_RC_INITIALIZATION_FAILED; + } + if (!libcharon_init()) + { + libcharon_deinit(); + libhydra_deinit(); + library_deinit(); + return SS_RC_INITIALIZATION_FAILED; + } + + INIT(conftest, + .creds = mem_cred_create(), + ); + + logger = file_logger_create(stdout, NULL, FALSE); + logger->set_level(logger, DBG_ANY, LEVEL_CTRL); + charon->bus->add_listener(charon->bus, &logger->listener); + charon->file_loggers->insert_last(charon->file_loggers, logger); + + lib->credmgr->add_set(lib->credmgr, &conftest->creds->set); + conftest->hooks = linked_list_create(); + conftest->config = config_create(); + + atexit(cleanup); + + while (TRUE) + { + struct option long_opts[] = { + { "help", no_argument, NULL, 'h' }, + { "version", no_argument, NULL, 'v' }, + { "suite", required_argument, NULL, 's' }, + { "test", required_argument, NULL, 't' }, + { 0,0,0,0 } + }; + switch (getopt_long(argc, argv, "", long_opts, NULL)) + { + case EOF: + break; + case 'h': + usage(stdout); + return 0; + case 'v': + printf("strongSwan %s conftest\n", VERSION); + return 0; + case 's': + 
suite_file = optarg; + continue; + case 't': + test_file = optarg; + continue; + default: + usage(stderr); + return 1; + } + break; + } + + if (!load_configs(suite_file, test_file)) + { + return 1; + } + load_loggers(logger); + + if (!lib->plugins->load(lib->plugins, NULL, + conftest->test->get_str(conftest->test, "preload", ""))) + { + return 1; + } + if (!charon->initialize(charon)) + { + return 1; + } + if (!load_certs(conftest->test, conftest->suite_dir)) + { + return 1; + } + if (!load_keys(conftest->test, conftest->suite_dir)) + { + return 1; + } + load_cdps(conftest->test); + if (!load_hooks()) + { + return 1; + } + charon->backends->add_backend(charon->backends, &conftest->config->backend); + conftest->config->load(conftest->config, conftest->test); + conftest->actions = actions_create(); + + /* set up thread specific handlers */ + action.sa_handler = segv_handler; + action.sa_flags = 0; + sigemptyset(&action.sa_mask); + sigaddset(&action.sa_mask, SIGINT); + sigaddset(&action.sa_mask, SIGTERM); + sigaddset(&action.sa_mask, SIGHUP); + sigaction(SIGSEGV, &action, NULL); + sigaction(SIGILL, &action, NULL); + sigaction(SIGBUS, &action, NULL); + action.sa_handler = SIG_IGN; + sigaction(SIGPIPE, &action, NULL); + pthread_sigmask(SIG_SETMASK, &action.sa_mask, NULL); + + /* start thread pool */ + charon->start(charon); + + /* handle SIGINT/SIGTERM in main thread */ + sigemptyset(&set); + sigaddset(&set, SIGINT); + sigaddset(&set, SIGHUP); + sigaddset(&set, SIGTERM); + sigprocmask(SIG_BLOCK, &set, NULL); + + while (sigwait(&set, &sig) == 0) + { + switch (sig) + { + case SIGINT: + case SIGTERM: + fprintf(stderr, "\nshutting down...\n"); + break; + default: + continue; + } + break; + } + return status; +} diff --git a/src/conftest/conftest.h b/src/conftest/conftest.h new file mode 100644 index 000000000..2caf9b3ce --- /dev/null +++ b/src/conftest/conftest.h 
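Review bot: In `load_hooks()` the `%.*s` precision argument is `pos - name`, a `ptrdiff_t`, where `snprintf` expects an `int`; the mismatched vararg type is undefined behaviour and should be written `(int)(pos - name)`. Because `buf` is 64 bytes, a long hook section name is also silently truncated before the `dlsym()` lookup, so comparing the `snprintf()` return against `sizeof(buf)` and failing with a clear message would make a mistyped hook name easier to diagnose than the resulting `dlsym()` error. In `load_configs()`, `dirname()` is permitted to modify its argument and the default `suite_file` is the string literal `"suite.conf"`; passing a `strdup()` copy (freed afterwards) avoids depending on the implementation leaving slash-free input untouched. `segv_handler()` calls `fprintf()` before `abort()`, which is not async-signal-safe — tolerable for a crash-only diagnostic in a test tool, but it deserves a comment saying so. `status` in `main()` is never assigned anything but 0, so either drop it or set it on the error paths.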
@@ -0,0 +1,74 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup conftest conftest + */ + +#ifndef CONFTEST_H_ +#define CONFTEST_H_ + +#include +#include +#include +#include + +#include "config.h" +#include "actions.h" + +typedef struct conftest_t conftest_t; + +/** + * Global conftest variables. + */ +struct conftest_t { + + /** + * Merged suite/test configuration + */ + settings_t *test; + + /** + * Directory containing suite files + */ + char *suite_dir; + + /** + * Credentials loaded from configuration + */ + mem_cred_t *creds; + + /** + * Configurations loaded from config + */ + config_t *config; + + /** + * Loaded hooks + */ + linked_list_t *hooks; + + /** + * Action handling + */ + actions_t *actions; +}; + +/** + * Conftest globals + */ +extern conftest_t *conftest; + +#endif /** CONFTEST_H_ */ diff --git a/src/conftest/hooks/add_notify.c b/src/conftest/hooks/add_notify.c new file mode 100644 index 000000000..de46ca81f --- /dev/null +++ b/src/conftest/hooks/add_notify.c 
@@ -0,0 +1,140 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_add_notify_t private_add_notify_t; + +/** + * Private data of an add_notify_t object. + */ +struct private_add_notify_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Notify type + */ + char *type; + + /** + * Notify data + */ + char *data; + + /** + * SPI of notify + */ + int spi; + + /** + * TRUE for a ESP protocol notify, FALSE for IKE + */ + bool esp; +}; + +METHOD(listener_t, message, bool, + private_add_notify_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + notify_type_t type; + notify_payload_t *notify; + chunk_t data = chunk_empty; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(notify_type_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type); + return TRUE; + } + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + notify = 
notify_payload_create_from_protocol_and_type( + this->esp ? PROTO_ESP : PROTO_IKE, type); + notify->set_spi(notify, this->spi); + if (data.len) + { + notify->set_notification_data(notify, data); + free(data.ptr); + } + message->add_payload(message, ¬ify->payload_interface); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_add_notify_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *add_notify_hook_create(char *name) +{ + private_add_notify_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .spi = conftest->test->get_int(conftest->test, + "hooks.%s.spi", 0, name), + .esp = conftest->test->get_bool(conftest->test, + "hooks.%s.esp", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/add_payload.c b/src/conftest/hooks/add_payload.c new file mode 100644 index 000000000..03a47cc23 --- /dev/null +++ b/src/conftest/hooks/add_payload.c 
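Review bot: In `message`, `strncaseeq(this->data, "0x", 2)` dereferences `this->data` before the `this->data &&` guard in the following `else if`, so the guard is either dead or the two branches are in the wrong order; since `add_notify_hook_create` initialises `data` from `get_str` with a `""` default, the simplest fix is a leading `if (this->data && strncaseeq(this->data, "0x", 2))` and dropping the redundant check from the `else if`. The constructor comment `Create the IKE_AUTH fill hook` is copy-pasted from ike_auth_fill.c; the same stale comment appears in add_payload.c, custom_proposal.c, force_cookie.c, log_id.c, log_ke.c, log_proposals.c and log_ts.c and should name the hook each file actually creates, e.g. `Create the add_notify hook`. The numeric path also accepts any non-zero `atoi` result as a notify type without range checking, which is presumably intended for a conformance tester but deserves a one-line comment saying so.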
@@ -0,0 +1,151 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_add_payload_t private_add_payload_t; + +/** + * Private data of an add_payload_t object. + */ +struct private_add_payload_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload type + */ + char *type; + + /** + * Payload data + */ + char *data; + + /** + * Set critical bit of the payload + */ + bool critical; + + /** + * True to replace existing payload of this type + */ + bool replace; +}; + +METHOD(listener_t, message, bool, + private_add_payload_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + unknown_payload_t *unknown; + payload_t *payload; + enumerator_t *enumerator; + chunk_t data = chunk_empty; + payload_type_t type; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(payload_type_short_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type); + return TRUE; + } + } + if (this->replace) + { + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == type) + { + 
message->remove_payload_at(message, enumerator); + payload->destroy(payload); + break; + } + } + enumerator->destroy(enumerator); + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + unknown = unknown_payload_create_data(type, this->critical, data); + message->add_payload(message, &unknown->payload_interface); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_add_payload_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *add_payload_hook_create(char *name) +{ + private_add_payload_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .critical = conftest->test->get_bool(conftest->test, + "hooks.%s.critical", FALSE, name), + .replace = conftest->test->get_bool(conftest->test, + "hooks.%s.replace", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/custom_proposal.c b/src/conftest/hooks/custom_proposal.c new file mode 100644 index 000000000..e4acd841f --- /dev/null +++ b/src/conftest/hooks/custom_proposal.c 
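Review bot: Ownership of `data` differs from add_notify.c without a comment explaining why: there `data.ptr` is freed after `set_notification_data`, here `data` is handed to `unknown_payload_create_data` and never freed, so unless the two constructors deliberately have opposite ownership semantics one of the hooks leaks or double-frees the buffer. Confirm against the payload API and document it at the call site, e.g. `/* unknown_payload_create_data() takes ownership of data */`. The `strncaseeq(this->data, "0x", 2)` check on the hex branch runs before the `this->data &&` null guard on the plain-text branch, same ordering issue as in add_notify.c.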
@@ -0,0 +1,188 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +#include +#include +#include + +typedef struct private_custom_proposal_t private_custom_proposal_t; + +/** + * Private data of an custom_proposal_t object. + */ +struct private_custom_proposal_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. 
+ */ + int id; + + /** + * hook name + */ + char *name; +}; + +/** + * Load custom proposal configuration to proposal list + */ +static linked_list_t* load_proposals(private_custom_proposal_t *this, + protocol_id_t proto, u_int64_t spi) +{ + enumerator_t *props, *algs; + char *number, *key, *value; + linked_list_t *list; + + list = linked_list_create(); + props = conftest->test->create_section_enumerator(conftest->test, + "hooks.%s", this->name); + while (props->enumerate(props, &number)) + { + const proposal_token_t *token = NULL; + proposal_t *proposal; + u_int16_t type, alg, keysize = 0; + char *end; + + proposal = proposal_create(proto, atoi(number)); + proposal->set_spi(proposal, spi); + + algs = conftest->test->create_key_value_enumerator(conftest->test, + "hooks.%s.%s", this->name, number); + while (algs->enumerate(algs, &key, &value)) + { + errno = 0; + type = strtoul(key, &end, 10); + if (end == key || errno) + { + type = enum_from_name(transform_type_names, key); + if (type == -1) + { + DBG1(DBG_CFG, "unknown transform: '%s', skipped", key); + continue; + } + } + errno = 0; + alg = strtoul(value, &end, 10); + if (end == value || errno) + { + token = proposal_get_token(value, strlen(value)); + if (!token) + { + DBG1(DBG_CFG, "unknown algorithm: '%s', skipped", value); + continue; + } + keysize = token->keysize; + alg = token->algorithm; + } + proposal->add_algorithm(proposal, type, alg, keysize); + } + algs->destroy(algs); + list->insert_last(list, proposal); + } + props->destroy(props); + return list; +} + +METHOD(listener_t, message, bool, + private_custom_proposal_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator; + payload_t *payload; + sa_payload_t *new, *old = NULL; + linked_list_t *new_props, *old_props; + proposal_t *proposal; + + enumerator = message->create_payload_enumerator(message); 
+ while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + old = (sa_payload_t*)payload; + message->remove_payload_at(message, enumerator); + } + } + enumerator->destroy(enumerator); + + if (old) + { + old_props = old->get_proposals(old); + old->destroy(old); + enumerator = old_props->create_enumerator(old_props); + if (enumerator->enumerate(enumerator, &proposal)) + { + new_props = load_proposals(this, + proposal->get_protocol(proposal), + proposal->get_spi(proposal)); + DBG1(DBG_CFG, "injecting custom proposal: %#P", new_props); + new = sa_payload_create_from_proposal_list(new_props); + message->add_payload(message, (payload_t*)new); + new_props->destroy_offset(new_props, offsetof(proposal_t, destroy)); + } + enumerator->destroy(enumerator); + old_props->destroy_offset(old_props, offsetof(proposal_t, destroy)); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_custom_proposal_t *this) +{ + free(this->name); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *custom_proposal_hook_create(char *name) +{ + private_custom_proposal_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .name = strdup(name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/force_cookie.c b/src/conftest/hooks/force_cookie.c new file mode 100644 index 000000000..e34f82851 --- /dev/null +++ b/src/conftest/hooks/force_cookie.c 
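Review bot: In `load_proposals`, `type` is declared `u_int16_t`, so `if (type == -1)` after `type = enum_from_name(transform_type_names, key)` can never be true (the -1 is truncated to 0xFFFF and then promoted to 65535 for the comparison); an unknown transform name is therefore added to the proposal as transform type 65535 instead of being skipped with the "unknown transform" message. Parse into a signed temporary and assign only after validation: `int t = enum_from_name(transform_type_names, key); if (t == -1) { DBG1(DBG_CFG, "unknown transform: '%s', skipped", key); continue; } type = t;`. `keysize` is declared outside the inner `algs` loop and only assigned on the token path, so a numeric algorithm value following a named one silently inherits the previous entry's key size; declare it inside the loop or reset it to 0 per iteration. In `message`, the SA-payload loop overwrites `old` on every match without destroying the previous one, which leaks if a message carries more than one SA payload.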
@@ -0,0 +1,117 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_force_cookie_t private_force_cookie_t; + +/** + * Private data of an force_cookie_t object. + */ +struct private_force_cookie_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_force_cookie_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming && message->get_request(message) && + message->get_exchange_type(message) == IKE_SA_INIT) + { + enumerator_t *enumerator; + bool has_cookie = FALSE; + payload_t *payload; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == NOTIFY) + { + notify_payload_t *notify = (notify_payload_t*)payload; + chunk_t data; + + if (notify->get_notify_type(notify) == COOKIE) + { + data = notify->get_notification_data(notify); + DBG1(DBG_CFG, "received COOKIE: %#B", &data); + has_cookie = TRUE; + break; + } + } + } + enumerator->destroy(enumerator); + if (!has_cookie) + { + message_t *response; + host_t *src, *dst; + packet_t *packet; + ike_sa_id_t *ike_sa_id; + chunk_t data = chunk_from_thing("COOKIE test data"); + + DBG1(DBG_CFG, "sending COOKIE: %#B", &data); + response = message_create(); + dst = message->get_source(message); + src = message->get_destination(message); + 
response->set_source(response, src->clone(src)); + response->set_destination(response, dst->clone(dst)); + response->set_exchange_type(response, IKE_SA_INIT); + response->set_request(response, FALSE); + response->set_message_id(response, 0); + ike_sa_id = message->get_ike_sa_id(message); + ike_sa_id->switch_initiator(ike_sa_id); + response->set_ike_sa_id(response, ike_sa_id); + response->add_notify(response, FALSE, COOKIE, data); + if (response->generate(response, NULL, &packet) == SUCCESS) + { + charon->sender->send(charon->sender, packet); + response->destroy(response); + } + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_force_cookie_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *force_cookie_hook_create(char *name) +{ + private_force_cookie_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/hook.h b/src/conftest/hooks/hook.h new file mode 100644 index 000000000..39a15f21b --- /dev/null +++ b/src/conftest/hooks/hook.h 
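Review bot: `response` is only destroyed inside the `== SUCCESS` branch of `response->generate(...)`, so a failed generate leaks the message object together with its cloned hosts and the notify; move `response->destroy(response);` after the `if` so it runs on both paths. `ike_sa_id->switch_initiator(ike_sa_id)` mutates the incoming message's own IKE SA ID in place before it is passed to `set_ike_sa_id`; whether that call clones the ID and whether the caller still relies on the unmodified ID after this listener returns is not visible here, so either clone before switching or add a comment stating that the in-place flip is intended because the message is discarded via `EXCHANGE_TYPE_UNDEFINED` anyway.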
@@ -0,0 +1,45 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup hook hook + * @{ @ingroup hooks + */ + +#ifndef HOOK_H_ +#define HOOK_H_ + +typedef struct hook_t hook_t; + +#include +#include + +/** + * Hook providing interface. + */ +struct hook_t { + + /** + * Implements listener_t. + */ + listener_t listener; + + /** + * Destroy a hook_t. + */ + void (*destroy)(hook_t *this); +}; + +#endif /** HOOK_H_ @}*/ diff --git a/src/conftest/hooks/ignore_message.c b/src/conftest/hooks/ignore_message.c new file mode 100644 index 000000000..210f3ac50 --- /dev/null +++ b/src/conftest/hooks/ignore_message.c 
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_ignore_message_t private_ignore_message_t; + +/** + * Private data of an ignore_message_t object. + */ +struct private_ignore_message_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Drop incoming or outgoing? + */ + bool in; + + /** + * Drop requests or responses? + */ + bool req; + + /** + * ID of message to drop. 
+ */ + int id; +}; + +METHOD(listener_t, message, bool, + private_ignore_message_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming == this->in && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "ignoring message"); + message->set_exchange_type(message, EXCHANGE_TYPE_UNDEFINED); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_ignore_message_t *this) +{ + free(this); +} + +/** + * Create the ignore_message hook + */ +hook_t *ignore_message_hook_create(char *name) +{ + private_ignore_message_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .in = conftest->test->get_bool(conftest->test, + "hooks.%s.inbound", TRUE, name), + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/ike_auth_fill.c b/src/conftest/hooks/ike_auth_fill.c new file mode 100644 index 000000000..2843d60c1 --- /dev/null +++ b/src/conftest/hooks/ike_auth_fill.c 
@@ -0,0 +1,145 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include + +#include +#include + +typedef struct private_ike_auth_fill_t private_ike_auth_fill_t; + +/** + * Private data of an ike_auth_fill_t object. + */ +struct private_ike_auth_fill_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Number of bytes to fill IKE_AUTH up + */ + int bytes; +}; + +/** size of non ESP-Marker */ +#define NON_ESP_MARKER_LEN 4 + +/** + * Calculate packet size on wire (without ethernet/IP header) + */ +static size_t calculate_wire_size(message_t *message, ike_sa_t *ike_sa) +{ + enumerator_t *enumerator; + payload_t *payload; + size_t size = 0; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + size += payload->get_length(payload); + } + enumerator->destroy(enumerator); + + if (message->get_exchange_type(message) != IKE_SA_INIT) + { + keymat_t *keymat; + aead_t *aead; + size_t bs; + + keymat = ike_sa->get_keymat(ike_sa); + aead = keymat->get_aead(keymat, FALSE); + if (aead) + { + bs = aead->get_block_size(aead); + size += ENCRYPTION_PAYLOAD_HEADER_LENGTH + NON_ESP_MARKER_LEN + + aead->get_icv_size(aead) + aead->get_iv_size(aead) + + (bs - (size % bs)); + } + } + return sizeof(struct udphdr) + 
IKE_HEADER_LENGTH + size; +} + +METHOD(listener_t, message, bool, + private_ike_auth_fill_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + cert_payload_t *pld; + size_t size, diff; + chunk_t data; + + size = calculate_wire_size(message, ike_sa); + if (size < this->bytes - CERT_PAYLOAD_HEADER_LENGTH) + { + diff = this->bytes - size - CERT_PAYLOAD_HEADER_LENGTH; + data = chunk_alloc(diff); + memset(data.ptr, 0x12, data.len); + pld = cert_payload_create_custom(201, data); + message->add_payload(message, &pld->payload_interface); + DBG1(DBG_CFG, "inserting %d dummy bytes certificate payload", diff); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_ike_auth_fill_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *ike_auth_fill_hook_create(char *name) +{ + private_ike_auth_fill_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 1, name), + .bytes = conftest->test->get_int(conftest->test, + "hooks.%s.bytes", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_id.c b/src/conftest/hooks/log_id.c new file mode 100644 index 000000000..ad14cea10 --- /dev/null +++ b/src/conftest/hooks/log_id.c 
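Review bot: `if (size < this->bytes - CERT_PAYLOAD_HEADER_LENGTH)` mixes the `size_t` `size` with the `int` `this->bytes`: when `bytes` is smaller than the header length (the constructor's default is 0) the right-hand side is a negative `int` converted to a huge `size_t`, the condition is true, `diff` wraps, and `chunk_alloc`/`memset` are attempted with an enormous length. Guard the subtraction explicitly, e.g. `if (this->bytes > CERT_PAYLOAD_HEADER_LENGTH && size + CERT_PAYLOAD_HEADER_LENGTH < (size_t)this->bytes)`. The `DBG1` line prints the `size_t` `diff` with `%d`; use `%zu` (or cast) to match. The literal `201` passed to `cert_payload_create_custom` deserves a short comment naming why that encoding value was chosen.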
@@ -0,0 +1,89 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_id_t private_log_id_t; + +/** + * Private data of an log_id_t object. + */ +struct private_log_id_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_id_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + id_payload_t *id_payload; + identification_t *id; + chunk_t data; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == ID_INITIATOR || + payload->get_type(payload) == ID_RESPONDER) + { + id_payload = (id_payload_t*)payload; + id = id_payload->get_identification(id_payload); + data = id->get_encoding(id); + + DBG1(DBG_CFG, "%N: %N %B", + payload_type_short_names, payload->get_type(payload), + id_type_names, id->get_type(id), &data); + id->destroy(id); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_id_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_id_hook_create(char *name) +{ + private_log_id_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} 
diff --git a/src/conftest/hooks/log_ke.c b/src/conftest/hooks/log_ke.c new file mode 100644 index 000000000..231c0a8d8 --- /dev/null +++ b/src/conftest/hooks/log_ke.c @@ -0,0 +1,81 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_ke_t private_log_ke_t; + +/** + * Private data of an log_ke_t object. + */ +struct private_log_ke_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_ke_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + ke_payload_t *ke; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == KEY_EXCHANGE) + { + ke = (ke_payload_t*)payload; + DBG1(DBG_CFG, "received DH group %N", + diffie_hellman_group_names, ke->get_dh_group_number(ke)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_ke_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_ke_hook_create(char *name) +{ + private_log_ke_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} 
diff --git a/src/conftest/hooks/log_proposals.c b/src/conftest/hooks/log_proposals.c new file mode 100644 index 000000000..8c330ab3d --- /dev/null +++ b/src/conftest/hooks/log_proposals.c 
@@ -0,0 +1,98 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_proposals_t private_log_proposals_t; + +/** + * Private data of an log_proposals_t object. + */ +struct private_log_proposals_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_proposals_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator, *proposals; + payload_t *payload; + linked_list_t *list; + sa_payload_t *sa; + proposal_t *proposal; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + list = sa->get_proposals(sa); + DBG1(DBG_CFG, "received %d proposal%s:", list->get_count(list), + list->get_count(list) == 1 ? 
"" : "s"); + proposals = list->create_enumerator(list); + while (proposals->enumerate(proposals, &proposal)) + { + u_int64_t spi = proposal->get_spi(proposal); + + if (proposal->get_protocol(proposal) != PROTO_IKE) + { + spi = htonl(spi); + } + DBG1(DBG_CFG, " %d (SPI 0x%llx): %P", + proposal->get_number(proposal), spi, proposal); + } + proposals->destroy(proposals); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_proposals_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_proposals_hook_create(char *name) +{ + private_log_proposals_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/log_ts.c b/src/conftest/hooks/log_ts.c new file mode 100644 index 000000000..dacc7a58c --- /dev/null +++ b/src/conftest/hooks/log_ts.c 
@@ -0,0 +1,86 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_log_ts_t private_log_ts_t; + +/** + * Private data of an log_ts_t object. + */ +struct private_log_ts_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; +}; + +METHOD(listener_t, message, bool, + private_log_ts_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + enumerator_t *enumerator; + payload_t *payload; + linked_list_t *list; + ts_payload_t *ts; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == TRAFFIC_SELECTOR_INITIATOR || + payload->get_type(payload) == TRAFFIC_SELECTOR_RESPONDER) + { + ts = (ts_payload_t*)payload; + list = ts->get_traffic_selectors(ts); + + DBG1(DBG_CFG, "received %N: %#R", + payload_type_short_names, payload->get_type(payload), list); + list->destroy_offset(list, offsetof(traffic_selector_t, destroy)); + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_log_ts_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *log_ts_hook_create(char *name) +{ + private_log_ts_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + + return &this->hook; +} 
diff --git a/src/conftest/hooks/pretend_auth.c b/src/conftest/hooks/pretend_auth.c new file mode 100644 index 000000000..4b7168cac --- /dev/null +++ b/src/conftest/hooks/pretend_auth.c 
@@ -0,0 +1,386 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include +#include +#include +#include +#include + +typedef struct private_pretend_auth_t private_pretend_auth_t; + +/** + * Private data of an pretend_auth_t object. + */ +struct private_pretend_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * remote peer identity + */ + identification_t *id; + + /** + * reserved bytes of ID payload + */ + char reserved[3]; + + /** + * IKE_SA_INIT data for signature + */ + chunk_t ike_init; + + /** + * Nonce for signature + */ + chunk_t nonce; + + /** + * Selected CHILD_SA proposal + */ + proposal_t *proposal; + + /** + * List of initiators Traffic Selectors + */ + linked_list_t *tsi; + + /** + * List of responders Traffic Selectors + */ + linked_list_t *tsr; +}; + +/** + * Process IKE_SA_INIT request message, outgoing + */ +static void process_init_request(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } +} + +/** + * Process IKE_AUTH request message, outgoing + */ +static void process_auth_request(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + id_payload_t *id; + sa_payload_t *sa; + ts_payload_t *tsi, *tsr; + linked_list_t 
*proposals; + + id = (id_payload_t*)message->get_payload(message, ID_RESPONDER); + if (id) + { + this->id->destroy(this->id); + this->id = id->get_identification(id); + } + sa = (sa_payload_t*)message->get_payload(message, SECURITY_ASSOCIATION); + if (sa) + { + proposals = sa->get_proposals(sa); + proposals->remove_first(proposals, (void**)&this->proposal); + if (this->proposal) + { + this->proposal->set_spi(this->proposal, htonl(0x12345678)); + } + proposals->destroy_offset(proposals, offsetof(proposal_t, destroy)); + } + tsi = (ts_payload_t*)message->get_payload(message, + TRAFFIC_SELECTOR_INITIATOR); + if (tsi) + { + this->tsi = tsi->get_traffic_selectors(tsi); + } + tsr = (ts_payload_t*)message->get_payload(message, + TRAFFIC_SELECTOR_RESPONDER); + if (tsr) + { + this->tsr = tsr->get_traffic_selectors(tsr); + } + +} + +/** + * Process IKE_SA_INIT response message, incoming + */ +static void process_init_response(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + this->ike_init = message->get_packet_data(message); +} + +/** + * Build CERT payloads + */ +static void build_certs(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message, auth_cfg_t *auth) +{ + enumerator_t *enumerator; + cert_payload_t *payload; + certificate_t *cert; + auth_rule_t type; + + /* get subject cert first, then issuing certificates */ + cert = auth->get(auth, AUTH_RULE_SUBJECT_CERT); + if (cert) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "pretending end entity cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } + enumerator = auth->create_enumerator(auth); + while (enumerator->enumerate(enumerator, &type, &cert)) + { + if (type == AUTH_RULE_IM_CERT) + { + payload = cert_payload_create_from_cert(cert); + if (payload) + { + DBG1(DBG_IKE, "pretending issuer cert \"%Y\"", + cert->get_subject(cert)); + message->add_payload(message, (payload_t*)payload); + } + } 
+ } + enumerator->destroy(enumerator); +} + +/** + * Build faked AUTH payload + */ +static bool build_auth(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, this->id, auth); + build_certs(this, ike_sa, message, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to pretend AUTH", this->id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, TRUE, this->ike_init, + this->nonce, this->id, this->reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + return FALSE; + } + auth_payload = auth_payload_create(); + auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + message->add_payload(message, 
(payload_t*)auth_payload); + DBG1(DBG_CFG, "pretending AUTH payload for '%Y' with %N", + this->id, auth_method_names, auth_method); + return TRUE; +} + +/** + * Process IKE_AUTH response message, incoming + */ +static void process_auth_response(private_pretend_auth_t *this, + ike_sa_t *ike_sa, message_t *message) +{ + enumerator_t *enumerator; + payload_t *payload; + + /* check for, and remove AUTHENTICATION_FAILED notify */ + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + notify_payload_t *notify = (notify_payload_t*)payload; + + if (payload->get_type(payload) != NOTIFY || + notify->get_notify_type(notify) != AUTHENTICATION_FAILED) + { + DBG1(DBG_CFG, "no %N notify found, disabling AUTH pretending", + notify_type_names, AUTHENTICATION_FAILED); + enumerator->destroy(enumerator); + return; + } + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + enumerator->destroy(enumerator); + + if (!build_auth(this, ike_sa, message)) + { + message->add_notify(message, TRUE, AUTHENTICATION_FAILED, chunk_empty); + return; + } + message->add_payload(message, (payload_t*) + id_payload_create_from_identification(ID_RESPONDER, this->id)); + if (this->proposal) + { + message->add_payload(message, (payload_t*) + sa_payload_create_from_proposal(this->proposal)); + } + if (this->tsi) + { + message->add_payload(message, (payload_t*) + ts_payload_create_from_traffic_selectors(TRUE, this->tsi)); + } + if (this->tsr) + { + message->add_payload(message, (payload_t*) + ts_payload_create_from_traffic_selectors(FALSE, this->tsr)); + } +} + +METHOD(listener_t, message, bool, + private_pretend_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (incoming) + { + if (!message->get_request(message)) + { + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_init_response(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_AUTH && + 
message->get_message_id(message) == 1) + { + process_auth_response(this, ike_sa, message); + } + } + } + else + { + if (message->get_request(message)) + { + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + process_init_request(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_AUTH && + message->get_message_id(message) == 1) + { + process_auth_request(this, ike_sa, message); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_pretend_auth_t *this) +{ + if (this->tsi) + { + this->tsi->destroy_offset(this->tsi, offsetof(traffic_selector_t, destroy)); + } + if (this->tsr) + { + this->tsr->destroy_offset(this->tsr, offsetof(traffic_selector_t, destroy)); + } + DESTROY_IF(this->proposal); + this->id->destroy(this->id); + free(this->ike_init.ptr); + free(this->nonce.ptr); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *pretend_auth_hook_create(char *name) +{ + private_pretend_auth_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .id = identification_create_from_string( + conftest->test->get_str(conftest->test, + "hooks.%s.peer", "%any", name)), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/rebuild_auth.c b/src/conftest/hooks/rebuild_auth.c new file mode 100644 index 000000000..993c952e0 --- /dev/null +++ b/src/conftest/hooks/rebuild_auth.c 
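Review bot: build_auth() leaks the private key in its two unsupported-key branches: the `default:` of the inner keysize switch and the outer `default:` both `return FALSE` after the DBG1 without `private->destroy(private);`, whereas the later sign() failure path does release it; rebuild_auth() in rebuild_auth.c has the same two leaks (it destroys `id` there but not `private`). Adding `private->destroy(private);` before each of those four returns fixes both files. process_auth_request() also overwrites this->proposal, this->tsi and this->tsr without releasing a previous value, unlike process_init_request() which does `free(this->nonce.ptr)` first, so a retransmitted IKE_AUTH request leaks them; `DESTROY_IF(this->proposal);` and the destroy_offset calls already used in destroy() belong before those assignments. process_init_response() likewise assigns this->ike_init without `free(this->ike_init.ptr);`.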
@@ -0,0 +1,243 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include +#include +#include + +typedef struct private_rebuild_auth_t private_rebuild_auth_t; + +/** + * Private data of an rebuild_auth_t object. + */ +struct private_rebuild_auth_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Our IKE_SA_INIT data, required to rebuild AUTH + */ + chunk_t ike_init; + + /** + * Received NONCE, required to rebuild AUTH + */ + chunk_t nonce; + + /** + * ID to use for key lookup, if not from IDi + */ + identification_t *id; +}; + +/** + * Rebuild our AUTH data + */ +static bool rebuild_auth(private_rebuild_auth_t *this, ike_sa_t *ike_sa, + message_t *message) +{ + enumerator_t *enumerator; + chunk_t octets, auth_data; + private_key_t *private; + auth_cfg_t *auth; + payload_t *payload; + auth_payload_t *auth_payload; + auth_method_t auth_method; + signature_scheme_t scheme; + keymat_t *keymat; + identification_t *id; + char reserved[3]; + generator_t *generator; + chunk_t data; + u_int32_t *lenpos; + + payload = message->get_payload(message, + message->get_request(message) ? 
ID_INITIATOR : ID_RESPONDER); + if (!payload) + { + DBG1(DBG_CFG, "ID payload not found to rebuild AUTH"); + return FALSE; + } + + generator = generator_create(); + generator->generate_payload(generator, payload); + data = generator->get_chunk(generator, &lenpos); + if (data.len < 8) + { + DBG1(DBG_CFG, "ID payload invalid to rebuild AUTH"); + generator->destroy(generator); + return FALSE; + } + memcpy(reserved, data.ptr + 5, 3); + id = identification_create_from_encoding(data.ptr[4], chunk_skip(data, 8)); + generator->destroy(generator); + + auth = auth_cfg_create(); + private = lib->credmgr->get_private(lib->credmgr, KEY_ANY, + this->id ?: id, auth); + auth->destroy(auth); + if (private == NULL) + { + DBG1(DBG_CFG, "no private key found for '%Y' to rebuild AUTH", + this->id ?: id); + id->destroy(id); + return FALSE; + } + + switch (private->get_type(private)) + { + case KEY_RSA: + scheme = SIGN_RSA_EMSA_PKCS1_SHA1; + auth_method = AUTH_RSA; + break; + case KEY_ECDSA: + /* we try to deduct the signature scheme from the keysize */ + switch (private->get_keysize(private)) + { + case 256: + scheme = SIGN_ECDSA_256; + auth_method = AUTH_ECDSA_256; + break; + case 384: + scheme = SIGN_ECDSA_384; + auth_method = AUTH_ECDSA_384; + break; + case 521: + scheme = SIGN_ECDSA_521; + auth_method = AUTH_ECDSA_521; + break; + default: + DBG1(DBG_CFG, "%d bit ECDSA private key size not supported", + private->get_keysize(private)); + id->destroy(id); + return FALSE; + } + break; + default: + DBG1(DBG_CFG, "private key of type %N not supported", + key_type_names, private->get_type(private)); + id->destroy(id); + return FALSE; + } + keymat = ike_sa->get_keymat(ike_sa); + octets = keymat->get_auth_octets(keymat, FALSE, this->ike_init, + this->nonce, id, reserved); + if (!private->sign(private, scheme, octets, &auth_data)) + { + chunk_free(&octets); + private->destroy(private); + id->destroy(id); + return FALSE; + } + auth_payload = auth_payload_create(); + 
auth_payload->set_auth_method(auth_payload, auth_method); + auth_payload->set_data(auth_payload, auth_data); + chunk_free(&auth_data); + chunk_free(&octets); + private->destroy(private); + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == AUTHENTICATION) + { + message->remove_payload_at(message, enumerator); + payload->destroy(payload); + } + } + enumerator->destroy(enumerator); + + message->add_payload(message, (payload_t*)auth_payload); + DBG1(DBG_CFG, "rebuilding AUTH payload for '%Y' with %N", + id, auth_method_names, auth_method); + id->destroy(id); + return TRUE; +} + +METHOD(listener_t, message, bool, + private_rebuild_auth_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && message->get_message_id(message) == 1) + { + rebuild_auth(this, ike_sa, message); + } + if (message->get_exchange_type(message) == IKE_SA_INIT) + { + if (incoming) + { + nonce_payload_t *nonce; + + nonce = (nonce_payload_t*)message->get_payload(message, NONCE); + if (nonce) + { + free(this->nonce.ptr); + this->nonce = nonce->get_nonce(nonce); + } + } + else + { + packet_t *packet; + + if (message->generate(message, NULL, &packet) == SUCCESS) + { + free(this->ike_init.ptr); + this->ike_init = chunk_clone(packet->get_data(packet)); + packet->destroy(packet); + } + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_rebuild_auth_t *this) +{ + free(this->ike_init.ptr); + free(this->nonce.ptr); + DESTROY_IF(this->id); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *rebuild_auth_hook_create(char *name) +{ + private_rebuild_auth_t *this; + char *id; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + ); + id = conftest->test->get_str(conftest->test, "hooks.%s.key", NULL, name); + if (id) + { + this->id = identification_create_from_string(id); + } + + return &this->hook; +} 
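Review bot: The message() listener calls rebuild_auth() for every outgoing message with message ID 1 regardless of exchange type, so the trigger is wider than the IKE_AUTH exchange the hook is about and any other exchange with that ID just logs `ID payload not found to rebuild AUTH`; adding `message->get_exchange_type(message) == IKE_AUTH` to the condition, as pretend_auth.c does, makes the intent explicit. rebuild_auth() re-parses the ID payload from its generated encoding (`data.ptr[4]` as the ID type, `chunk_skip(data, 8)` as the identity) and destroys `generator` immediately after identification_create_from_encoding(); that is only safe if the constructor copies the encoding rather than keeping a reference — presumably it does, but a comment saying so belongs there. The fixed layout relied on by the `data.len < 8` check deserves a comment too, e.g. `/* generic payload header (4) + ID type (1) + reserved (3) */`. The return value of rebuild_auth() is ignored in message(); a `(void)` cast or a comment that failure is only logged would show this is deliberate.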
diff --git a/src/conftest/hooks/reset_seq.c b/src/conftest/hooks/reset_seq.c new file mode 100644 index 000000000..ccf8e997d --- /dev/null +++ b/src/conftest/hooks/reset_seq.c 
@@ -0,0 +1,158 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include +#include +#include + +#include +#include + +#define XFRM_RTA(nlh, x) ((struct rtattr*)(NLMSG_DATA(nlh) + NLMSG_ALIGN(sizeof(x)))) + +typedef struct private_reset_seq_t private_reset_seq_t; + +/** + * Private data of an reset_seq_t object. + */ +struct private_reset_seq_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Delay for reset + */ + int delay; +}; + +/** + * Callback job + */ +static job_requeue_t reset_cb(struct xfrm_usersa_id *data) +{ + netlink_buf_t request; + struct nlmsghdr *hdr; + struct xfrm_aevent_id *id; + struct rtattr *rthdr; + struct xfrm_replay_state *replay; + struct sockaddr_nl addr; + int s, len; + + DBG1(DBG_CFG, "resetting sequence number of SPI 0x%x", htonl(data->spi)); + + memset(&request, 0, sizeof(request)); + + hdr = (struct nlmsghdr*)request; + hdr->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK | NLM_F_REPLACE; + hdr->nlmsg_seq = 201; + hdr->nlmsg_pid = getpid(); + hdr->nlmsg_type = XFRM_MSG_NEWAE; + hdr->nlmsg_len = NLMSG_LENGTH(sizeof(struct xfrm_aevent_id)); + + id = (struct xfrm_aevent_id*)NLMSG_DATA(hdr); + id->sa_id = *data; + + rthdr = XFRM_RTA(hdr, struct xfrm_aevent_id); + rthdr->rta_type = XFRMA_REPLAY_VAL; + rthdr->rta_len = RTA_LENGTH(sizeof(struct xfrm_replay_state)); + hdr->nlmsg_len += rthdr->rta_len; + + replay = (struct 
xfrm_replay_state*)RTA_DATA(rthdr); + + s = socket(AF_NETLINK, SOCK_RAW, NETLINK_XFRM); + if (s == -1) + { + DBG1(DBG_CFG, "opening XFRM socket failed: %s", strerror(errno)); + return JOB_REQUEUE_NONE; + } + memset(&addr, 0, sizeof(addr)); + addr.nl_family = AF_NETLINK; + len = sendto(s, hdr, hdr->nlmsg_len, 0, + (struct sockaddr*)&addr, sizeof(addr)); + if (len != hdr->nlmsg_len) + { + DBG1(DBG_CFG, "sending XFRM aevent failed: %s", strerror(errno)); + } + close(s); + return JOB_REQUEUE_NONE; +} + +/** + * Schedule sequence number reset job + */ +static void schedule_reset_job(private_reset_seq_t *this, host_t *dst, + u_int32_t spi) +{ + struct xfrm_usersa_id *data; + chunk_t chunk; + + INIT(data, + .spi = spi, + .family = dst->get_family(dst), + .proto = IPPROTO_ESP, + ); + + chunk = dst->get_address(dst); + memcpy(&data->daddr, chunk.ptr, min(chunk.len, sizeof(xfrm_address_t))); + + lib->scheduler->schedule_job(lib->scheduler, + (job_t*)callback_job_create( + (void*)reset_cb, data, (void*)free, NULL), + this->delay); +} + +METHOD(listener_t, child_updown, bool, + private_reset_seq_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, + bool up) +{ + if (up) + { + schedule_reset_job(this, ike_sa->get_other_host(ike_sa), + child_sa->get_spi(child_sa, FALSE)); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_reset_seq_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *reset_seq_hook_create(char *name) +{ + private_reset_seq_t *this; + + INIT(this, + .hook = { + .listener = { + .child_updown = _child_updown, + }, + .destroy = _destroy, + }, + .delay = conftest->test->get_int(conftest->test, + "hooks.%s.delay", 10, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_critical.c b/src/conftest/hooks/set_critical.c new file mode 100644 index 000000000..caf2215c3 --- /dev/null +++ b/src/conftest/hooks/set_critical.c 
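Review bot: reset_cb() sets NLM_F_ACK on the XFRM_MSG_NEWAE request but never reads the acknowledgement, so a kernel rejection (for instance no SA matching the SPI and daddr) is invisible: only a local sendto() failure is logged and JOB_REQUEUE_NONE is returned either way. Reading one reply on the same socket and checking for NLMSG_ERROR surfaces the outcome, as sketched below. The `replay` pointer is computed but never written; the reset works only because the attribute data is still zero from the earlier `memset(&request, 0, sizeof(request))`, which deserves a comment at that line such as `/* attribute left all-zero by the memset above: zeroed seq/oseq/bitmap is the reset */` (or drop the unused variable). `hdr->nlmsg_seq = 201` is a magic constant; a named value also makes matching the ack obvious.
```c
	/* … unchanged: build XFRM_MSG_NEWAE request, open socket, sendto() … */
	if (len != hdr->nlmsg_len)
	{
		DBG1(DBG_CFG, "sending XFRM aevent failed: %s", strerror(errno));
	}
	else
	{
		/* NLM_F_ACK was requested: read the reply and report kernel errors */
		len = recv(s, &request, sizeof(request), 0);
		if (len < (int)NLMSG_LENGTH(sizeof(struct nlmsgerr)))
		{
			DBG1(DBG_CFG, "receiving XFRM ack failed: %s", strerror(errno));
		}
		else if (hdr->nlmsg_type == NLMSG_ERROR)
		{
			struct nlmsgerr *err = NLMSG_DATA(hdr);

			if (err->error)
			{
				DBG1(DBG_CFG, "XFRM aevent rejected: %s", strerror(-err->error));
			}
		}
	}
	close(s);
```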
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_critical_t private_set_critical_t; + +/** + * Private data of an set_critical_t object. + */ +struct private_set_critical_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload types, space separated + */ + char *payloads; +}; + +METHOD(listener_t, message, bool, + private_set_critical_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *msg, *types; + payload_t *payload; + payload_type_t type; + bool *critical; + char *name; + + types = enumerator_create_token(this->payloads, " ", ""); + while (types->enumerate(types, &name)) + { + type = atoi(name); + if (!type) + { + type = enum_from_name(payload_type_short_names, name); + if (type == -1) + { + DBG1(DBG_CFG, "invalid payload name '%s'", name); + break; + } + } + msg = message->create_payload_enumerator(message); + while (msg->enumerate(msg, &payload)) + { + if (type == payload->get_type(payload)) + { + critical = payload_get_field(payload, FLAG, 0); + if (critical) + { + *critical = TRUE; + } + } + } + msg->destroy(msg); + } + types->destroy(types); + } + 
return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_critical_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_critical_hook_create(char *name) +{ + private_set_critical_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .payloads = conftest->test->get_str(conftest->test, + "hooks.%s.payloads", "", name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_initiator.c b/src/conftest/hooks/set_ike_initiator.c new file mode 100644 index 000000000..6ba43eaca --- /dev/null +++ b/src/conftest/hooks/set_ike_initiator.c 
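Review bot: `critical = payload_get_field(payload, FLAG, 0)` assumes the first FLAG-typed encoding rule of every payload is the critical bit; that only holds while every payload's rules start with the generic header, and nothing here says so, so add `/* the first FLAG rule of every payload is the critical bit of the generic header */` above the call. `type == -1` compares a payload_type_t against -1; it works under the usual promotions but reads as a trap since enum_from_name() returns int, and `int found = enum_from_name(payload_type_short_names, name); if (found == -1) { ... } type = found;` is clearer (set_length.c has the same comparison). A failed name lookup `break`s out of the token loop, silently skipping every later entry of the configured list; either `continue` or a log line saying the rest is skipped would make that explicit.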
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include
+
+typedef struct private_set_ike_initiator_t private_set_ike_initiator_t;
+
+/**
+ * Private data of an set_ike_initiator_t object.
+ */
+struct private_set_ike_initiator_t {
+
+ /**
+ * Implements the hook_t interface.
+ */
+ hook_t hook;
+
+ /**
+ * Alter requests or responses?
+ */
+ bool req;
+
+ /**
+ * ID of message to alter.
+ */
+ int id;
+};
+
+METHOD(listener_t, message, bool,
+ private_set_ike_initiator_t *this, ike_sa_t *ike_sa, message_t *message,
+ bool incoming)
+{
+ if (!incoming &&
+ message->get_request(message) == this->req &&
+ message->get_message_id(message) == this->id)
+ {
+ ike_sa_id_t *id;
+
+ DBG1(DBG_CFG, "toggling IKE message initiator flag");
+ id = message->get_ike_sa_id(message);
+ id->switch_initiator(id);
+ }
+ return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+ private_set_ike_initiator_t *this)
+{
+ free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_ike_initiator_hook_create(char *name)
+{
+ private_set_ike_initiator_t *this;
+
+ INIT(this,
+ .hook = {
+ .listener = {
+ .message = _message,
+ },
+ .destroy = _destroy,
+ },
+ .req = conftest->test->get_bool(conftest->test,
+ "hooks.%s.request", TRUE, name),
+ .id = conftest->test->get_int(conftest->test,
+ "hooks.%s.id", 0, name),
+ );
+
+ return &this->hook;
+}
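Review bot: `id->switch_initiator(id)` mutates whatever object get_ike_sa_id() returns, and this file does not show whether that is the message's own ike_sa_id_t or one shared with the IKE_SA; if it is shared, the flipped initiator flag outlives this message and alters every later one, which is broader than the single message-ID trigger suggests. A comment such as `/* flips the flag on the object returned by get_ike_sa_id(); confirm the message holds its own copy */` (or a note that persistence is intended) would settle it. set_ike_spi.c writes both SPIs through the same accessor and has the same question.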
diff --git a/src/conftest/hooks/set_ike_request.c b/src/conftest/hooks/set_ike_request.c new file mode 100644 index 000000000..baabea66a --- /dev/null +++ b/src/conftest/hooks/set_ike_request.c 
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "hook.h"
+
+#include
+
+typedef struct private_set_ike_request_t private_set_ike_request_t;
+
+/**
+ * Private data of an set_ike_request_t object.
+ */
+struct private_set_ike_request_t {
+
+ /**
+ * Implements the hook_t interface.
+ */
+ hook_t hook;
+
+ /**
+ * Alter requests or responses?
+ */
+ bool req;
+
+ /**
+ * ID of message to alter.
+ */
+ int id;
+};
+
+METHOD(listener_t, message, bool,
+ private_set_ike_request_t *this, ike_sa_t *ike_sa, message_t *message,
+ bool incoming)
+{
+ if (!incoming &&
+ message->get_request(message) == this->req &&
+ message->get_message_id(message) == this->id)
+ {
+ DBG1(DBG_CFG, "toggling IKE message request flag");
+ message->set_request(message, !this->req);
+ }
+ return TRUE;
+}
+
+METHOD(hook_t, destroy, void,
+ private_set_ike_request_t *this)
+{
+ free(this);
+}
+
+/**
+ * Create the IKE_AUTH fill hook
+ */
+hook_t *set_ike_request_hook_create(char *name)
+{
+ private_set_ike_request_t *this;
+
+ INIT(this,
+ .hook = {
+ .listener = {
+ .message = _message,
+ },
+ .destroy = _destroy,
+ },
+ .req = conftest->test->get_bool(conftest->test,
+ "hooks.%s.request", TRUE, name),
+ .id = conftest->test->get_int(conftest->test,
+ "hooks.%s.id", 0, name),
+ );
+
+ return &this->hook;
+}
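Review bot: The trigger `!incoming && message->get_request(message) == this->req && message->get_message_id(message) == this->id` together with the `hooks.%s.request`/`hooks.%s.id` settings is repeated verbatim in set_ike_initiator.c, set_ike_spi.c, set_ike_version.c, set_critical.c and set_length.c; a small helper in hook.h, for example `static inline bool hook_matches(bool req, int id, message_t *message, bool incoming)`, would keep the matching rule in one place. `message->set_request(message, !this->req)` negates the very field the hook just matched on, so `this->req` serves both as match key and as the value being flipped; a one-line comment, `/* matched on req, so !req is the flipped flag */`, spells that out.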
diff --git a/src/conftest/hooks/set_ike_spi.c b/src/conftest/hooks/set_ike_spi.c new file mode 100644 index 000000000..14a0da9cd --- /dev/null +++ b/src/conftest/hooks/set_ike_spi.c 
@@ -0,0 +1,104 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_ike_spi_t private_set_ike_spi_t; + +/** + * Private data of an set_ike_spi_t object. + */ +struct private_set_ike_spi_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Initiator SPI + */ + u_int64_t spii; + + /** + * Responder SPI + */ + u_int64_t spir; +}; + +METHOD(listener_t, message, bool, + private_set_ike_spi_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + ike_sa_id_t *id; + + DBG1(DBG_CFG, "setting IKE SPIs to: 0x%llx/0x%llx", + this->spii, this->spir); + + id = message->get_ike_sa_id(message); + id->set_initiator_spi(id, this->spii); + id->set_responder_spi(id, this->spir); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_spi_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_spi_hook_create(char *name) +{ + private_set_ike_spi_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = 
conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .spii = strtoull(conftest->test->get_str(conftest->test, + "hooks.%s.spii", "0", name), NULL, 16), + .spir = strtoull(conftest->test->get_str(conftest->test, + "hooks.%s.spir", "0", name), NULL, 16), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_ike_version.c b/src/conftest/hooks/set_ike_version.c new file mode 100644 index 000000000..d2de9dc81 --- /dev/null +++ b/src/conftest/hooks/set_ike_version.c 
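Review bot: The DBG1 format `0x%llx/0x%llx` is given `u_int64_t` arguments, which on LP64 platforms are `unsigned long` rather than `unsigned long long`; even where the sizes agree the mismatch is undefined behaviour and trips -Wformat, so use `"0x%" PRIx64 "/0x%" PRIx64` from <inttypes.h> or cast the arguments. The `strtoull(..., NULL, 16)` calls in set_ike_spi_hook_create() discard the end pointer and never reset errno, so a typo in `hooks.%s.spii`/`hooks.%s.spir` (or trailing junk after a valid prefix) is accepted silently as a partial value; parsing with an end pointer and logging when `*end != '\0'` would catch broken test configs.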
@@ -0,0 +1,111 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_ike_version_t private_set_ike_version_t; + +/** + * Private data of an set_ike_version_t object. + */ +struct private_set_ike_version_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Major version to set + */ + int major; + + /** + * Minor version to set + */ + int minor; + + /** + * Higher version supported? 
+ */ + bool higher; +}; + +METHOD(listener_t, message, bool, + private_set_ike_version_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + DBG1(DBG_CFG, "setting IKE version of message ID %d to %d.%d", + this->id, this->major, this->minor); + message->set_major_version(message, this->major); + message->set_minor_version(message, this->minor); + if (this->higher) + { + message->set_version_flag(message); + } + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_ike_version_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_ike_version_hook_create(char *name) +{ + private_set_ike_version_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .major = conftest->test->get_int(conftest->test, + "hooks.%s.major", 2, name), + .minor = conftest->test->get_int(conftest->test, + "hooks.%s.minor", 0, name), + .higher = conftest->test->get_bool(conftest->test, + "hooks.%s.higher", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_length.c b/src/conftest/hooks/set_length.c new file mode 100644 index 000000000..0379dcb7c --- /dev/null +++ b/src/conftest/hooks/set_length.c 
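Review bot: `this->major` and `this->minor` are taken from `hooks.%s.major`/`hooks.%s.minor` with no range check, yet the IKE header carries each version number in a 4-bit field; what set_major_version()/set_minor_version() do with values outside 0..15 is not visible here (presumably the generator truncates). If out-of-range values are a deliberate test input, say so in the field comments; otherwise log it, e.g. `if (this->major > 15 || this->minor > 15) DBG1(DBG_CFG, "IKE version %d.%d exceeds 4-bit fields", this->major, this->minor);`. The DBG1 line also omits `higher`, so the log does not show when set_version_flag() was applied.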
@@ -0,0 +1,133 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_set_length_t private_set_length_t; + +/** + * Private data of an set_length_t object. + */ +struct private_set_length_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Payload type + */ + char *type; + + /** + * Difference to correct length + */ + int diff; +}; + +METHOD(listener_t, message, bool, + private_set_length_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + payload_t *payload; + enumerator_t *enumerator; + payload_type_t type; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(payload_type_short_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown payload: '%s', skipped", this->type); + return TRUE; + } + } + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (type == payload->get_type(payload)) + { + encoding_rule_t *rules; + size_t count; + u_int16_t *len; + int i; + + payload->get_encoding_rules(payload, &rules, &count); + for (i = 0; i < count; i++) + { + if (rules[i].type == PAYLOAD_LENGTH) + { + len = 
(u_int16_t*)(((void*)payload) + rules[i].offset); + DBG1(DBG_CFG, "adjusting length of %N payload " + "from %d to %d", payload_type_short_names, type, + *len, *len + this->diff); + *len = *len + this->diff; + } + } + } + } + enumerator->destroy(enumerator); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_length_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_length_hook_create(char *name) +{ + private_set_length_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .diff = conftest->test->get_int(conftest->test, + "hooks.%s.diff", 0, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/set_proposal_number.c b/src/conftest/hooks/set_proposal_number.c new file mode 100644 index 000000000..a59d96b6d --- /dev/null +++ b/src/conftest/hooks/set_proposal_number.c 
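Review bot: The log line inside the encoding-rule loop prints `*len + this->diff` as an `int`, but the value stored on the next line is narrowed to the 16-bit length field, so whenever the sum leaves 0..65535 the log and the wire disagree. Logging after the store keeps them in sync: `*len = *len + this->diff;` followed by `DBG1(DBG_CFG, "adjusted length of %N payload to %d", payload_type_short_names, type, *len);` — or cast in the existing message, `(u_int16_t)(*len + this->diff)`. `i` is an `int` compared against the `size_t` `count`; declaring it `size_t` avoids the signed/unsigned comparison. The hook also relies on the generator emitting the struct's PAYLOAD_LENGTH field as stored rather than recomputing it, which is not visible here; a one-line comment stating that assumption would help the next reader.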
@@ -0,0 +1,163 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_proposal_number_t private_set_proposal_number_t; + +/** + * Private data of an set_proposal_number_t object. + */ +struct private_set_proposal_number_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Proposal number to modify + */ + int from; + + /** + * Proposal number to set + */ + int to; +}; + +/** + * Copy all algs from given type from one proposal to another + */ +static void copy_proposal_algs(proposal_t *from, proposal_t *to, + transform_type_t type) +{ + enumerator_t *enumerator; + u_int16_t alg, key_size; + + enumerator = from->create_enumerator(from, type); + while (enumerator->enumerate(enumerator, &alg, &key_size)) + { + to->add_algorithm(to, type, alg, key_size); + } + enumerator->destroy(enumerator); +} + +METHOD(listener_t, message, bool, + private_set_proposal_number_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator; + payload_t *payload; + linked_list_t *list = NULL, *updated; + sa_payload_t *sa; + proposal_t *proposal, *new; + + updated = linked_list_create(); + enumerator = 
message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + list = sa->get_proposals(sa); + message->remove_payload_at(message, enumerator); + sa->destroy(sa); + } + } + enumerator->destroy(enumerator); + + if (list) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &proposal)) + { + if (proposal->get_number(proposal) == this->from) + { + DBG1(DBG_CFG, "setting proposal number from %d to %d", + this->from, this->to); + new = proposal_create(proposal->get_protocol(proposal), + this->to); + copy_proposal_algs(proposal, new, ENCRYPTION_ALGORITHM); + copy_proposal_algs(proposal, new, INTEGRITY_ALGORITHM); + copy_proposal_algs(proposal, new, PSEUDO_RANDOM_FUNCTION); + copy_proposal_algs(proposal, new, DIFFIE_HELLMAN_GROUP); + copy_proposal_algs(proposal, new, EXTENDED_SEQUENCE_NUMBERS); + updated->insert_last(updated, new); + } + else + { + list->remove_at(list, enumerator); + updated->insert_last(updated, proposal); + } + } + enumerator->destroy(enumerator); + } + sa = sa_payload_create_from_proposal_list(updated); + list->destroy_offset(list, offsetof(proposal_t, destroy)); + updated->destroy_offset(updated, offsetof(proposal_t, destroy)); + message->add_payload(message, (payload_t*)sa); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_proposal_number_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_proposal_number_hook_create(char *name) +{ + private_set_proposal_number_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .from = conftest->test->get_int(conftest->test, + "hooks.%s.from", 0, name), + .to = 
conftest->test->get_int(conftest->test,
+ "hooks.%s.to", 1, name),
+ );
+
+ return &this->hook;
+}
diff --git a/src/conftest/hooks/set_reserved.c b/src/conftest/hooks/set_reserved.c
new file mode 100644
index 000000000..77a605d2a
--- /dev/null
+++ b/src/conftest/hooks/set_reserved.c
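Review bot: `list->destroy_offset(list, offsetof(proposal_t, destroy));` at the end of the message listener runs unconditionally, but `list` is initialised to NULL and only assigned when a SECURITY_ASSOCIATION payload is found, so a matching message without an SA payload dereferences NULL (and, before that, an empty SA payload is still appended). The guard that already wraps the proposal loop should cover the cleanup too: `if (list) { list->destroy_offset(list, offsetof(proposal_t, destroy)); }` — or return early before `updated` is created when no SA payload was present. If a message ever carried more than one SA payload, the earlier `list` would be overwritten and leaked; that is probably unreachable in conftest's scenarios, but a comment noting the single-SA assumption would make it explicit.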
@@ -0,0 +1,245 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +#include + +typedef struct private_set_reserved_t private_set_reserved_t; + +/** + * Private data of an set_reserved_t object. + */ +struct private_set_reserved_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Hook name + */ + char *name; +}; + +/** + * Set reserved bit of a payload + */ +static void set_bit(private_set_reserved_t *this, message_t *message, + payload_type_t type, u_int nr) +{ + enumerator_t *payloads; + payload_t *payload; + bool *bit; + + if (type == HEADER) + { + message->set_reserved_header_bit(message, nr); + DBG1(DBG_CFG, "setting reserved bit %d of %N", + nr, payload_type_short_names, type); + } + else + { + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == type) + { + bit = payload_get_field(payload, RESERVED_BIT, nr); + if (bit) + { + DBG1(DBG_CFG, "setting reserved bit %d of %N", + nr, payload_type_short_names, type); + *bit = TRUE; + } + } + } + payloads->destroy(payloads); + } +} + +/** + * Set reserved byte of a payload + */ +static void set_byte(private_set_reserved_t *this, message_t *message, + payload_type_t type, u_int nr, u_int8_t byteval) +{ + enumerator_t *payloads; + 
payload_t *payload; + u_int8_t *byte; + + if (type == TRANSFORM_SUBSTRUCTURE || type == PROPOSAL_SUBSTRUCTURE) + { + enumerator_t *transforms, *proposals; + transform_substructure_t *transform; + proposal_substructure_t *proposal; + sa_payload_t *sa; + + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == SECURITY_ASSOCIATION) + { + sa = (sa_payload_t*)payload; + proposals = sa->create_substructure_enumerator(sa); + while (proposals->enumerate(proposals, &proposal)) + { + if (type == PROPOSAL_SUBSTRUCTURE) + { + byte = payload_get_field(&proposal->payload_interface, + RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + else if (type == TRANSFORM_SUBSTRUCTURE) + { + transforms = proposal->create_substructure_enumerator( + proposal); + while (transforms->enumerate(transforms, &transform)) + { + byte = payload_get_field(&transform->payload_interface, + RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + transforms->destroy(transforms); + } + } + proposals->destroy(proposals); + } + } + payloads->destroy(payloads); + } + else + { + payloads = message->create_payload_enumerator(message); + while (payloads->enumerate(payloads, &payload)) + { + if (payload->get_type(payload) == type) + { + byte = payload_get_field(payload, RESERVED_BYTE, nr); + if (byte) + { + DBG1(DBG_CFG, "setting reserved byte %d of %N to %d", + nr, payload_type_short_names, type, byteval); + *byte = byteval; + } + } + } + payloads->destroy(payloads); + } +} + +METHOD(listener_t, message, bool, + private_set_reserved_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + 
message->get_message_id(message) == this->id) + { + enumerator_t *bits, *bytes, *types; + payload_type_t type; + char *nr, *name; + u_int8_t byteval; + + types = conftest->test->create_section_enumerator(conftest->test, + "hooks.%s", this->name); + while (types->enumerate(types, &name)) + { + type = atoi(name); + if (!type) + { + type = enum_from_name(payload_type_short_names, name); + if (type == -1) + { + DBG1(DBG_CFG, "invalid payload name '%s'", name); + break; + } + } + nr = conftest->test->get_str(conftest->test, + "hooks.%s.%s.bits", "", this->name, name); + bits = enumerator_create_token(nr, ",", " "); + while (bits->enumerate(bits, &nr)) + { + set_bit(this, message, type, atoi(nr)); + } + bits->destroy(bits); + + nr = conftest->test->get_str(conftest->test, + "hooks.%s.%s.bytes", "", this->name, name); + byteval = conftest->test->get_int(conftest->test, + "hooks.%s.%s.byteval", 255, this->name, name); + bytes = enumerator_create_token(nr, ",", " "); + while (bytes->enumerate(bytes, &nr)) + { + set_byte(this, message, type, atoi(nr), byteval); + } + bytes->destroy(bytes); + } + types->destroy(types); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_set_reserved_t *this) +{ + free(this->name); + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *set_reserved_hook_create(char *name) +{ + private_set_reserved_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .name = strdup(name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/unencrypted_notify.c b/src/conftest/hooks/unencrypted_notify.c new file mode 100644 index 000000000..80bdc64b7 --- /dev/null +++ b/src/conftest/hooks/unencrypted_notify.c 
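Review bot: In the types loop of the message listener an unrecognised payload name does `break`, which silently abandons every remaining `hooks.<name>.<type>` section instead of skipping only the bad entry; the sibling hooks in this commit (set_length, unsort_message) log and skip, so `continue` would be both consistent and less surprising. The bit and byte numbers go through `atoi` into an unsigned `nr` with no range check, so a negative or non-numeric entry becomes a very large index that `payload_get_field` is presumably expected to reject — worth saying in a comment, since the hook otherwise gives no feedback. Likewise `byteval` comes from `get_int` with a 255 default and is narrowed to `u_int8_t`, so values above 255 are truncated silently.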
@@ -0,0 +1,153 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_unencrypted_notify_t private_unencrypted_notify_t; + +/** + * Private data of an unencrypted_notify_t object. + */ +struct private_unencrypted_notify_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * ID of message send. + */ + int id; + + /** + * Notify type + */ + char *type; + + /** + * Notify data + */ + char *data; + + /** + * SPI of notify + */ + int spi; + + /** + * TRUE for a ESP protocol notify, FALSE for IKE + */ + bool esp; +}; + +METHOD(listener_t, ike_updown, bool, + private_unencrypted_notify_t *this, ike_sa_t *ike_sa, bool up) +{ + if (up) + { + message_t *message; + host_t *host; + notify_type_t type; + notify_payload_t *notify; + chunk_t data = chunk_empty; + packet_t *packet; + + type = atoi(this->type); + if (!type) + { + type = enum_from_name(notify_type_names, this->type); + if (type == -1) + { + DBG1(DBG_CFG, "unknown notify: '%s', skipped", this->type); + return TRUE; + } + } + if (strncaseeq(this->data, "0x", 2)) + { + data = chunk_skip(chunk_create(this->data, strlen(this->data)), 2); + data = chunk_from_hex(data, NULL); + } + else if (this->data && strlen(this->data)) + { + data = chunk_clone(chunk_create(this->data, strlen(this->data))); + } + notify = notify_payload_create_from_protocol_and_type( + this->esp ? 
PROTO_ESP : PROTO_IKE, type); + notify->set_spi(notify, this->spi); + if (data.len) + { + notify->set_notification_data(notify, data); + free(data.ptr); + } + + DBG1(DBG_CFG, "injecting unencrypted INFORMATIONAL message"); + + message = message_create(); + message->set_message_id(message, this->id); + message->set_ike_sa_id(message, ike_sa->get_id(ike_sa)); + message->set_exchange_type(message, INFORMATIONAL); + message->set_request(message, TRUE); + host = ike_sa->get_my_host(ike_sa); + message->set_source(message, host->clone(host)); + host = ike_sa->get_other_host(ike_sa); + message->set_destination(message, host->clone(host)); + message->add_payload(message, ¬ify->payload_interface); + if (message->generate(message, NULL, &packet) != SUCCESS) + { + DBG1(DBG_CFG, "generating message failed"); + message->destroy(message); + return TRUE; + } + message->destroy(message); + charon->sender->send(charon->sender, packet); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_unencrypted_notify_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *unencrypted_notify_hook_create(char *name) +{ + private_unencrypted_notify_t *this; + + INIT(this, + .hook = { + .listener = { + .ike_updown = _ike_updown, + }, + .destroy = _destroy, + }, + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 2, name), + .type = conftest->test->get_str(conftest->test, + "hooks.%s.type", "", name), + .data = conftest->test->get_str(conftest->test, + "hooks.%s.data", "", name), + .spi = conftest->test->get_int(conftest->test, + "hooks.%s.spi", 0, name), + .esp = conftest->test->get_bool(conftest->test, + "hooks.%s.esp", FALSE, name), + ); + + return &this->hook; +} diff --git a/src/conftest/hooks/unsort_message.c b/src/conftest/hooks/unsort_message.c new file mode 100644 index 000000000..b37b261a4 --- /dev/null +++ b/src/conftest/hooks/unsort_message.c 
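Review bot: The `this->data &&` NULL guard in the else-if branch of `ike_updown` is dead, because `strncaseeq(this->data, "0x", 2)` on the line above has already dereferenced the pointer; either drop it or move it first: `if (this->data && strncaseeq(this->data, "0x", 2))`. In the hex branch the result of `chunk_from_hex` is used without checking that the configured text was well-formed hex, so a typo in the test config yields an unexpected notification payload rather than a diagnosable error; a length check or a log line would help. The creator's doc comment, "Create the IKE_AUTH fill hook", is copied from another hook and should name this one.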
@@ -0,0 +1,133 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "hook.h" + +typedef struct private_unsort_message_t private_unsort_message_t; + +/** + * Private data of an unsort_message_t object. + */ +struct private_unsort_message_t { + + /** + * Implements the hook_t interface. + */ + hook_t hook; + + /** + * Alter requests or responses? + */ + bool req; + + /** + * ID of message to alter. + */ + int id; + + /** + * Order of payloads we want + */ + char *order; +}; + +METHOD(listener_t, message, bool, + private_unsort_message_t *this, ike_sa_t *ike_sa, message_t *message, + bool incoming) +{ + if (!incoming && + message->get_request(message) == this->req && + message->get_message_id(message) == this->id) + { + enumerator_t *enumerator, *order; + linked_list_t *list; + payload_type_t type; + payload_t *payload; + char *name; + + list = linked_list_create(); + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + message->remove_payload_at(message, enumerator); + list->insert_last(list, payload); + } + enumerator->destroy(enumerator); + + order = enumerator_create_token(this->order, ", ", " "); + while (order->enumerate(order, &name)) + { + type = enum_from_name(payload_type_short_names, name); + if (type != -1) + { + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &payload)) + { + if 
(payload->get_type(payload) == type) + { + list->remove_at(list, enumerator); + message->add_payload(message, payload); + } + } + enumerator->destroy(enumerator); + } + else + { + DBG1(DBG_CFG, "unknown payload to sort: '%s', skipped", name); + } + } + order->destroy(order); + + while (list->remove_first(list, (void**)&payload) == SUCCESS) + { + message->add_payload(message, payload); + } + list->destroy(list); + + message->disable_sort(message); + } + return TRUE; +} + +METHOD(hook_t, destroy, void, + private_unsort_message_t *this) +{ + free(this); +} + +/** + * Create the IKE_AUTH fill hook + */ +hook_t *unsort_message_hook_create(char *name) +{ + private_unsort_message_t *this; + + INIT(this, + .hook = { + .listener = { + .message = _message, + }, + .destroy = _destroy, + }, + .req = conftest->test->get_bool(conftest->test, + "hooks.%s.request", TRUE, name), + .id = conftest->test->get_int(conftest->test, + "hooks.%s.id", 0, name), + .order = conftest->test->get_str(conftest->test, + "hooks.%s.order", "", name), + ); + + return &this->hook; +} diff --git a/src/dumm/Makefile.in b/src/dumm/Makefile.in index 7c22f5ec5..79961b916 100644 --- a/src/dumm/Makefile.in +++ b/src/dumm/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/include/Makefile.in b/src/include/Makefile.in index 498fb17f1..b9b758193 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in 
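Review bot: The order list resolves payload names only through `enum_from_name`, whereas the other hooks added in this commit (set_length, set_reserved) try `atoi` first so that numeric payload types without a short name can be addressed; accepting both here keeps the hooks consistent: `type = atoi(name); if (!type) { type = enum_from_name(payload_type_short_names, name); }`. The creator's doc comment, "Create the IKE_AUTH fill hook", is copied from another hook and should read "Create the unsort_message hook".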
@@ -172,9 +172,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -213,6 +211,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/include/linux/xfrm.h b/src/include/linux/xfrm.h index b971e3848..930fdd2de 100644 --- a/src/include/linux/xfrm.h +++ b/src/include/linux/xfrm.h @@ -283,6 +283,7 @@ enum xfrm_attr_type_t { XFRMA_KMADDRESS, /* struct xfrm_user_kmaddress */ XFRMA_ALG_AUTH_TRUNC, /* struct xfrm_algo_auth */ XFRMA_MARK, /* struct xfrm_mark */ + XFRMA_TFCPAD, /* __u32 */ __XFRMA_MAX #define XFRMA_MAX (__XFRMA_MAX - 1) diff --git a/src/ipsec/Makefile.in b/src/ipsec/Makefile.in index 276d9f36d..0b4870e94 100644 --- a/src/ipsec/Makefile.in +++ b/src/ipsec/Makefile.in @@ -200,9 +200,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -241,6 +239,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/ipsec/ipsec.8 b/src/ipsec/ipsec.8 index f995119aa..6f4117be7 100644 --- a/src/ipsec/ipsec.8 +++ b/src/ipsec/ipsec.8 @@ -1,4 +1,4 @@ -.TH IPSEC 8 "2010-05-30" "4.5.0rc1" "strongSwan" +.TH IPSEC 8 "2010-05-30" "4.5.1" "strongSwan" .SH NAME ipsec \- invoke IPsec utilities .SH SYNOPSIS 
diff --git a/src/ipsec/ipsec.in b/src/ipsec/ipsec.in index 0bddc201a..2ea0ef798 100755 --- a/src/ipsec/ipsec.in +++ b/src/ipsec/ipsec.in @@ -65,7 +65,7 @@ case "$1" in echo " rereadsecrets|rereadgroups" echo " rereadcacerts|rereadaacerts|rereadocspcerts" echo " rereadacerts|rereadcrls|rereadall" - echo " purgeocsp|purgeike" + echo " purgeocsp|purgecrls|purgecerts|purgeike" echo " scencrypt|scdecrypt [--inbase ] [--outbase ] [--keyid ]" echo " openac" echo " pluto" @@ -191,11 +191,11 @@ rereadall|purgeocsp) fi exit "$rc" ;; -purgeike) +purgeike|purgecrls|purgecerts) rc=7 if [ -e $IPSEC_CHARON_PID ] then - $IPSEC_STROKE purgeike + $IPSEC_STROKE "$1" rc="$?" fi exit "$rc" diff --git a/src/libcharon/Makefile.am b/src/libcharon/Makefile.am index 2b7646327..1e78c9d79 100644 --- a/src/libcharon/Makefile.am +++ b/src/libcharon/Makefile.am @@ -53,6 +53,7 @@ processing/jobs/rekey_ike_sa_job.c processing/jobs/rekey_ike_sa_job.h \ processing/jobs/retransmit_job.c processing/jobs/retransmit_job.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c processing/jobs/send_keepalive_job.h \ +processing/jobs/start_action_job.c processing/jobs/start_action_job.h \ processing/jobs/roam_job.c processing/jobs/roam_job.h \ processing/jobs/update_sa_job.c processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c processing/jobs/inactivity_job.h \ 
@@ -87,8 +88,12 @@ sa/tasks/ike_reauth.c sa/tasks/ike_reauth.h \ sa/tasks/ike_auth_lifetime.c sa/tasks/ike_auth_lifetime.h \ sa/tasks/ike_vendor.c sa/tasks/ike_vendor.h \ sa/tasks/task.c sa/tasks/task.h \ -tnccs/tnccs.c tnccs/tnccs.h \ -tnccs/tnccs_manager.h tnccs/tnccs_manager.c +tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ +tnc/imc/imc.h tnc/imc/imc_manager.h \ +tnc/imv/imv.h tnc/imv/imv_manager.h \ +tnc/imv/imv_recommendations.c tnc/imv/imv_recommendations.h \ +tnc/tnccs/tnccs.c tnc/tnccs/tnccs.h \ +tnc/tnccs/tnccs_manager.c tnc/tnccs/tnccs_manager.h daemon.lo : $(top_builddir)/config.status @@ -317,14 +322,14 @@ endif if USE_TNC_IMC SUBDIRS += plugins/tnc_imc if MONOLITHIC - libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc_imc.la + libcharon_la_LIBADD += plugins/tnc_imc/libstrongswan-tnc-imc.la endif endif if USE_TNC_IMV SUBDIRS += plugins/tnc_imv if MONOLITHIC - libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc_imv.la + libcharon_la_LIBADD += plugins/tnc_imv/libstrongswan-tnc-imv.la endif endif @@ -342,6 +347,13 @@ if MONOLITHIC endif endif +if USE_TNCCS_DYNAMIC + SUBDIRS += plugins/tnccs_dynamic +if MONOLITHIC + libcharon_la_LIBADD += plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la +endif +endif + if USE_MEDSRV SUBDIRS += plugins/medsrv if MONOLITHIC diff --git a/src/libcharon/Makefile.in b/src/libcharon/Makefile.in index 8a7a99ddd..6ec4c6ca5 100644 --- a/src/libcharon/Makefile.in +++ b/src/libcharon/Makefile.in 
@@ -96,35 +96,37 @@ host_triplet = @host@ @MONOLITHIC_TRUE@@USE_EAP_TNC_TRUE@am__append_51 = plugins/eap_tnc/libstrongswan-eap-tnc.la @MONOLITHIC_TRUE@@USE_TLS_TRUE@am__append_52 = $(top_builddir)/src/libtls/libtls.la @USE_TNC_IMC_TRUE@am__append_53 = plugins/tnc_imc -@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc_imc.la +@MONOLITHIC_TRUE@@USE_TNC_IMC_TRUE@am__append_54 = plugins/tnc_imc/libstrongswan-tnc-imc.la @USE_TNC_IMV_TRUE@am__append_55 = plugins/tnc_imv -@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc_imv.la +@MONOLITHIC_TRUE@@USE_TNC_IMV_TRUE@am__append_56 = plugins/tnc_imv/libstrongswan-tnc-imv.la @USE_TNCCS_11_TRUE@am__append_57 = plugins/tnccs_11 @MONOLITHIC_TRUE@@USE_TNCCS_11_TRUE@am__append_58 = plugins/tnccs_11/libstrongswan-tnccs-11.la @USE_TNCCS_20_TRUE@am__append_59 = plugins/tnccs_20 @MONOLITHIC_TRUE@@USE_TNCCS_20_TRUE@am__append_60 = plugins/tnccs_20/libstrongswan-tnccs-20.la -@USE_MEDSRV_TRUE@am__append_61 = plugins/medsrv -@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_62 = plugins/medsrv/libstrongswan-medsrv.la -@USE_MEDCLI_TRUE@am__append_63 = plugins/medcli -@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_64 = plugins/medcli/libstrongswan-medcli.la -@USE_NM_TRUE@am__append_65 = plugins/nm -@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_66 = plugins/nm/libstrongswan-nm.la -@USE_DHCP_TRUE@am__append_67 = plugins/dhcp -@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_68 = plugins/dhcp/libstrongswan-dhcp.la -@USE_ANDROID_TRUE@am__append_69 = plugins/android -@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_70 = plugins/android/libstrongswan-android.la -@USE_MAEMO_TRUE@am__append_71 = plugins/maemo -@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_72 = plugins/maemo/libstrongswan-maemo.la -@USE_HA_TRUE@am__append_73 = plugins/ha -@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_74 = plugins/ha/libstrongswan-ha.la -@USE_LED_TRUE@am__append_75 = plugins/led -@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_76 = 
plugins/led/libstrongswan-led.la -@USE_UCI_TRUE@am__append_77 = plugins/uci -@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_78 = plugins/uci/libstrongswan-uci.la -@USE_ADDRBLOCK_TRUE@am__append_79 = plugins/addrblock -@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_80 = plugins/uci/libstrongswan-addrblock.la -@USE_UNIT_TESTS_TRUE@am__append_81 = plugins/unit_tester -@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_82 = plugins/unit_tester/libstrongswan-unit-tester.la +@USE_TNCCS_DYNAMIC_TRUE@am__append_61 = plugins/tnccs_dynamic +@MONOLITHIC_TRUE@@USE_TNCCS_DYNAMIC_TRUE@am__append_62 = plugins/tnccs_dynamic/libstrongswan-tnccs-dynamic.la +@USE_MEDSRV_TRUE@am__append_63 = plugins/medsrv +@MONOLITHIC_TRUE@@USE_MEDSRV_TRUE@am__append_64 = plugins/medsrv/libstrongswan-medsrv.la +@USE_MEDCLI_TRUE@am__append_65 = plugins/medcli +@MONOLITHIC_TRUE@@USE_MEDCLI_TRUE@am__append_66 = plugins/medcli/libstrongswan-medcli.la +@USE_NM_TRUE@am__append_67 = plugins/nm +@MONOLITHIC_TRUE@@USE_NM_TRUE@am__append_68 = plugins/nm/libstrongswan-nm.la +@USE_DHCP_TRUE@am__append_69 = plugins/dhcp +@MONOLITHIC_TRUE@@USE_DHCP_TRUE@am__append_70 = plugins/dhcp/libstrongswan-dhcp.la +@USE_ANDROID_TRUE@am__append_71 = plugins/android +@MONOLITHIC_TRUE@@USE_ANDROID_TRUE@am__append_72 = plugins/android/libstrongswan-android.la +@USE_MAEMO_TRUE@am__append_73 = plugins/maemo +@MONOLITHIC_TRUE@@USE_MAEMO_TRUE@am__append_74 = plugins/maemo/libstrongswan-maemo.la +@USE_HA_TRUE@am__append_75 = plugins/ha +@MONOLITHIC_TRUE@@USE_HA_TRUE@am__append_76 = plugins/ha/libstrongswan-ha.la +@USE_LED_TRUE@am__append_77 = plugins/led +@MONOLITHIC_TRUE@@USE_LED_TRUE@am__append_78 = plugins/led/libstrongswan-led.la +@USE_UCI_TRUE@am__append_79 = plugins/uci +@MONOLITHIC_TRUE@@USE_UCI_TRUE@am__append_80 = plugins/uci/libstrongswan-uci.la +@USE_ADDRBLOCK_TRUE@am__append_81 = plugins/addrblock +@MONOLITHIC_TRUE@@USE_ADDRBLOCK_TRUE@am__append_82 = plugins/uci/libstrongswan-addrblock.la +@USE_UNIT_TESTS_TRUE@am__append_83 = 
plugins/unit_tester +@MONOLITHIC_TRUE@@USE_UNIT_TESTS_TRUE@am__append_84 = plugins/unit_tester/libstrongswan-unit-tester.la subdir = src/libcharon DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -181,7 +183,8 @@ libcharon_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_80) $(am__append_82) + $(am__append_78) $(am__append_80) $(am__append_82) \ + $(am__append_84) am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ bus/listeners/listener.h bus/listeners/file_logger.c \ bus/listeners/file_logger.h bus/listeners/sys_logger.c \ @@ -251,8 +254,9 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c \ processing/jobs/send_keepalive_job.h \ - processing/jobs/roam_job.c processing/jobs/roam_job.h \ - processing/jobs/update_sa_job.c \ + processing/jobs/start_action_job.c \ + processing/jobs/start_action_job.h processing/jobs/roam_job.c \ + processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ processing/jobs/inactivity_job.h \ 
@@ -288,8 +292,12 @@ am__libcharon_la_SOURCES_DIST = bus/bus.c bus/bus.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ - tnccs/tnccs_manager.c encoding/payloads/endpoint_notify.c \ + tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ + tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \ + tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \ + tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \ + tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \ + tnc/tnccs/tnccs_manager.h encoding/payloads/endpoint_notify.c \ encoding/payloads/endpoint_notify.h \ processing/jobs/initiate_mediation_job.c \ processing/jobs/initiate_mediation_job.h \ 
@@ -315,16 +323,17 @@ am_libcharon_la_OBJECTS = bus.lo file_logger.lo sys_logger.lo \ acquire_job.lo delete_child_sa_job.lo delete_ike_sa_job.lo \ migrate_job.lo process_message_job.lo rekey_child_sa_job.lo \ rekey_ike_sa_job.lo retransmit_job.lo send_dpd_job.lo \ - send_keepalive_job.lo roam_job.lo update_sa_job.lo \ - inactivity_job.lo authenticator.lo eap_authenticator.lo \ - eap_method.lo eap_manager.lo sim_manager.lo \ - psk_authenticator.lo pubkey_authenticator.lo child_sa.lo \ - ike_sa.lo ike_sa_id.lo ike_sa_manager.lo task_manager.lo \ - keymat.lo trap_manager.lo child_create.lo child_delete.lo \ - child_rekey.lo ike_auth.lo ike_cert_pre.lo ike_cert_post.lo \ - ike_config.lo ike_delete.lo ike_dpd.lo ike_init.lo ike_natd.lo \ - ike_mobike.lo ike_rekey.lo ike_reauth.lo ike_auth_lifetime.lo \ - ike_vendor.lo task.lo tnccs.lo tnccs_manager.lo \ + send_keepalive_job.lo start_action_job.lo roam_job.lo \ + update_sa_job.lo inactivity_job.lo authenticator.lo \ + eap_authenticator.lo eap_method.lo eap_manager.lo \ + sim_manager.lo psk_authenticator.lo pubkey_authenticator.lo \ + child_sa.lo ike_sa.lo ike_sa_id.lo ike_sa_manager.lo \ + task_manager.lo keymat.lo trap_manager.lo child_create.lo \ + child_delete.lo child_rekey.lo ike_auth.lo ike_cert_pre.lo \ + ike_cert_post.lo ike_config.lo ike_delete.lo ike_dpd.lo \ + ike_init.lo ike_natd.lo ike_mobike.lo ike_rekey.lo \ + ike_reauth.lo ike_auth_lifetime.lo ike_vendor.lo task.lo \ + tncifimv.lo imv_recommendations.lo tnccs.lo tnccs_manager.lo \ $(am__objects_1) libcharon_la_OBJECTS = $(am_libcharon_la_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ 
@@ -366,9 +375,9 @@ DIST_SUBDIRS = . plugins/load_tester plugins/socket_default \ plugins/eap_mschapv2 plugins/eap_radius plugins/eap_tls \ plugins/eap_ttls plugins/eap_tnc plugins/tnc_imc \ plugins/tnc_imv plugins/tnccs_11 plugins/tnccs_20 \ - plugins/medsrv plugins/medcli plugins/nm plugins/dhcp \ - plugins/android plugins/maemo plugins/ha plugins/led \ - plugins/uci plugins/addrblock plugins/unit_tester + plugins/tnccs_dynamic plugins/medsrv plugins/medcli plugins/nm \ + plugins/dhcp plugins/android plugins/maemo plugins/ha \ + plugins/led plugins/uci plugins/addrblock plugins/unit_tester DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -514,9 +523,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -555,6 +562,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -635,8 +644,9 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ processing/jobs/send_dpd_job.c processing/jobs/send_dpd_job.h \ processing/jobs/send_keepalive_job.c \ processing/jobs/send_keepalive_job.h \ - processing/jobs/roam_job.c processing/jobs/roam_job.h \ - processing/jobs/update_sa_job.c \ + processing/jobs/start_action_job.c \ + processing/jobs/start_action_job.h processing/jobs/roam_job.c \ + processing/jobs/roam_job.h processing/jobs/update_sa_job.c \ processing/jobs/update_sa_job.h \ processing/jobs/inactivity_job.c \ processing/jobs/inactivity_job.h \ 
@@ -672,8 +682,12 @@ libcharon_la_SOURCES = bus/bus.c bus/bus.h bus/listeners/listener.h \ sa/tasks/ike_reauth.h sa/tasks/ike_auth_lifetime.c \ sa/tasks/ike_auth_lifetime.h sa/tasks/ike_vendor.c \ sa/tasks/ike_vendor.h sa/tasks/task.c sa/tasks/task.h \ - tnccs/tnccs.c tnccs/tnccs.h tnccs/tnccs_manager.h \ - tnccs/tnccs_manager.c $(am__append_1) + tnc/tncif.h tnc/tncifimc.h tnc/tncifimv.h tnc/tncifimv.c \ + tnc/imc/imc.h tnc/imc/imc_manager.h tnc/imv/imv.h \ + tnc/imv/imv_manager.h tnc/imv/imv_recommendations.c \ + tnc/imv/imv_recommendations.h tnc/tnccs/tnccs.c \ + tnc/tnccs/tnccs.h tnc/tnccs/tnccs_manager.c \ + tnc/tnccs/tnccs_manager.h $(am__append_1) INCLUDES = \ -I${linux_headers} \ -I$(top_srcdir)/src/libstrongswan \ @@ -699,7 +713,8 @@ libcharon_la_LIBADD = -lm $(PTHREADLIB) $(DLLIB) $(SOCKLIB) \ $(am__append_60) $(am__append_62) $(am__append_64) \ $(am__append_66) $(am__append_68) $(am__append_70) \ $(am__append_72) $(am__append_74) $(am__append_76) \ - $(am__append_78) $(am__append_80) $(am__append_82) + $(am__append_78) $(am__append_80) $(am__append_82) \ + $(am__append_84) EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@SUBDIRS = . $(am__append_3) $(am__append_5) \ @MONOLITHIC_FALSE@ $(am__append_7) $(am__append_9) \ @@ -720,7 +735,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_FALSE@ $(am__append_69) $(am__append_71) \ @MONOLITHIC_FALSE@ $(am__append_73) $(am__append_75) \ @MONOLITHIC_FALSE@ $(am__append_77) $(am__append_79) \ -@MONOLITHIC_FALSE@ $(am__append_81) +@MONOLITHIC_FALSE@ $(am__append_81) $(am__append_83) # build optional plugins ######################## @@ -743,7 +758,7 @@ EXTRA_DIST = Android.mk @MONOLITHIC_TRUE@ $(am__append_69) $(am__append_71) \ @MONOLITHIC_TRUE@ $(am__append_73) $(am__append_75) \ @MONOLITHIC_TRUE@ $(am__append_77) $(am__append_79) \ -@MONOLITHIC_TRUE@ $(am__append_81) +@MONOLITHIC_TRUE@ $(am__append_81) $(am__append_83) all: all-recursive .SUFFIXES: 
@@ -867,6 +882,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_id.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_sa_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ike_vendor.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imv_recommendations.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/inactivity_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initiate_mediation_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ke_payload.Plo@am__quote@ @@ -898,11 +914,13 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sender.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sim_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/socket_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/start_action_job.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sys_logger.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/task_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_manager.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tncifimv.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector_substructure.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_attribute.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform_substructure.Plo@am__quote@ 
@@ -1283,6 +1301,13 @@ send_keepalive_job.lo: processing/jobs/send_keepalive_job.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o send_keepalive_job.lo `test -f 'processing/jobs/send_keepalive_job.c' || echo '$(srcdir)/'`processing/jobs/send_keepalive_job.c +start_action_job.lo: processing/jobs/start_action_job.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT start_action_job.lo -MD -MP -MF $(DEPDIR)/start_action_job.Tpo -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/start_action_job.Tpo $(DEPDIR)/start_action_job.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='processing/jobs/start_action_job.c' object='start_action_job.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o start_action_job.lo `test -f 'processing/jobs/start_action_job.c' || echo '$(srcdir)/'`processing/jobs/start_action_job.c + roam_job.lo: processing/jobs/roam_job.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT roam_job.lo -MD -MP -MF $(DEPDIR)/roam_job.Tpo -c -o roam_job.lo `test -f 'processing/jobs/roam_job.c' || echo '$(srcdir)/'`processing/jobs/roam_job.c @am__fastdepCC_TRUE@ $(am__mv) 
$(DEPDIR)/roam_job.Tpo $(DEPDIR)/roam_job.Plo 
@@ -1521,19 +1546,33 @@ task.lo: sa/tasks/task.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o task.lo `test -f 'sa/tasks/task.c' || echo '$(srcdir)/'`sa/tasks/task.c -tnccs.lo: tnccs/tnccs.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c +tncifimv.lo: tnc/tncifimv.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tncifimv.lo -MD -MP -MF $(DEPDIR)/tncifimv.Tpo -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tncifimv.Tpo $(DEPDIR)/tncifimv.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tncifimv.c' object='tncifimv.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tncifimv.lo `test -f 'tnc/tncifimv.c' || echo '$(srcdir)/'`tnc/tncifimv.c + +imv_recommendations.lo: tnc/imv/imv_recommendations.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imv_recommendations.lo -MD -MP -MF $(DEPDIR)/imv_recommendations.Tpo -c -o imv_recommendations.lo `test -f 
'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imv_recommendations.Tpo $(DEPDIR)/imv_recommendations.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/imv/imv_recommendations.c' object='imv_recommendations.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imv_recommendations.lo `test -f 'tnc/imv/imv_recommendations.c' || echo '$(srcdir)/'`tnc/imv/imv_recommendations.c + +tnccs.lo: tnc/tnccs/tnccs.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs.lo -MD -MP -MF $(DEPDIR)/tnccs.Tpo -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs.Tpo $(DEPDIR)/tnccs.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tnccs/tnccs.c' object='tnccs.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnccs/tnccs.c' || echo '$(srcdir)/'`tnccs/tnccs.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs.lo `test -f 'tnc/tnccs/tnccs.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs.c -tnccs_manager.lo: 
tnccs/tnccs_manager.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +tnccs_manager.lo: tnc/tnccs/tnccs_manager.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_manager.lo -MD -MP -MF $(DEPDIR)/tnccs_manager.Tpo -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_manager.Tpo $(DEPDIR)/tnccs_manager.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='tnc/tnccs/tnccs_manager.c' object='tnccs_manager.lo' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnccs/tnccs_manager.c +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_manager.lo `test -f 'tnc/tnccs/tnccs_manager.c' || echo '$(srcdir)/'`tnc/tnccs/tnccs_manager.c endpoint_notify.lo: encoding/payloads/endpoint_notify.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -MT endpoint_notify.lo -MD -MP -MF $(DEPDIR)/endpoint_notify.Tpo -c -o endpoint_notify.lo `test -f 'encoding/payloads/endpoint_notify.c' || echo '$(srcdir)/'`encoding/payloads/endpoint_notify.c
diff --git a/src/libcharon/bus/bus.c b/src/libcharon/bus/bus.c
index ab8d0fc48..23931c47d 100644
--- a/src/libcharon/bus/bus.c
+++ b/src/libcharon/bus/bus.c
@@ -227,13 +227,13 @@ static bool log_cb(entry_t *entry, log_data_t *data)
 {
 entry->blocker = FALSE;
 entry->condvar->signal(entry->condvar);
+ entry->calling--;
 }
 else
 {
 entry_destroy(entry);
 }
 va_end(args);
- entry->calling--;
 return TRUE;
 }
 va_end(args);
diff --git a/src/libcharon/config/backend_manager.c b/src/libcharon/config/backend_manager.c
index 90ef58563..e78cb702d 100644
--- a/src/libcharon/config/backend_manager.c
+++ b/src/libcharon/config/backend_manager.c
@@ -96,6 +96,11 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 {
 match += MATCH_ANY;
 }
+ else
+ {
+ me_cand->destroy(me_cand);
+ return MATCH_NONE;
+ }
 me_cand->destroy(me_cand);
 }
 else
@@ -119,6 +124,11 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 {
 match += MATCH_ANY;
 }
+ else
+ {
+ other_cand->destroy(other_cand);
+ return MATCH_NONE;
+ }
 other_cand->destroy(other_cand);
 }
 else
@@ -128,11 +138,8 @@ static ike_cfg_match_t get_ike_match(ike_cfg_t *cand, host_t *me, host_t *other)
 return match;
 }
-/**
- * implements backend_manager_t.get_ike_cfg.
- */
-static ike_cfg_t *get_ike_cfg(private_backend_manager_t *this,
- host_t *me, host_t *other)
+METHOD(backend_manager_t, get_ike_cfg, ike_cfg_t*,
+ private_backend_manager_t *this, host_t *me, host_t *other)
 {
 ike_cfg_t *current, *found = NULL;
 enumerator_t *enumerator;
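Review bot: The reason `entry->calling--` may now only run in the first branch is not stated anywhere, and a later reader could move it back next to `va_end(args)`; the `else` branch calls `entry_destroy(entry)`, after which `entry` must not be touched. A one-line comment on the added line would pin that invariant down: `/* decrement only while entry is still alive; the else branch frees it */`. log_cb begins and ends outside this hunk.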
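Review bot: `me_cand->destroy(me_cand)` is now written twice, once in the new `else` branch and once on the context line right after it, and the @@ -119 hunk repeats the same shape for `other_cand`. A style alternative is to store the tested condition in a local `bool`, call destroy exactly once, and then `if (!matched) { return MATCH_NONE; }`, so the cleanup cannot drift apart from the early return. The condition itself is outside the hunk, so this is a suggestion only; get_ike_match starts and ends outside the hunk.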
@@ -308,12 +315,9 @@ static void insert_sorted(match_entry_t *entry, linked_list_t *list, } } -/** - * Implements backend_manager_t.create_peer_cfg_enumerator. - */ -static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, - host_t *me, host_t *other, identification_t *my_id, - identification_t *other_id) +METHOD(backend_manager_t, create_peer_cfg_enumerator, enumerator_t*, + private_backend_manager_t *this, host_t *me, host_t *other, + identification_t *my_id, identification_t *other_id) { enumerator_t *enumerator; peer_data_t *data; @@ -372,10 +376,8 @@ static enumerator_t *create_peer_cfg_enumerator(private_backend_manager_t *this, (void*)peer_enum_filter_destroy); } -/** - * implements backend_manager_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *name) +METHOD(backend_manager_t, get_peer_cfg_by_name, peer_cfg_t*, + private_backend_manager_t *this, char *name) { backend_t *backend; peer_cfg_t *config = NULL; 
@@ -392,30 +394,24 @@ static peer_cfg_t *get_peer_cfg_by_name(private_backend_manager_t *this, char *n return config; } -/** - * Implementation of backend_manager_t.remove_backend. - */ -static void remove_backend(private_backend_manager_t *this, backend_t *backend) +METHOD(backend_manager_t, remove_backend, void, + private_backend_manager_t *this, backend_t *backend) { this->lock->write_lock(this->lock); this->backends->remove(this->backends, backend, NULL); this->lock->unlock(this->lock); } -/** - * Implementation of backend_manager_t.add_backend. - */ -static void add_backend(private_backend_manager_t *this, backend_t *backend) +METHOD(backend_manager_t, add_backend, void, + private_backend_manager_t *this, backend_t *backend) { this->lock->write_lock(this->lock); this->backends->insert_last(this->backends, backend); this->lock->unlock(this->lock); } -/** - * Implementation of backend_manager_t.destroy. - */ -static void destroy(private_backend_manager_t *this) +METHOD(backend_manager_t, destroy, void, + private_backend_manager_t *this) { this->backends->destroy(this->backends); this->lock->destroy(this->lock); 
@@ -424,20 +420,24 @@ static void destroy(private_backend_manager_t *this) /* * Described in header-file + */ backend_manager_t *backend_manager_create() { - private_backend_manager_t *this = malloc_thing(private_backend_manager_t); - - this->public.get_ike_cfg = (ike_cfg_t* (*)(backend_manager_t*, host_t*, host_t*))get_ike_cfg; - this->public.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_manager_t*,char*))get_peer_cfg_by_name; - this->public.create_peer_cfg_enumerator = (enumerator_t* (*)(backend_manager_t*,host_t*,host_t*,identification_t*,identification_t*))create_peer_cfg_enumerator; - this->public.add_backend = (void(*)(backend_manager_t*, backend_t *backend))add_backend; - this->public.remove_backend = (void(*)(backend_manager_t*, backend_t *backend))remove_backend; - this->public.destroy = (void (*)(backend_manager_t*))destroy; + private_backend_manager_t *this; - this->backends = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + INIT(this, + .public = { + .get_ike_cfg = _get_ike_cfg, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .add_backend = _add_backend, + .remove_backend = _remove_backend, + .destroy = _destroy, + }, + .backends = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); return &this->public; } diff --git a/src/libcharon/config/child_cfg.c b/src/libcharon/config/child_cfg.c index 1cdfd5949..74949be3c 100644 --- a/src/libcharon/config/child_cfg.c +++ b/src/libcharon/config/child_cfg.c @@ -79,6 +79,11 @@ struct private_child_cfg_t { */ ipsec_mode_t mode; + /** + * action to take to start CHILD_SA + */ + action_t start_action; + /** * action to take on DPD */ @@ -118,6 +123,12 @@ struct private_child_cfg_t { * Optional mark to install outbound CHILD_SA with */ mark_t mark_out; + + /** + * Traffic Flow Confidentiality padding, if enabled + */ + u_int32_t tfc; + /** * set up IPsec transport SA in MIPv6 proxy mode */ 
@@ -129,26 +140,20 @@ struct private_child_cfg_t { bool install_policy; }; -/** - * Implementation of child_cfg_t.get_name. - */ -static char *get_name(private_child_cfg_t *this) +METHOD(child_cfg_t, get_name, char*, + private_child_cfg_t *this) { return this->name; } -/** - * Implementation of child_cfg_t.add_proposal. - */ -static void add_proposal(private_child_cfg_t *this, proposal_t *proposal) +METHOD(child_cfg_t, add_proposal, void, + private_child_cfg_t *this, proposal_t *proposal) { this->proposals->insert_last(this->proposals, proposal); } -/** - * Implementation of child_cfg_t.get_proposals. - */ -static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) +METHOD(child_cfg_t, get_proposals, linked_list_t*, + private_child_cfg_t *this, bool strip_dh) { enumerator_t *enumerator; proposal_t *current; @@ -169,12 +174,9 @@ static linked_list_t* get_proposals(private_child_cfg_t *this, bool strip_dh) return proposals; } -/** - * Implementation of child_cfg_t.select_proposal. - */ -static proposal_t* select_proposal(private_child_cfg_t*this, - linked_list_t *proposals, bool strip_dh, - bool private) +METHOD(child_cfg_t, select_proposal, proposal_t*, + private_child_cfg_t*this, linked_list_t *proposals, bool strip_dh, + bool private) { enumerator_t *stored_enum, *supplied_enum; proposal_t *stored, *supplied, *selected = NULL; @@ -219,11 +221,8 @@ static proposal_t* select_proposal(private_child_cfg_t*this, return selected; } -/** - * Implementation of child_cfg_t.add_traffic_selector. - */ -static void add_traffic_selector(private_child_cfg_t *this, bool local, - traffic_selector_t *ts) +METHOD(child_cfg_t, add_traffic_selector, void, + private_child_cfg_t *this, bool local, traffic_selector_t *ts) { if (local) { 
@@ -235,12 +234,8 @@ static void add_traffic_selector(private_child_cfg_t *this, bool local, } } -/** - * Implementation of child_cfg_t.get_traffic_selectors. - */ -static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool local, - linked_list_t *supplied, - host_t *host) +METHOD(child_cfg_t, get_traffic_selectors, linked_list_t*, + private_child_cfg_t *this, bool local, linked_list_t *supplied, host_t *host) { enumerator_t *e1, *e2; traffic_selector_t *ts1, *ts2, *selected; @@ -346,18 +341,14 @@ static linked_list_t* get_traffic_selectors(private_child_cfg_t *this, bool loca return result; } -/** - * Implementation of child_cfg_t.get_updown. - */ -static char* get_updown(private_child_cfg_t *this) +METHOD(child_cfg_t, get_updown, char*, + private_child_cfg_t *this) { return this->updown; } -/** - * Implementation of child_cfg_t.get_hostaccess. - */ -static bool get_hostaccess(private_child_cfg_t *this) +METHOD(child_cfg_t, get_hostaccess, bool, + private_child_cfg_t *this) { return this->hostaccess; } @@ -378,10 +369,8 @@ static u_int64_t apply_jitter(u_int64_t rekey, u_int64_t jitter) } #define APPLY_JITTER(l) l.rekey = apply_jitter(l.rekey, l.jitter) -/** - * Implementation of child_cfg_t.get_lifetime. - */ -static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this) +METHOD(child_cfg_t, get_lifetime, lifetime_cfg_t*, + private_child_cfg_t *this) { lifetime_cfg_t *lft = malloc_thing(lifetime_cfg_t); memcpy(lft, &this->lifetime, sizeof(lifetime_cfg_t)); 
@@ -391,34 +380,32 @@ static lifetime_cfg_t *get_lifetime(private_child_cfg_t *this) return lft; } -/** - * Implementation of child_cfg_t.get_mode. - */ -static ipsec_mode_t get_mode(private_child_cfg_t *this) +METHOD(child_cfg_t, get_mode, ipsec_mode_t, + private_child_cfg_t *this) { return this->mode; } -/** - * Implementation of child_cfg_t.get_dpd_action. - */ -static action_t get_dpd_action(private_child_cfg_t *this) +METHOD(child_cfg_t, get_start_action, action_t, + private_child_cfg_t *this) +{ + return this->start_action; +} + +METHOD(child_cfg_t, get_dpd_action, action_t, + private_child_cfg_t *this) { return this->dpd_action; } -/** - * Implementation of child_cfg_t.get_close_action. - */ -static action_t get_close_action(private_child_cfg_t *this) +METHOD(child_cfg_t, get_close_action, action_t, + private_child_cfg_t *this) { return this->close_action; } -/** - * Implementation of child_cfg_t.get_dh_group. - */ -static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) +METHOD(child_cfg_t, get_dh_group, diffie_hellman_group_t, + private_child_cfg_t *this) { enumerator_t *enumerator; proposal_t *proposal; 
@@ -436,77 +423,64 @@ static diffie_hellman_group_t get_dh_group(private_child_cfg_t *this) return dh_group; } -/** - * Implementation of child_cfg_t.use_ipcomp. - */ -static bool use_ipcomp(private_child_cfg_t *this) +METHOD(child_cfg_t, use_ipcomp, bool, + private_child_cfg_t *this) { return this->use_ipcomp; } -/** - * Implementation of child_cfg_t.get_inactivity. - */ -static u_int32_t get_inactivity(private_child_cfg_t *this) +METHOD(child_cfg_t, get_inactivity, u_int32_t, + private_child_cfg_t *this) { return this->inactivity; } -/** - * Implementation of child_cfg_t.get_reqid. - */ -static u_int32_t get_reqid(private_child_cfg_t *this) +METHOD(child_cfg_t, get_reqid, u_int32_t, + private_child_cfg_t *this) { return this->reqid; } -/** - * Implementation of child_cfg_t.get_mark. - */ -static mark_t get_mark(private_child_cfg_t *this, bool inbound) +METHOD(child_cfg_t, get_mark, mark_t, + private_child_cfg_t *this, bool inbound) { return inbound ? this->mark_in : this->mark_out; } -/** - * Implementation of child_cfg_t.set_mipv6_options. - */ -static void set_mipv6_options(private_child_cfg_t *this, bool proxy_mode, - bool install_policy) +METHOD(child_cfg_t, get_tfc, u_int32_t, + private_child_cfg_t *this) +{ + return this->tfc; +} + +METHOD(child_cfg_t, set_mipv6_options, void, + private_child_cfg_t *this, bool proxy_mode, bool install_policy) { this->proxy_mode = proxy_mode; this->install_policy = install_policy; } -/** - * Implementation of child_cfg_t.use_proxy_mode. - */ -static bool use_proxy_mode(private_child_cfg_t *this) +METHOD(child_cfg_t, use_proxy_mode, bool, + private_child_cfg_t *this) { return this->proxy_mode; } -/** - * Implementation of child_cfg_t.install_policy. - */ -static bool install_policy(private_child_cfg_t *this) +METHOD(child_cfg_t, install_policy, bool, + private_child_cfg_t *this) { return this->install_policy; } -/** - * Implementation of child_cfg_t.get_ref. 
- */ -static child_cfg_t* get_ref(private_child_cfg_t *this) +METHOD(child_cfg_t, get_ref, child_cfg_t*, + private_child_cfg_t *this) { ref_get(&this->refcount); return &this->public; } -/** - * Implements child_cfg_t.destroy. - */ -static void destroy(private_child_cfg_t *this) +METHOD(child_cfg_t, destroy, void, + private_child_cfg_t *this) { if (ref_put(&this->refcount)) { 
@@ -527,71 +501,67 @@ static void destroy(private_child_cfg_t *this) */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, - ipsec_mode_t mode, action_t dpd_action, - action_t close_action, bool ipcomp, - u_int32_t inactivity, u_int32_t reqid, - mark_t *mark_in, mark_t *mark_out) + ipsec_mode_t mode, action_t start_action, + action_t dpd_action, action_t close_action, + bool ipcomp, u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out, u_int32_t tfc) { - private_child_cfg_t *this = malloc_thing(private_child_cfg_t); - - this->public.get_name = (char* (*) (child_cfg_t*))get_name; - this->public.add_traffic_selector = (void (*)(child_cfg_t*,bool,traffic_selector_t*))add_traffic_selector; - this->public.get_traffic_selectors = (linked_list_t*(*)(child_cfg_t*,bool,linked_list_t*,host_t*))get_traffic_selectors; - this->public.add_proposal = (void (*) (child_cfg_t*,proposal_t*))add_proposal; - this->public.get_proposals = (linked_list_t* (*) (child_cfg_t*,bool))get_proposals; - this->public.select_proposal = (proposal_t* (*) (child_cfg_t*,linked_list_t*,bool,bool))select_proposal; - this->public.get_updown = (char* (*) (child_cfg_t*))get_updown; - this->public.get_hostaccess = (bool (*) (child_cfg_t*))get_hostaccess; - this->public.get_mode = (ipsec_mode_t (*) (child_cfg_t *))get_mode; - this->public.get_dpd_action = (action_t (*) (child_cfg_t *))get_dpd_action; - this->public.get_close_action = (action_t (*) (child_cfg_t *))get_close_action; - this->public.get_lifetime = (lifetime_cfg_t* (*) (child_cfg_t *))get_lifetime; - this->public.get_dh_group = (diffie_hellman_group_t(*)(child_cfg_t*)) get_dh_group; - this->public.set_mipv6_options = (void (*) (child_cfg_t*,bool,bool))set_mipv6_options; - this->public.use_ipcomp = (bool (*) (child_cfg_t *))use_ipcomp; - this->public.get_inactivity = (u_int32_t (*) (child_cfg_t *))get_inactivity; - this->public.get_reqid = (u_int32_t (*) (child_cfg_t 
*))get_reqid; - this->public.get_mark = (mark_t (*) (child_cfg_t *,bool))get_mark; - this->public.use_proxy_mode = (bool (*) (child_cfg_t *))use_proxy_mode; - this->public.install_policy = (bool (*) (child_cfg_t *))install_policy; - this->public.get_ref = (child_cfg_t* (*) (child_cfg_t*))get_ref; - this->public.destroy = (void (*) (child_cfg_t*))destroy; - - this->name = strdup(name); - this->updown = updown ? strdup(updown) : NULL; - this->hostaccess = hostaccess; - this->mode = mode; - this->dpd_action = dpd_action; - this->close_action = close_action; - this->use_ipcomp = ipcomp; - this->inactivity = inactivity; - this->reqid = reqid; + private_child_cfg_t *this; + + INIT(this, + .public = { + .get_name = _get_name, + .add_traffic_selector = _add_traffic_selector, + .get_traffic_selectors = _get_traffic_selectors, + .add_proposal = _add_proposal, + .get_proposals = _get_proposals, + .select_proposal = _select_proposal, + .get_updown = _get_updown, + .get_hostaccess = _get_hostaccess, + .get_mode = _get_mode, + .get_start_action = _get_start_action, + .get_dpd_action = _get_dpd_action, + .get_close_action = _get_close_action, + .get_lifetime = _get_lifetime, + .get_dh_group = _get_dh_group, + .set_mipv6_options = _set_mipv6_options, + .use_ipcomp = _use_ipcomp, + .get_inactivity = _get_inactivity, + .get_reqid = _get_reqid, + .get_mark = _get_mark, + .get_tfc = _get_tfc, + .use_proxy_mode = _use_proxy_mode, + .install_policy = _install_policy, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .name = strdup(name), + .updown = strdupnull(updown), + .hostaccess = hostaccess, + .mode = mode, + .start_action = start_action, + .dpd_action = dpd_action, + .close_action = close_action, + .use_ipcomp = ipcomp, + .inactivity = inactivity, + .reqid = reqid, + .proxy_mode = FALSE, + .install_policy = TRUE, + .refcount = 1, + .proposals = linked_list_create(), + .my_ts = linked_list_create(), + .other_ts = linked_list_create(), + .tfc = tfc, + ); if (mark_in) { 
this->mark_in = *mark_in; } - else - { - this->mark_in.value = 0; - this->mark_in.mask = 0; - } if (mark_out) { this->mark_out = *mark_out; } - else - { - this->mark_out.value = 0; - this->mark_out.mask = 0; - } - - this->proxy_mode = FALSE; - this->install_policy = TRUE; - this->refcount = 1; - this->proposals = linked_list_create(); - this->my_ts = linked_list_create(); - this->other_ts = linked_list_create(); memcpy(&this->lifetime, lifetime, sizeof(lifetime_cfg_t)); return &this->public; diff --git a/src/libcharon/config/child_cfg.h b/src/libcharon/config/child_cfg.h index 1e6fe3fe9..175ced76c 100644 --- a/src/libcharon/config/child_cfg.h +++ b/src/libcharon/config/child_cfg.h @@ -32,14 +32,15 @@ typedef struct child_cfg_t child_cfg_t; #include /** - * Action to take when DPD detected/connection gets closed by peer. + * Action to take when connection is loaded, DPD is detected or + * connection gets closed by peer. */ enum action_t { /** No action */ ACTION_NONE, - /** Route config to reestablish on demand */ + /** Route config to establish or reestablish on demand */ ACTION_ROUTE, - /** Restart config immediately */ + /** Start or restart config immediately */ ACTION_RESTART, }; @@ -168,6 +169,13 @@ struct child_cfg_t { */ ipsec_mode_t (*get_mode) (child_cfg_t *this); + /** + * Action to take to start CHILD_SA. + * + * @return start action + */ + action_t (*get_start_action) (child_cfg_t *this); + /** * Action to take on DPD. * @@ -219,6 +227,13 @@ struct child_cfg_t { */ mark_t (*get_mark)(child_cfg_t *this, bool inbound); + /** + * Get the TFC padding value to use for CHILD_SA. + * + * @return TFC padding, 0 to disable, -1 for MTU + */ + u_int32_t (*get_tfc)(child_cfg_t *this); + /** * Sets two options needed for Mobile IPv6 interoperability * 
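Review bot: The rewritten child_cfg_create drops the explicit `mark_in`/`mark_out` zeroing and relies on INIT() zero-filling the struct, which is presumably why the two `else` branches were removed, but nothing in the function says so. A short comment ahead of `if (mark_in)` would protect that assumption from a later change of allocator: `/* INIT() zero-fills: marks stay {0, 0} unless supplied */`. The `.name = strdup(name)` initializer stays unchecked for NULL as it was before; this hunk does not change that.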
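Review bot: `get_tfc` returns `u_int32_t`, yet its doc says `-1 for MTU`, so the value actually stored and compared is `UINT32_MAX` and a caller testing `== -1` ends up in a signed/unsigned comparison; the `tfc` parameter of child_cfg_create in the @@ -276 hunk carries the same wording, and the `tfc` field added to the struct in child_cfg.c says only "if enabled". Either document the sentinel as stored, `@return TFC padding in bytes, 0 to disable, UINT32_MAX to pad to PMTU`, or make the type signed. Whether the kernel interface that consumes this value expects the unsigned form is not visible here.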
@@ -276,6 +291,7 @@ struct child_cfg_t { * @param updown updown script to execute on up/down event * @param hostaccess TRUE to allow access to the local host * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET + * @param start_action start action * @param dpd_action DPD action * @param close_action close action * @param ipcomp use IPComp, if peer supports it @@ -283,13 +299,14 @@ struct child_cfg_t { * @param reqid specific reqid to use for CHILD_SA, 0 for auto assign * @param mark_in optional inbound mark (can be NULL) * @param mark_out optional outbound mark (can be NULL) + * @param tfc TFC padding size, 0 to disable, -1 to pad to PMTU * @return child_cfg_t object */ child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime, char *updown, bool hostaccess, - ipsec_mode_t mode, action_t dpd_action, - action_t close_action, bool ipcomp, - u_int32_t inactivity, u_int32_t reqid, - mark_t *mark_in, mark_t *mark_out); + ipsec_mode_t mode, action_t start_action, + action_t dpd_action, action_t close_action, + bool ipcomp, u_int32_t inactivity, u_int32_t reqid, + mark_t *mark_in, mark_t *mark_out, u_int32_t tfc); #endif /** CHILD_CFG_H_ @}*/ diff --git a/src/libcharon/config/peer_cfg.c b/src/libcharon/config/peer_cfg.c index 9df14c9ae..6f0c87279 100644 --- a/src/libcharon/config/peer_cfg.c +++ b/src/libcharon/config/peer_cfg.c @@ -682,7 +682,7 @@ peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg, this->use_mobike = mobike; this->dpd = dpd; this->virtual_ip = virtual_ip; - this->pool = pool ? strdup(pool) : NULL; + this->pool = strdupnull(pool); this->local_auth = linked_list_create(); this->remote_auth = linked_list_create(); this->refcount = 1; diff --git a/src/libcharon/config/proposal.c b/src/libcharon/config/proposal.c index 5b8294599..86a59bc1b 100644 --- a/src/libcharon/config/proposal.c +++ b/src/libcharon/config/proposal.c 
@@ -560,6 +560,7 @@ static status_t add_string_algo(private_proposal_t *this, chunk_t alg) if (token == NULL) { + DBG1(DBG_CFG, "algorithm '%.*s' not recognized", alg.len, alg.ptr); return FAILED; } @@ -740,9 +741,10 @@ static void proposal_add_supported_ike(private_proposal_t *this) integrity_algorithm_t integrity; pseudo_random_function_t prf; diffie_hellman_group_t group; + const char *plugin_name; enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption)) + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { switch (encryption) { @@ -777,7 +779,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity)) + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { switch (integrity) { @@ -796,7 +798,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf)) + while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { switch (prf) { @@ -815,7 +817,7 @@ static void proposal_add_supported_ike(private_proposal_t *this) enumerator->destroy(enumerator); enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group)) + while (enumerator->enumerate(enumerator, &group, &plugin_name)) { switch (group) { diff --git a/src/libcharon/daemon.c b/src/libcharon/daemon.c index 4b8e1fadd..4f2831e42 100644 --- a/src/libcharon/daemon.c +++ b/src/libcharon/daemon.c 
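Review bot: The new `DBG1` in `add_string_algo` passes `alg.len` as the precision for `%.*s`; a `*` precision must be an `int`, so if `chunk_t.len` is a `size_t` (as it is elsewhere in the library, not visible in this diff) the variadic argument has the wrong type, which is undefined behaviour in C11 and can read garbage on LP64 targets. Change it to `DBG1(DBG_CFG, "algorithm '%.*s' not recognized", (int)alg.len, alg.ptr);`. In the `proposal_add_supported_ike` hunks below, `plugin_name` is filled by every enumerator but never read; if the three-argument `enumerate` is now mandatory, a short comment such as `/* plugin_name unused here, required by the enumerator signature */` saves the next reader a search.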
@@ -19,14 +19,14 @@ #include #include #include -#include #include -#include #ifdef CAPABILITIES -#ifdef HAVE_SYS_CAPABILITY_H -#include -#endif /* HAVE_SYS_CAPABILITY_H */ +# ifdef HAVE_SYS_CAPABILITY_H +# include +# elif defined(CAPABILITIES_NATIVE) +# include +# endif /* CAPABILITIES_NATIVE */ #endif /* CAPABILITIES */ #include "daemon.h" @@ -34,10 +34,7 @@ #include #include #include - -#ifndef LOG_AUTHPRIV /* not defined on OpenSolaris */ -#define LOG_AUTHPRIV LOG_AUTH -#endif +#include typedef struct private_daemon_t private_daemon_t; @@ -62,7 +59,7 @@ struct private_daemon_t { cap_t caps; #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE - struct __user_cap_data_struct caps; + struct __user_cap_data_struct caps[2]; #endif /* CAPABILITIES_NATIVE */ }; @@ -147,9 +144,16 @@ METHOD(daemon_t, keep_cap, void, cap_set_flag(this->caps, CAP_PERMITTED, 1, &cap, CAP_SET); #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE - this->caps.effective |= 1 << cap; - this->caps.permitted |= 1 << cap; - this->caps.inheritable |= 1 << cap; + int i = 0; + + if (cap >= 32) + { + i++; + cap -= 32; + } + this->caps[i].effective |= 1 << cap; + this->caps[i].permitted |= 1 << cap; + this->caps[i].inheritable |= 1 << cap; #endif /* CAPABILITIES_NATIVE */ } @@ -164,9 +168,15 @@ METHOD(daemon_t, drop_capabilities, bool, #endif /* CAPABILITIES_LIBCAP */ #ifdef CAPABILITIES_NATIVE struct __user_cap_header_struct header = { - .version = _LINUX_CAPABILITY_VERSION, +#if defined(_LINUX_CAPABILITY_VERSION_3) + .version = _LINUX_CAPABILITY_VERSION_3, +#elif defined(_LINUX_CAPABILITY_VERSION_2) + .version = _LINUX_CAPABILITY_VERSION_2, +#else + .version = _LINUX_CAPABILITY_VERSION_1, +#endif }; - if (capset(&header, &this->caps) != 0) + if (capset(&header, this->caps) != 0) { return FALSE; } 
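Review bot: In the `CAPABILITIES_NATIVE` branch of `keep_cap` the new index logic handles `cap` in [32, 63], but nothing bounds the value: 64 or more indexes past `caps[2]` and then shifts by 32 or more, both undefined behaviour, and `1 << 31` for `cap == 31` is a signed overflow. Reject out-of-range values before the index adjustment, `if (cap >= 64) { return; }`, and shift an unsigned constant, `this->caps[i].effective |= 1u << cap;` (likewise for `permitted` and `inheritable`). The `keep_cap` body starts outside this hunk, so an existing range check above it would not be visible here. In the `drop_capabilities` hunk the `header` initializer leaves `.pid` at zero, which on Linux means the calling thread; a one-line comment there would make that reliance explicit.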
@@ -202,155 +212,9 @@ static void print_plugins() DBG1(DBG_DMN, "loaded plugins: %s", buf); } -/** - * Initialize logging - */ -static void initialize_loggers(private_daemon_t *this, bool use_stderr, - level_t levels[]) -{ - sys_logger_t *sys_logger; - file_logger_t *file_logger; - enumerator_t *enumerator; - char *facility, *filename; - int loggers_defined = 0; - debug_t group; - level_t def; - bool append, ike_name; - FILE *file; - - /* setup sysloggers */ - enumerator = lib->settings->create_section_enumerator(lib->settings, - "charon.syslog"); - while (enumerator->enumerate(enumerator, &facility)) - { - loggers_defined++; - - ike_name = lib->settings->get_bool(lib->settings, - "charon.syslog.%s.ike_name", FALSE, facility); - if (streq(facility, "daemon")) - { - sys_logger = sys_logger_create(LOG_DAEMON, ike_name); - } - else if (streq(facility, "auth")) - { - sys_logger = sys_logger_create(LOG_AUTHPRIV, ike_name); - } - else - { - continue; - } - def = lib->settings->get_int(lib->settings, - "charon.syslog.%s.default", 1, facility); - for (group = 0; group < DBG_MAX; group++) - { - sys_logger->set_level(sys_logger, group, - lib->settings->get_int(lib->settings, - "charon.syslog.%s.%N", def, - facility, debug_lower_names, group)); - } - this->public.sys_loggers->insert_last(this->public.sys_loggers, - sys_logger); - this->public.bus->add_listener(this->public.bus, &sys_logger->listener); - } - enumerator->destroy(enumerator); - - /* and file loggers */ - enumerator = lib->settings->create_section_enumerator(lib->settings, - "charon.filelog"); - while (enumerator->enumerate(enumerator, &filename)) - { - loggers_defined++; - if (streq(filename, "stderr")) - { - file = stderr; - } - else if (streq(filename, "stdout")) - { - file = stdout; - } - else - { - append = lib->settings->get_bool(lib->settings, - "charon.filelog.%s.append", TRUE, filename); - file = fopen(filename, append ? 
"a" : "w"); - if (file == NULL) - { - DBG1(DBG_DMN, "opening file %s for logging failed: %s", - filename, strerror(errno)); - continue; - } - if (lib->settings->get_bool(lib->settings, - "charon.filelog.%s.flush_line", FALSE, filename)) - { - setlinebuf(file); - } - } - file_logger = file_logger_create(file, - lib->settings->get_str(lib->settings, - "charon.filelog.%s.time_format", NULL, filename), - lib->settings->get_bool(lib->settings, - "charon.filelog.%s.ike_name", FALSE, filename)); - def = lib->settings->get_int(lib->settings, - "charon.filelog.%s.default", 1, filename); - for (group = 0; group < DBG_MAX; group++) - { - file_logger->set_level(file_logger, group, - lib->settings->get_int(lib->settings, - "charon.filelog.%s.%N", def, - filename, debug_lower_names, group)); - } - this->public.file_loggers->insert_last(this->public.file_loggers, - file_logger); - this->public.bus->add_listener(this->public.bus, &file_logger->listener); - - } - enumerator->destroy(enumerator); - - /* set up legacy style default loggers provided via command-line */ - if (!loggers_defined) - { - /* set up default stdout file_logger */ - file_logger = file_logger_create(stdout, NULL, FALSE); - this->public.bus->add_listener(this->public.bus, &file_logger->listener); - this->public.file_loggers->insert_last(this->public.file_loggers, - file_logger); - /* set up default daemon sys_logger */ - sys_logger = sys_logger_create(LOG_DAEMON, FALSE); - this->public.bus->add_listener(this->public.bus, &sys_logger->listener); - this->public.sys_loggers->insert_last(this->public.sys_loggers, - sys_logger); - for (group = 0; group < DBG_MAX; group++) - { - sys_logger->set_level(sys_logger, group, levels[group]); - if (use_stderr) - { - file_logger->set_level(file_logger, group, levels[group]); - } - } - - /* set up default auth sys_logger */ - sys_logger = sys_logger_create(LOG_AUTHPRIV, FALSE); - this->public.bus->add_listener(this->public.bus, &sys_logger->listener); - 
this->public.sys_loggers->insert_last(this->public.sys_loggers, - sys_logger); - sys_logger->set_level(sys_logger, DBG_ANY, LEVEL_AUDIT); - } -} - METHOD(daemon_t, initialize, bool, - private_daemon_t *this, bool syslog, level_t levels[]) + private_daemon_t *this) { - /* for uncritical pseudo random numbers */ - srandom(time(NULL) + getpid()); - - /* setup bus and it's listeners first to enable log output */ - this->public.bus = bus_create(); - /* set up hook to log dbg message in library via charons message bus */ - dbg_old = dbg; - dbg = dbg_bus; - - initialize_loggers(this, !syslog, levels); - DBG1(DBG_DMN, "Starting IKEv2 charon daemon (strongSwan "VERSION")"); if (lib->integrity) @@ -362,16 +226,6 @@ METHOD(daemon_t, initialize, bool, DBG1(DBG_DMN, "daemon 'charon': passed file integrity test"); } - /* load secrets, ca certificates and crls */ - this->public.controller = controller_create(); - this->public.eap = eap_manager_create(); - this->public.sim = sim_manager_create(); - this->public.tnccs = tnccs_manager_create(); - this->public.backends = backend_manager_create(); - this->public.socket = socket_manager_create(); - this->public.traps = trap_manager_create(); - this->kernel_handler = kernel_handler_create(); - /* load plugins, further infrastructure may need it */ if (!lib->plugins->load(lib->plugins, NULL, lib->settings->get_str(lib->settings, "charon.load", PLUGINS))) @@ -393,6 +247,9 @@ METHOD(daemon_t, initialize, bool, return FALSE; } + /* Queue start_action job */ + lib->processor->queue_job(lib->processor, (job_t*)start_action_job_create()); + #ifdef ME this->public.connect_manager = connect_manager_create(); if (this->public.connect_manager == NULL) 
@@ -418,10 +275,20 @@ private_daemon_t *daemon_create() .drop_capabilities = _drop_capabilities, .initialize = _initialize, .start = _start, + .bus = bus_create(), .file_loggers = linked_list_create(), .sys_loggers = linked_list_create(), }, ); + charon = &this->public; + this->public.controller = controller_create(); + this->public.eap = eap_manager_create(); + this->public.sim = sim_manager_create(); + this->public.tnccs = tnccs_manager_create(); + this->public.backends = backend_manager_create(); + this->public.socket = socket_manager_create(); + this->public.traps = trap_manager_create(); + this->kernel_handler = kernel_handler_create(); #ifdef CAPABILITIES #ifdef CAPABILITIES_LIBCAP @@ -442,7 +309,6 @@ private_daemon_t *daemon_create() */ void libcharon_deinit() { - destroy((private_daemon_t*)charon); charon = NULL; } @@ -455,7 +321,13 @@ bool libcharon_init() private_daemon_t *this; this = daemon_create(); - charon = &this->public; + + /* for uncritical pseudo random numbers */ + srandom(time(NULL) + getpid()); + + /* set up hook to log dbg message in library via charons message bus */ + dbg_old = dbg; + dbg = dbg_bus; lib->printf_hook->add_handler(lib->printf_hook, 'P', proposal_printf_hook, diff --git a/src/libcharon/daemon.h b/src/libcharon/daemon.h index c0c834b43..04f1fc249 100644 --- a/src/libcharon/daemon.h +++ b/src/libcharon/daemon.h @@ -149,7 +149,9 @@ typedef struct daemon_t daemon_t; #include #include #include -#include +#include +#include +#include #ifdef ME #include @@ -236,6 +238,16 @@ struct daemon_t { */ sim_manager_t *sim; + /** + * TNC IMC manager controlling Integrity Measurement Collectors + */ + imc_manager_t *imcs; + + /** + * TNC IMV manager controlling Integrity Measurement Verifiers + */ + imv_manager_t *imvs; + /** * TNCCS manager to maintain registered TNCCS protocols */ 
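Review bot: `libcharon_deinit` now only clears the `charon` pointer; the `destroy((private_daemon_t*)charon)` call is removed and nothing in this diff frees the object that `daemon_create` builds for `libcharon_init`, together with the bus, managers and logger lists it now allocates in the `daemon_create` hunk above. If teardown moved to the `charon` binary or another owner, that is not visible here and should be stated in the doc comment of `libcharon_deinit`, e.g. `/* the daemon_t instance is destroyed by its owner; this only resets the global */`; otherwise the `destroy` call should stay. `daemon_create` now assigns `charon = &this->public` before the managers are created, so a manager constructor may legitimately reference `charon` during construction; since the old order (assignment in `libcharon_init`) did not allow that, a comment on the assignment would protect the ordering from a later "cleanup".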
@@ -286,7 +298,7 @@ struct daemon_t { /** * Initialize the daemon. */ - bool (*initialize)(daemon_t *this, bool syslog, level_t levels[]); + bool (*initialize)(daemon_t *this); /** * Starts the daemon, i.e. spawns the threads of the thread pool. @@ -305,6 +317,9 @@ extern daemon_t *charon; /** * Initialize libcharon and create the "charon" instance of daemon_t. * + * This function initializes the bus, listeners can be registered before + * calling initialize(). + * * @return FALSE if integrity check failed */ bool libcharon_init(); diff --git a/src/libcharon/encoding/generator.c b/src/libcharon/encoding/generator.c index 224f76fce..ce3844361 100644 --- a/src/libcharon/encoding/generator.c +++ b/src/libcharon/encoding/generator.c @@ -41,6 +41,7 @@ #include #include #include +#include /** * Generating is done in a data buffer. @@ -89,20 +90,10 @@ struct private_generator_t { */ void *data_struct; - /* - * Last payload length position offset in the buffer. - */ - u_int32_t last_payload_length_position_offset; - /** * Offset of the header length field in the buffer. */ - u_int32_t header_length_position_offset; - - /** - * Last SPI size. - */ - u_int8_t last_spi_size; + u_int32_t header_length_offset; /** * Attribute format of the last generated transform attribute. 
@@ -192,33 +183,6 @@ static void write_bytes_to_buffer(private_generator_t *this, void *bytes, } } -/** - * Writes a specific amount of byte into the buffer at a specific offset. - */ -static void write_bytes_to_buffer_at_offset(private_generator_t *this, - void *bytes, int number_of_bytes, u_int32_t offset) -{ - int i; - u_int8_t *read_position = (u_int8_t *)bytes; - u_int8_t *write_position; - u_int32_t free_space_after_offset = get_size(this) - offset; - - /* check first if enough space for new data is available */ - if (number_of_bytes > free_space_after_offset) - { - make_space_available(this, - (number_of_bytes - free_space_after_offset) * 8); - } - - write_position = this->buffer + offset; - for (i = 0; i < number_of_bytes; i++) - { - *write_position = *read_position; - read_position++; - write_position++; - } -} - /** * Generates a U_INT-Field type and writes it to buffer. */ @@ -234,10 +198,13 @@ static void generate_u_int_type(private_generator_t *this, number_of_bits = 4; break; case TS_TYPE: + case RESERVED_BYTE: + case SPI_SIZE: case U_INT_8: number_of_bits = 8; break; case U_INT_16: + case PAYLOAD_LENGTH: case CONFIGURATION_ATTRIBUTE_LENGTH: number_of_bits = 16; break; @@ -301,6 +268,8 @@ static void generate_u_int_type(private_generator_t *this, break; } case TS_TYPE: + case RESERVED_BYTE: + case SPI_SIZE: case U_INT_8: { /* 8 bit values are written as they are */ @@ -338,6 +307,7 @@ static void generate_u_int_type(private_generator_t *this, } case U_INT_16: + case PAYLOAD_LENGTH: case CONFIGURATION_ATTRIBUTE_LENGTH: { u_int16_t val = htons(*((u_int16_t*)(this->data_struct + offset))); 
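Review bot: With `generate_reserved_field` deleted (hunk `@@ -370,49 +340,6 @@` on the next line), `RESERVED_BYTE` is now emitted through the `U_INT_8` branch of `generate_u_int_type`, which writes whatever the payload struct holds at `rules[i].offset`, and `RESERVED_BIT` goes through `generate_flag` in `generate_payload` (`@@ -505,56 +430,25 @@`); the old code forced both to zero regardless of struct contents. Correct wire output therefore depends on every payload constructor zero-initialising its reserved fields, otherwise uninitialised memory is sent on the wire; that invariant presumably lives in the payload sources, which this diff does not show. Since message.c now deliberately round-trips reserved header bits, the intent seems to be to make them settable, so document it at the `case RESERVED_BYTE:` label in the 8-bit branch, e.g. `/* reserved fields are taken from the struct; payloads must keep them zeroed unless set deliberately */`.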
@@ -370,49 +340,6 @@ static void generate_u_int_type(private_generator_t *this, } } -/** - * Generate a reserved bit or byte - */ -static void generate_reserved_field(private_generator_t *this, int bits) -{ - /* only one bit or 8 bit fields are supported */ - if (bits != 1 && bits != 8) - { - DBG1(DBG_ENC, "reserved field of %d bits cannot be generated", bits); - return ; - } - make_space_available(this, bits); - - if (bits == 1) - { - u_int8_t reserved_bit = ~(1 << (7 - this->current_bit)); - - *(this->out_position) = *(this->out_position) & reserved_bit; - if (this->current_bit == 0) - { - /* memory must be zero */ - *(this->out_position) = 0x00; - } - this->current_bit++; - if (this->current_bit >= 8) - { - this->current_bit = this->current_bit % 8; - this->out_position++; - } - } - else - { - if (this->current_bit > 0) - { - DBG1(DBG_ENC, "reserved field cannot be written cause " - "alignement of current bit is %d", this->current_bit); - return; - } - *(this->out_position) = 0x00; - this->out_position++; - } -} - /** * Generate a FLAG filed */ @@ -468,7 +395,7 @@ METHOD(generator_t, get_chunk, chunk_t, { chunk_t data; - *lenpos = (u_int32_t*)(this->buffer + this->header_length_position_offset); + *lenpos = (u_int32_t*)(this->buffer + this->header_length_offset); data = chunk_create(this->buffer, get_length(this)); DBG3(DBG_ENC, "generated data of this generator %B", &data); return data; @@ -484,8 +411,6 @@ METHOD(generator_t, generate_payload, void, this->data_struct = payload; payload_type = payload->get_type(payload); - /* spi size has to get reseted */ - this->last_spi_size = 0; offset_start = this->out_position - this->buffer; 
@@ -505,56 +430,25 @@ METHOD(generator_t, generate_payload, void, case U_INT_8: case U_INT_16: case U_INT_32: + case PAYLOAD_LENGTH: case IKE_SPI: + case RESERVED_BYTE: + case SPI_SIZE: case TS_TYPE: case ATTRIBUTE_TYPE: case CONFIGURATION_ATTRIBUTE_LENGTH: - { generate_u_int_type(this, rules[i].type, rules[i].offset); break; - } case RESERVED_BIT: - { - generate_reserved_field(this, 1); - break; - } - case RESERVED_BYTE: - { - generate_reserved_field(this, 8); - break; - } case FLAG: - { generate_flag(this, rules[i].offset); break; - } - case PAYLOAD_LENGTH: - { - this->last_payload_length_position_offset = get_offset(this); - generate_u_int_type(this, U_INT_16,rules[i].offset); - break; - } case HEADER_LENGTH: - { - this->header_length_position_offset = get_offset(this); - generate_u_int_type(this ,U_INT_32, rules[i].offset); - break; - } - case SPI_SIZE: - generate_u_int_type(this, U_INT_8, rules[i].offset); - this->last_spi_size = *((u_int8_t *)(this->data_struct + - rules[i].offset)); + this->header_length_offset = get_offset(this); + generate_u_int_type(this, U_INT_32, rules[i].offset); break; case ADDRESS: - { - generate_from_chunk(this, rules[i].offset); - break; - } case SPI: - { - generate_from_chunk(this, rules[i].offset); - break; - } case KEY_EXCHANGE_DATA: case NOTIFICATION_DATA: case NONCE_DATA: 
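Review bot: `PAYLOAD_LENGTH` is now written straight from the struct by `generate_u_int_type`, and the back-patching through `last_payload_length_position_offset` is removed here and in `@@ -566,221 +460,52 @@` below, so a payload's length field has to be correct before `generate_payload` is entered; only `HEADER_LENGTH` is still fixed up afterwards via `lenpos` in `get_chunk`. That contract is invisible at this call site; a comment at the `case PAYLOAD_LENGTH:` label such as `/* payloads compute their own length before generation; nothing is patched afterwards */` would make it explicit. Whether every payload implementation updates its length field before generation cannot be checked from this diff.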
@@ -566,221 +460,52 @@ METHOD(generator_t, generate_payload, void, case CONFIGURATION_ATTRIBUTE_VALUE: case VID_DATA: case EAP_DATA: - { - u_int32_t payload_length_position_offset; - u_int16_t length_of_payload; - u_int16_t header_length = 0; - u_int16_t length_in_network_order; - - switch(rules[i].type) - { - case KEY_EXCHANGE_DATA: - header_length = KE_PAYLOAD_HEADER_LENGTH; - break; - case NOTIFICATION_DATA: - header_length = NOTIFY_PAYLOAD_HEADER_LENGTH + - this->last_spi_size; - break; - case NONCE_DATA: - header_length = NONCE_PAYLOAD_HEADER_LENGTH; - break; - case ID_DATA: - header_length = ID_PAYLOAD_HEADER_LENGTH; - break; - case AUTH_DATA: - header_length = AUTH_PAYLOAD_HEADER_LENGTH; - break; - case CERT_DATA: - header_length = CERT_PAYLOAD_HEADER_LENGTH; - break; - case CERTREQ_DATA: - header_length = CERTREQ_PAYLOAD_HEADER_LENGTH; - break; - case SPIS: - header_length = DELETE_PAYLOAD_HEADER_LENGTH; - break; - case VID_DATA: - header_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH; - break; - case CONFIGURATION_ATTRIBUTE_VALUE: - header_length = CONFIGURATION_ATTRIBUTE_HEADER_LENGTH; - break; - case EAP_DATA: - header_length = EAP_PAYLOAD_HEADER_LENGTH; - break; - default: - break; - } + case ENCRYPTED_DATA: + case UNKNOWN_DATA: generate_from_chunk(this, rules[i].offset); - - payload_length_position_offset = - this->last_payload_length_position_offset; - - length_of_payload = header_length + - ((chunk_t *)(this->data_struct + rules[i].offset))->len; - - length_in_network_order = htons(length_of_payload); - write_bytes_to_buffer_at_offset(this, &length_in_network_order, - sizeof(u_int16_t), payload_length_position_offset); break; - } case PROPOSALS: - { - u_int32_t payload_length_position_offset = - this->last_payload_length_position_offset; - /* Length of SA_PAYLOAD is calculated */ - u_int16_t length_of_sa_payload = SA_PAYLOAD_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *proposals = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - 
iterator_t *iterator; - payload_t *current_proposal; - - iterator = proposals->create_iterator(proposals,TRUE); - while (iterator->iterate(iterator, (void**)¤t_proposal)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_proposal); - after_generate_position_offset = get_offset(this); - length_of_sa_payload += (after_generate_position_offset - - before_generate_position_offset); - } - iterator->destroy(iterator); - - int16_val = htons(length_of_sa_payload); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),payload_length_position_offset); - break; - } case TRANSFORMS: - { - u_int32_t payload_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_proposal = - PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->last_spi_size; - u_int16_t int16_val; - linked_list_t *transforms = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_transform; - - iterator = transforms->create_iterator(transforms,TRUE); - while (iterator->iterate(iterator, (void**)¤t_transform)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_transform); - after_generate_position_offset = get_offset(this); - - length_of_proposal += (after_generate_position_offset - - before_generate_position_offset); - } - iterator->destroy(iterator); - - int16_val = htons(length_of_proposal); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t), payload_length_position_offset); - break; - } case TRANSFORM_ATTRIBUTES: - { - u_int32_t transform_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_transform = - TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t 
*transform_attributes =*((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_attribute; - - iterator = transform_attributes->create_iterator( - transform_attributes, TRUE); - while (iterator->iterate(iterator, (void**)¤t_attribute)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_attribute); - after_generate_position_offset = get_offset(this); - - length_of_transform += (after_generate_position_offset - - before_generate_position_offset); - } - - iterator->destroy(iterator); - - int16_val = htons(length_of_transform); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),transform_length_position_offset); - break; - } case CONFIGURATION_ATTRIBUTES: + case TRAFFIC_SELECTORS: { - u_int32_t configurations_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_configurations = CP_PAYLOAD_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *configuration_attributes = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_attribute; + linked_list_t *proposals; + enumerator_t *enumerator; + payload_t *proposal; - iterator = configuration_attributes->create_iterator( - configuration_attributes,TRUE); - while (iterator->iterate(iterator, (void**)¤t_attribute)) + proposals = *((linked_list_t **) + (this->data_struct + rules[i].offset)); + enumerator = proposals->create_enumerator(proposals); + while (enumerator->enumerate(enumerator, &proposal)) { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_attribute); - after_generate_position_offset = get_offset(this); - - length_of_configurations += after_generate_position_offset - - 
before_generate_position_offset; + generate_payload(this, proposal); } - - iterator->destroy(iterator); - - int16_val = htons(length_of_configurations); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),configurations_length_position_offset); + enumerator->destroy(enumerator); break; } case ATTRIBUTE_FORMAT: - { generate_flag(this, rules[i].offset); /* Attribute format is a flag which is stored in context*/ this->attribute_format = *((bool *)(this->data_struct + rules[i].offset)); break; - } - case ATTRIBUTE_LENGTH_OR_VALUE: - { - if (this->attribute_format == FALSE) + if (this->attribute_format) { generate_u_int_type(this, U_INT_16, rules[i].offset); - /* this field hold the length of the attribute */ - this->attribute_length = - *((u_int16_t *)(this->data_struct + rules[i].offset)); } else { generate_u_int_type(this, U_INT_16, rules[i].offset); + /* this field hold the length of the attribute */ + this->attribute_length = + *((u_int16_t *)(this->data_struct + rules[i].offset)); } break; - } case ATTRIBUTE_VALUE: { - if (this->attribute_format == FALSE) + if (!this->attribute_format) { DBG2(DBG_ENC, "attribute value has not fixed size"); /* the attribute value is generated */ 
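Review bot: In the `ATTRIBUTE_LENGTH_OR_VALUE` case both branches of the new `if (this->attribute_format)` call `generate_u_int_type(this, U_INT_16, rules[i].offset)` and differ only in the `else` storing `attribute_length`, so the conditional can be collapsed: `generate_u_int_type(this, U_INT_16, rules[i].offset); if (!this->attribute_format) { this->attribute_length = *((u_int16_t *)(this->data_struct + rules[i].offset)); }`. The merged list case above reuses the names `proposals`/`proposal` for `TRANSFORMS`, `TRANSFORM_ATTRIBUTES`, `CONFIGURATION_ATTRIBUTES` and `TRAFFIC_SELECTORS` as well; `payloads`/`payload` would describe all five labels. The enclosing `generate_payload` starts and ends outside this hunk.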
@@ -788,44 +513,6 @@ METHOD(generator_t, generate_payload, void, } break; } - case TRAFFIC_SELECTORS: - { - u_int32_t payload_length_position_offset = - this->last_payload_length_position_offset; - u_int16_t length_of_ts_payload = TS_PAYLOAD_HEADER_LENGTH; - u_int16_t int16_val; - linked_list_t *traffic_selectors = *((linked_list_t **) - (this->data_struct + rules[i].offset)); - iterator_t *iterator; - payload_t *current_tss; - - iterator = traffic_selectors->create_iterator( - traffic_selectors,TRUE); - while (iterator->iterate(iterator, (void **)¤t_tss)) - { - u_int32_t before_generate_position_offset; - u_int32_t after_generate_position_offset; - - before_generate_position_offset = get_offset(this); - generate_payload(this, current_tss); - after_generate_position_offset = get_offset(this); - - length_of_ts_payload += (after_generate_position_offset - - before_generate_position_offset); - } - iterator->destroy(iterator); - - int16_val = htons(length_of_ts_payload); - write_bytes_to_buffer_at_offset(this, &int16_val, - sizeof(u_int16_t),payload_length_position_offset); - break; - } - - case ENCRYPTED_DATA: - { - generate_from_chunk(this, rules[i].offset); - break; - } default: DBG1(DBG_ENC, "field type %N is not supported", encoding_type_names, rules[i].type); diff --git a/src/libcharon/encoding/message.c b/src/libcharon/encoding/message.c index d41ad4697..dbef340ab 100644 --- a/src/libcharon/encoding/message.c +++ b/src/libcharon/encoding/message.c @@ -131,6 +131,7 @@ static payload_rule_t ike_sa_init_r_rules[] = { {SECURITY_ASSOCIATION, 1, 1, FALSE, FALSE}, {KEY_EXCHANGE, 1, 1, FALSE, FALSE}, {NONCE, 1, 1, FALSE, FALSE}, + {CERTIFICATE_REQUEST, 1, 1, FALSE, FALSE}, {VENDOR_ID, 0, 10, FALSE, FALSE}, }; 
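Review bot: The `CERTIFICATE_REQUEST` entry added to `ike_sa_init_r_rules` has `1` in the second column, which in the sibling entries (`SECURITY_ASSOCIATION`, `KEY_EXCHANGE`, `NONCE` at `1`, `VENDOR_ID` at `0`) is the minimum occurrence; if so, an IKE_SA_INIT response without a CERTREQ payload now fails `verify()` unless a `sufficient` rule earlier in the table was already satisfied. CERTREQ is optional in that exchange, so the entry should presumably read `{CERTIFICATE_REQUEST, 0, 1, FALSE, FALSE},`. The field order of the rule struct is not visible in this diff, so please confirm against `payload_rule_t`.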
@@ -489,6 +490,21 @@ struct private_message_t { */ bool is_request; + /** + * Higher version supported? + */ + bool version_flag; + + /** + * Reserved bits in IKE header + */ + bool reserved[5]; + + /** + * Sorting of message disabled? + */ + bool sort_disabled; + /** * Message ID of this message. */ @@ -647,18 +663,35 @@ METHOD(message_t, get_request, bool, return this->is_request; } -/** - * Is this message in an encoded form? - */ -static bool is_encoded(private_message_t *this) +METHOD(message_t, set_version_flag, void, + private_message_t *this) { - chunk_t data = this->packet->get_data(this->packet); + this->version_flag = TRUE; +} - if (data.ptr == NULL) +METHOD(message_t, get_reserved_header_bit, bool, + private_message_t *this, u_int nr) +{ + if (nr < countof(this->reserved)) { - return FALSE; + return this->reserved[nr]; } - return TRUE; + return FALSE; +} + +METHOD(message_t, set_reserved_header_bit, void, + private_message_t *this, u_int nr) +{ + if (nr < countof(this->reserved)) + { + this->reserved[nr] = TRUE; + } +} + +METHOD(message_t, is_encoded, bool, + private_message_t *this) +{ + return this->packet->get_data(this->packet).ptr != NULL; } METHOD(message_t, add_payload, void, @@ -732,6 +765,12 @@ METHOD(message_t, create_payload_enumerator, enumerator_t*, return this->payloads->create_enumerator(this->payloads); } +METHOD(message_t, remove_payload_at, void, + private_message_t *this, enumerator_t *enumerator) +{ + this->payloads->remove_at(this->payloads, enumerator); +} + METHOD(message_t, get_payload, payload_t*, private_message_t *this, payload_type_t type) { @@ -1001,6 +1040,12 @@ static encryption_payload_t* wrap_payloads(private_message_t *this) return encryption; } +METHOD(message_t, disable_sort, void, + private_message_t *this) +{ + this->sort_disabled = TRUE; +} + METHOD(message_t, generate, status_t, private_message_t *this, aead_t *aead, packet_t **packet) { 
@@ -1012,12 +1057,8 @@ METHOD(message_t, generate, status_t, chunk_t chunk; char str[256]; u_int32_t *lenpos; - - if (is_encoded(this)) - { /* already generated, return a new packet clone */ - *packet = this->packet->clone(this->packet); - return SUCCESS; - } + bool *reserved; + int i; if (this->exchange_type == EXCHANGE_TYPE_UNDEFINED) { @@ -1039,7 +1080,10 @@ METHOD(message_t, generate, status_t, return NOT_SUPPORTED; } - order_payloads(this); + if (!this->sort_disabled) + { + order_payloads(this); + } DBG1(DBG_ENC, "generating %s", get_string(this, str, sizeof(str))); @@ -1053,9 +1097,12 @@ METHOD(message_t, generate, status_t, } ike_header = ike_header_create(); + ike_header->set_maj_version(ike_header, this->major_version); + ike_header->set_min_version(ike_header, this->minor_version); ike_header->set_exchange_type(ike_header, this->exchange_type); ike_header->set_message_id(ike_header, this->message_id); ike_header->set_response_flag(ike_header, !this->is_request); + ike_header->set_version_flag(ike_header, this->version_flag); ike_header->set_initiator_flag(ike_header, this->ike_sa_id->is_initiator(this->ike_sa_id)); ike_header->set_initiator_spi(ike_header, @@ -1063,6 +1110,16 @@ METHOD(message_t, generate, status_t, ike_header->set_responder_spi(ike_header, this->ike_sa_id->get_responder_spi(this->ike_sa_id)); + for (i = 0; i < countof(this->reserved); i++) + { + reserved = payload_get_field(&ike_header->payload_interface, + RESERVED_BIT, i); + if (reserved) + { + *reserved = this->reserved[i]; + } + } + generator = generator_create(); /* generate all payloads with proper next type */ @@ -1131,6 +1188,8 @@ METHOD(message_t, parse_header, status_t, { ike_header_t *ike_header; status_t status; + bool *reserved; + int i; DBG2(DBG_ENC, "parsing header of message"); 
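Review bot: Removing the `is_encoded` early return in `generate` (`@@ -1012,12 +1057,8 @@`) changes its contract: a message that already carries packet data is now re-ordered, re-encoded and, when an `aead` is given, re-encrypted on every call instead of returning a clone of the existing packet. `is_encoded` became a public method in the hunks on the previous line, which suggests callers are expected to check it themselves; that expectation belongs in the `generate` doc comment in message.h, e.g. `/* always re-encodes; check is_encoded() first to reuse an existing packet */`. Whether existing callers (retransmission paths in particular) relied on the old clone behaviour is not visible here.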
@@ -1165,7 +1224,15 @@ METHOD(message_t, parse_header, status_t, this->minor_version = ike_header->get_min_version(ike_header); this->first_payload = ike_header->payload_interface.get_next_type( &ike_header->payload_interface); - + for (i = 0; i < countof(this->reserved); i++) + { + reserved = payload_get_field(&ike_header->payload_interface, + RESERVED_BIT, i); + if (reserved) + { + this->reserved[i] = *reserved; + } + } DBG2(DBG_ENC, "parsed a %N %s", exchange_type_names, this->exchange_type, this->is_request ? "request" : "response"); @@ -1181,6 +1248,31 @@ METHOD(message_t, parse_header, status_t, return status; } +/** + * Check if a payload is for a mediation extension connectivity check + */ +static bool is_connectivity_check(private_message_t *this, payload_t *payload) +{ +#ifdef ME + if (this->exchange_type == INFORMATIONAL && + payload->get_type(payload) == NOTIFY) + { + notify_payload_t *notify = (notify_payload_t*)payload; + + switch (notify->get_notify_type(notify)) + { + case ME_CONNECTID: + case ME_ENDPOINT: + case ME_CONNECTAUTH: + return TRUE; + default: + break; + } + } +#endif /* !ME */ + return FALSE; +} + /** * Decrypt payload from the encryption payload */ @@ -1252,14 +1344,15 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) } encryption->destroy(encryption); } - if (type != UNKNOWN_PAYLOAD && !was_encrypted) + if (payload_is_known(type) && !was_encrypted && + !is_connectivity_check(this, payload)) { rule = get_payload_rule(this, type); if (!rule || rule->encrypted) { DBG1(DBG_ENC, "payload type %N was not encrypted", payload_type_names, type); - status = VERIFY_ERROR; + status = FAILED; break; } } @@ -1274,6 +1367,7 @@ static status_t decrypt_payloads(private_message_t *this, aead_t *aead) */ static status_t verify(private_message_t *this) { + bool complete = FALSE; int i; DBG2(DBG_ENC, "verifying message structure"); 
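Review bot: `is_connectivity_check` closes its conditional block with `#endif /* !ME */` although it is opened with `#ifdef ME`; the trailing comment should read `/* ME */`. More importantly, the function carves an exception out of the "payload type was not encrypted" check in `decrypt_payloads`: `ME_CONNECTID`, `ME_ENDPOINT` and `ME_CONNECTAUTH` notifies in INFORMATIONAL exchanges may now arrive in cleartext and are accepted, and the doc comment says what is checked but not why plaintext is acceptable for exactly these notifies. A sentence on the function, `/* these mediation notifies are sent unprotected by design: <REASON-PLACEHOLDER> */` filled in with the actual protocol reason, would keep the relaxed check from being widened later. The status change from `VERIFY_ERROR` to `FAILED` in the same hunk also changes what `parse_body` reports to its caller; the next line's hunks show the matching pattern, so this looks intentional but deserves a note in the commit description.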
@@ -1291,22 +1385,9 @@ static status_t verify(private_message_t *this) while (enumerator->enumerate(enumerator, &payload)) { payload_type_t type; - unknown_payload_t *unknown; type = payload->get_type(payload); - if (type == UNKNOWN_PAYLOAD) - { - /* unknown payloads are ignored if they are not critical */ - unknown = (unknown_payload_t*)payload; - if (unknown->is_critical(unknown)) - { - DBG1(DBG_ENC, "%N is not supported, but its critical!", - payload_type_names, type); - enumerator->destroy(enumerator); - return NOT_SUPPORTED; - } - } - else if (type == rule->type) + if (type == rule->type) { found++; DBG2(DBG_ENC, "found payload of type %N", @@ -1323,15 +1404,15 @@ static status_t verify(private_message_t *this) } enumerator->destroy(enumerator); - if (found < rule->min_occurence) + if (!complete && found < rule->min_occurence) { DBG1(DBG_ENC, "payload of type %N not occured %d times (%d)", payload_type_names, rule->type, rule->min_occurence, found); return VERIFY_ERROR; } - if (rule->sufficient) + if (found && rule->sufficient) { - return SUCCESS; + complete = TRUE; } } return SUCCESS; @@ -1360,7 +1441,7 @@ METHOD(message_t, parse_body, status_t, { DBG1(DBG_ENC, "payload type %N could not be parsed", payload_type_names, type); - return PARSE_ERROR; + return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED; } DBG2(DBG_ENC, "verifying payload of type %N", payload_type_names, type); @@ -1370,7 +1451,7 @@ METHOD(message_t, parse_body, status_t, DBG1(DBG_ENC, "%N payload verification failed", payload_type_names, type); payload->destroy(payload); - return VERIFY_ERROR; + return this->exchange_type == IKE_SA_INIT ? VERIFY_ERROR : FAILED; } DBG2(DBG_ENC, "%N payload verified. Adding to payload list", 
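Review bot: The removed branch was the only visible place that rejected a critical unknown payload with NOT_SUPPORTED, and the message.h hunk in this diff drops the matching `NOT_SUPPORTED if ciritcal unknown payloads found` line, but no hunk here shows where that check now lives. Given the new `payload_is_known(type)` call in decrypt_payloads(), I assume unknown payloads now keep their original type and the critical-flag handling moved to the parser or its caller; if so, a comment at the top of this loop such as `/* unknown payloads are handled by the parser; only known types are matched against rules here */` would point the reader there, and if not, the RFC 4306 requirement to reject unknown critical payloads is lost. verify() begins before this hunk.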
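Review bot: `return this->exchange_type == IKE_SA_INIT ? PARSE_ERROR : FAILED;` encodes a policy that nothing explains, and the same condition is repeated in the following hunk for VERIFY_ERROR. Presumably the intent is that a malformed outer payload in an exchange after IKE_SA_INIT is treated like a failed integrity check rather than a syntax error, since only IKE_SA_INIT is legitimately unprotected and anything else could be spoofed; a comment above the first return, e.g. `/* only IKE_SA_INIT may report syntax errors; later exchanges are protected, so a bad outer payload is a failure */`, would record that reasoning. parse_body() begins before these hunks.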
@@ -1388,14 +1469,11 @@ METHOD(message_t, parse_body, status_t, type = payload->get_next_type(payload); } - if (type == ENCRYPTED) + status = decrypt_payloads(this, aead); + if (status != SUCCESS) { - status = decrypt_payloads(this, aead); - if (status != SUCCESS) - { - DBG1(DBG_ENC, "could not decrypt payloads"); - return status; - } + DBG1(DBG_ENC, "could not decrypt payloads"); + return status; } status = verify(this); @@ -1443,14 +1521,20 @@ message_t *message_create_from_packet(packet_t *packet) .get_first_payload_type = _get_first_payload_type, .set_request = _set_request, .get_request = _get_request, + .set_version_flag = _set_version_flag, + .get_reserved_header_bit = _get_reserved_header_bit, + .set_reserved_header_bit = _set_reserved_header_bit, .add_payload = _add_payload, .add_notify = _add_notify, + .disable_sort = _disable_sort, .generate = _generate, + .is_encoded = _is_encoded, .set_source = _set_source, .get_source = _get_source, .set_destination = _set_destination, .get_destination = _get_destination, .create_payload_enumerator = _create_payload_enumerator, + .remove_payload_at = _remove_payload_at, .get_payload = _get_payload, .get_notify = _get_notify, .parse_header = _parse_header, @@ -1459,6 +1543,8 @@ message_t *message_create_from_packet(packet_t *packet) .get_packet_data = _get_packet_data, .destroy = _destroy, }, + .major_version = IKE_MAJOR_VERSION, + .minor_version = IKE_MINOR_VERSION, .exchange_type = EXCHANGE_TYPE_UNDEFINED, .is_request = TRUE, .first_payload = NO_PAYLOAD, diff --git a/src/libcharon/encoding/message.h b/src/libcharon/encoding/message.h index 8c1cbcd09..51197308c 100644 --- a/src/libcharon/encoding/message.h +++ b/src/libcharon/encoding/message.h 
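Review bot: decrypt_payloads() is now called unconditionally, so it has to cope with messages that carry no ENCRYPTED payload and, for IKE_SA_INIT, presumably with `aead == NULL`; the decrypt_payloads() hunk earlier in this diff shows only the encrypted-check loop, so I cannot confirm either case from here. A short comment above the call, such as `/* also verifies that every payload that must be encrypted actually was */`, would explain why the call is no longer guarded by `type == ENCRYPTED`.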
@@ -153,6 +153,26 @@ struct message_t { */ bool (*get_request) (message_t *this); + /** + * Set the version flag in the IKE header. + */ + void (*set_version_flag)(message_t *this); + + /** + * Get a reserved bit in the IKE header. + * + * @param nr reserved bit to get in IKE header, 0-4 + * @return TRUE if bit is set + */ + bool (*get_reserved_header_bit)(message_t *this, u_int nr); + + /** + * Set a reserved bit in the IKE header. + * + * @param nr reserved bit to set in IKE header, 0-4 + */ + void (*set_reserved_header_bit)(message_t *this, u_int nr); + /** * Append a payload to the message. * @@ -180,6 +200,11 @@ struct message_t { void (*add_notify) (message_t *this, bool flush, notify_type_t type, chunk_t data); + /** + * Disable automatic payload sorting for this message. + */ + void (*disable_sort)(message_t *this); + /** * Parses header of message. * @@ -206,8 +231,6 @@ struct message_t { * @param aead aead transform to verify/decrypt message * @return * - SUCCESS if parsing successful - * - NOT_SUPPORTED if ciritcal unknown payloads found - * - NOT_SUPPORTED if message type is not supported! * - PARSE_ERROR if message parsing failed * - VERIFY_ERROR if message verification failed (bad syntax) * - FAILED if integrity check failed @@ -234,6 +257,13 @@ struct message_t { */ status_t (*generate) (message_t *this, aead_t *aead, packet_t **packet); + /** + * Check if the message has already been encoded using generate(). + * + * @return TRUE if message has been encoded + */ + bool (*is_encoded)(message_t *this); + /** * Gets the source host informations. * @@ -281,6 +311,13 @@ struct message_t { */ enumerator_t * (*create_payload_enumerator) (message_t *this); + /** + * Remove the payload at the current enumerator position. + * + * @param enumerator enumerator created by create_payload_enumerator() + */ + void (*remove_payload_at)(message_t *this, enumerator_t *enumerator); + /** * Find a payload of a specific type. * 
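Review bot: `get_reserved_header_bit`/`set_reserved_header_bit` document `nr` as 0-4 but not what happens for a larger value, and their implementations are not part of this diff. Since message.c copies the bits with `countof(this->reserved)` loops, the accessors presumably index that same array; the `@param nr` lines should say whether an out-of-range index is ignored or is a caller error, so that callers do not rely on an unchecked array access.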
diff --git a/src/libcharon/encoding/parser.c b/src/libcharon/encoding/parser.c index 9aa34b1bc..32cefb9e7 100644 --- a/src/libcharon/encoding/parser.c +++ b/src/libcharon/encoding/parser.c @@ -387,12 +387,6 @@ static status_t parse_payload(private_parser_t *this, DBG3(DBG_ENC, "parsing payload from %b", this->byte_pos, this->input_roof - this->byte_pos); - if (pld->get_type(pld) == UNKNOWN_PAYLOAD) - { - DBG1(DBG_ENC, " payload type %d is unknown, handling as %N", - payload_type, payload_type_names, UNKNOWN_PAYLOAD); - } - /* base pointer for output, avoids casting in every rule */ output = pld; @@ -415,6 +409,7 @@ static status_t parse_payload(private_parser_t *this, break; } case U_INT_8: + case RESERVED_BYTE: { if (!parse_uint8(this, rule_number, output + rule->offset)) { @@ -433,6 +428,7 @@ static status_t parse_payload(private_parser_t *this, break; } case U_INT_32: + case HEADER_LENGTH: { if (!parse_uint32(this, rule_number, output + rule->offset)) { @@ -451,23 +447,6 @@ static status_t parse_payload(private_parser_t *this, break; } case RESERVED_BIT: - { - if (!parse_bit(this, rule_number, NULL)) - { - pld->destroy(pld); - return PARSE_ERROR; - } - break; - } - case RESERVED_BYTE: - { - if (!parse_uint8(this, rule_number, NULL)) - { - pld->destroy(pld); - return PARSE_ERROR; - } - break; - } case FLAG: { if (!parse_bit(this, rule_number, output + rule->offset)) @@ -493,15 +472,6 @@ static status_t parse_payload(private_parser_t *this, } break; } - case HEADER_LENGTH: - { - if (!parse_uint32(this, rule_number, output + rule->offset)) - { - pld->destroy(pld); - return PARSE_ERROR; - } - break; - } case SPI_SIZE: { if (!parse_uint8(this, rule_number, output + rule->offset)) diff --git a/src/libcharon/encoding/payloads/auth_payload.c b/src/libcharon/encoding/payloads/auth_payload.c index d31208abb..cb44a997c 100644 --- a/src/libcharon/encoding/payloads/auth_payload.c +++ b/src/libcharon/encoding/payloads/auth_payload.c 
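Review bot: With `case RESERVED_BYTE:` merged into the `U_INT_8` case, and `case RESERVED_BIT:` now falling into the `FLAG` case in the later hunk of this file, the parser writes every reserved field to `output + rule->offset`, whereas the removed code passed `NULL` and discarded the value. Any encoding-rule table that still uses the old `{ RESERVED_BIT, 0 }` / `{ RESERVED_BYTE, 0 }` form would now have the parsed value written at offset 0 of its private struct, i.e. over the public interface's function pointers; this diff converts the auth, cert and certreq tables, but every other payload table is outside my view and needs the same treatment. A comment at the `case RESERVED_BIT:` label, e.g. `/* reserved bits and bytes are stored; every rule must supply a valid offset */`, would document the new requirement.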
@@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -18,7 +19,6 @@ #include - typedef struct private_auth_payload_t private_auth_payload_t; /** @@ -42,6 +42,16 @@ struct private_auth_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[3]; + /** * Length of this payload. */ 
@@ -66,27 +76,27 @@ struct private_auth_payload_t { */ encoding_rule_t auth_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_auth_payload_t, next_payload) }, + { U_INT_8, offsetof(private_auth_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_auth_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_auth_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_auth_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length)}, + { PAYLOAD_LENGTH, offsetof(private_auth_payload_t, payload_length) }, /* 1 Byte AUTH type*/ - { U_INT_8, offsetof(private_auth_payload_t, auth_method) }, + { U_INT_8, offsetof(private_auth_payload_t, auth_method) }, /* 3 reserved bytes */ - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[0]) }, + { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[1]) }, + { RESERVED_BYTE, offsetof(private_auth_payload_t, reserved_byte[2]) }, /* some auth data bytes, length is defined in PAYLOAD_LENGTH */ - { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } + { AUTH_DATA, offsetof(private_auth_payload_t, auth_data) } }; /* 
@@ -103,125 +113,73 @@ encoding_rule_t auth_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_auth_payload_t *this) +METHOD(payload_t, verify, status_t, + private_auth_payload_t *this) { - if (this->auth_method == 0 || - (this->auth_method >= 4 && this->auth_method <= 8) || - (this->auth_method >= 12 && this->auth_method <= 200)) - { - /* reserved IDs */ - return FAILED; - } return SUCCESS; } -/** - * Implementation of auth_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_auth_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = auth_payload_encodings; - *rule_count = sizeof(auth_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(auth_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_auth_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_auth_payload_t *this) { return AUTHENTICATION; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_auth_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_auth_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_auth_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_auth_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. 
- */ -static size_t get_length(private_auth_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_auth_payload_t *this) { return this->payload_length; } -/** - * Implementation of auth_payload_t.set_auth_method. - */ -static void set_auth_method (private_auth_payload_t *this, auth_method_t method) +METHOD(auth_payload_t, set_auth_method, void, + private_auth_payload_t *this, auth_method_t method) { this->auth_method = method; } -/** - * Implementation of auth_payload_t.get_auth_method. - */ -static auth_method_t get_auth_method (private_auth_payload_t *this) +METHOD(auth_payload_t, get_auth_method, auth_method_t, + private_auth_payload_t *this) { - return (this->auth_method); + return this->auth_method; } -/** - * Implementation of auth_payload_t.set_data. - */ -static void set_data (private_auth_payload_t *this, chunk_t data) +METHOD(auth_payload_t, set_data, void, + private_auth_payload_t *this, chunk_t data) { - if (this->auth_data.ptr != NULL) - { - chunk_free(&(this->auth_data)); - } - this->auth_data.ptr = clalloc(data.ptr,data.len); - this->auth_data.len = data.len; + free(this->auth_data.ptr); + this->auth_data = chunk_clone(data); this->payload_length = AUTH_PAYLOAD_HEADER_LENGTH + this->auth_data.len; } -/** - * Implementation of auth_payload_t.get_data. - */ -static chunk_t get_data (private_auth_payload_t *this) +METHOD(auth_payload_t, get_data, chunk_t, + private_auth_payload_t *this) { - return (this->auth_data); + return this->auth_data; } -/** - * Implementation of auth_payload_t.get_data_clone. 
- */ -static chunk_t get_data_clone (private_auth_payload_t *this) +METHOD2(payload_t, auth_payload_t, destroy, void, + private_auth_payload_t *this) { - chunk_t cloned_data; - if (this->auth_data.ptr == NULL) - { - return (this->auth_data); - } - cloned_data.ptr = clalloc(this->auth_data.ptr,this->auth_data.len); - cloned_data.len = this->auth_data.len; - return cloned_data; -} - -/** - * Implementation of payload_t.destroy and auth_payload_t.destroy. - */ -static void destroy(private_auth_payload_t *this) -{ - if (this->auth_data.ptr != NULL) - { - chunk_free(&(this->auth_data)); - } - + free(this->auth_data.ptr); free(this); } 
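Review bot: verify() now returns SUCCESS unconditionally, dropping the rejection of reserved `auth_method` values (0, 4-8, 12-200) that the old code answered with FAILED, and nothing else in this diff shows an equivalent check, so unknown or reserved methods now reach whatever code selects an authenticator. If that code rejects them, a comment in the empty verify(), such as `/* auth_method is not validated here; unknown methods are rejected when the authenticator is selected */`, would explain the empty body, and if it does not, the check should stay. Separately, set_data() now does `free(this->auth_data.ptr)` before `chunk_clone(data)`, which is only safe while no caller passes a `data` that aliases the payload's own buffer.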
@@ -230,30 +188,27 @@ static void destroy(private_auth_payload_t *this) */ auth_payload_t *auth_payload_create() { - private_auth_payload_t *this = malloc_thing(private_auth_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (auth_payload_t *)) destroy; - this->public.set_auth_method = (void (*) (auth_payload_t *,auth_method_t)) set_auth_method; - this->public.get_auth_method = (auth_method_t (*) (auth_payload_t *)) get_auth_method; - this->public.set_data = (void (*) (auth_payload_t *,chunk_t)) set_data; - this->public.get_data_clone = (chunk_t (*) (auth_payload_t *)) get_data_clone; - this->public.get_data = (chunk_t (*) (auth_payload_t *)) get_data; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length =AUTH_PAYLOAD_HEADER_LENGTH; - this->auth_data = chunk_empty; - - return (&(this->public)); + private_auth_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_auth_method = _set_auth_method, + .get_auth_method = _get_auth_method, + .set_data = _set_data, + 
.get_data = _get_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = AUTH_PAYLOAD_HEADER_LENGTH, + ); + return &this->public; } diff --git a/src/libcharon/encoding/payloads/auth_payload.h b/src/libcharon/encoding/payloads/auth_payload.h index 37ee149db..e4c4e6ae3 100644 --- a/src/libcharon/encoding/payloads/auth_payload.h +++ b/src/libcharon/encoding/payloads/auth_payload.h @@ -62,29 +62,31 @@ struct auth_payload_t { /** * Set the AUTH data. * - * Data gets cloned. - * - * @param data AUTH data as chunk_t + * @param data AUTH data as chunk_t, gets cloned */ void (*set_data) (auth_payload_t *this, chunk_t data); /** * Get the AUTH data. * - * Returned data are a copy of the internal one. - * - * @return AUTH data as chunk_t + * @return AUTH data as chunk_t, internal data */ - chunk_t (*get_data_clone) (auth_payload_t *this); + chunk_t (*get_data) (auth_payload_t *this); /** - * Get the AUTH data. + * Get the value of a reserved bit. * - * Returned data are NOT copied + * @param nr number of the reserved bit, 0-6 + * @return TRUE if bit was set, FALSE to clear + */ + bool (*get_reserved_bit)(auth_payload_t *this, u_int nr); + + /** + * Set one of the reserved bits. * - * @return AUTH data as chunk_t + * @param nr number of the reserved bit, 0-6 */ - chunk_t (*get_data) (auth_payload_t *this); + void (*set_reserved_bit)(auth_payload_t *this, u_int nr); /** * Destroys an auth_payload_t object. diff --git a/src/libcharon/encoding/payloads/cert_payload.c b/src/libcharon/encoding/payloads/cert_payload.c index 80239f654..c42cec680 100644 --- a/src/libcharon/encoding/payloads/cert_payload.c +++ b/src/libcharon/encoding/payloads/cert_payload.c @@ -1,6 +1,7 @@ /* * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2007 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * 
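Review bot: The INIT() table sets neither `.get_reserved_bit` nor `.set_reserved_bit`, yet the auth_payload.h hunk in this diff adds both to `auth_payload_t`, and no METHOD() implementing them appears in any auth_payload.c hunk; unless they are defined in a part of the file this diff does not touch, the two pointers stay NULL and the first caller crashes. Either add `METHOD(auth_payload_t, get_reserved_bit, bool, ...)` and the setter over the new `reserved_bit[7]` array and wire them into the table, or drop the declarations from the header.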
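Review bot: The `@return` line of `get_reserved_bit` reads `TRUE if bit was set, FALSE to clear`, which is setter wording pasted into a getter; it should be `@return TRUE if bit is set`. Since `set_reserved_bit` takes only `nr`, the interface can set a bit but never clear it, which is worth stating in its description so callers do not expect a toggle.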
@@ -43,9 +44,9 @@ typedef struct private_cert_payload_t private_cert_payload_t; /** * Private data of an cert_payload_t object. - * */ struct private_cert_payload_t { + /** * Public cert_payload_t interface. */ @@ -61,6 +62,11 @@ struct private_cert_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -91,23 +97,23 @@ struct private_cert_payload_t { */ encoding_rule_t cert_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, + { U_INT_8, offsetof(private_cert_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_cert_payload_t, critical) }, + { FLAG, offsetof(private_cert_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_cert_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_cert_payload_t, payload_length)}, /* 1 Byte CERT type*/ { U_INT_8, offsetof(private_cert_payload_t, encoding) }, /* some cert data bytes, length is defined in PAYLOAD_LENGTH */ - { CERT_DATA, offsetof(private_cert_payload_t, data) } + { CERT_DATA, offsetof(private_cert_payload_t, data) } }; /* 
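Review bot: The context comment `/* 7 Bit reserved bits, nowhere stored */` is now wrong, since the seven rules below it store into `reserved[0]` through `reserved[6]`; the auth and certreq tables in this diff already changed their copy to `/* 7 Bit reserved bits */`, so the same wording should be used here.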
@@ -123,25 +129,23 @@ encoding_rule_t cert_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_cert_payload_t *this) +METHOD(payload_t, verify, status_t, + private_cert_payload_t *this) { if (this->encoding == ENC_X509_HASH_AND_URL || this->encoding == ENC_X509_HASH_AND_URL_BUNDLE) { + int i; + /* coarse verification of "Hash and URL" encoded certificates */ if (this->data.len <= 20) { DBG1(DBG_ENC, "invalid payload length for hash-and-url (%d), ignore", - this->data.len); + this->data.len); this->invalid_hash_and_url = TRUE; return SUCCESS; } - - int i = 20; /* skipping the hash */ - for (; i < this->data.len; ++i) + for (i = 20; i < this->data.len; ++i) { if (this->data.ptr[i] == '\0') { 
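Review bot: The loop variable `i` is an `int` compared against the chunk length `this->data.len`, and the re-indented DBG1 line prints that length with `%d`; both are pre-existing but touched here, and if the length is a size_t, `size_t i` together with `%zu` would remove the signed/unsigned mix. The literal 20 in `this->data.len <= 20`, in the loop start and in get_url()'s `+ 20` is the length of the leading SHA-1 hash; a named constant at the top of the file with a comment like `/* hash-and-url data starts with a 20 byte SHA-1 hash, RFC 4306 section 3.6 */` would tie the three uses together. verify() continues in the next hunk.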
@@ -151,94 +155,81 @@ static status_t verify(private_cert_payload_t *this) else if (!isprint(this->data.ptr[i])) { DBG1(DBG_ENC, "non printable characters in url of hash-and-url" - " encoded certificate payload, ignore"); + " encoded certificate payload, ignore"); this->invalid_hash_and_url = TRUE; return SUCCESS; } } - /* URL is not null terminated, correct that */ - chunk_t data = chunk_alloc(this->data.len + 1); - memcpy(data.ptr, this->data.ptr, this->data.len); - data.ptr[this->data.len] = '\0'; - chunk_free(&this->data); - this->data = data; + this->data = chunk_cat("mc", this->data, chunk_from_chars(0)); } return SUCCESS; } -/** - * Implementation of cert_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_cert_payload_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_cert_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = cert_payload_encodings; - *rule_count = sizeof(cert_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(cert_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_cert_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_cert_payload_t *this) { return CERTIFICATE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_cert_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_cert_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_cert_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_cert_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. 
- */ -static size_t get_length(private_cert_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_cert_payload_t *this) { return this->payload_length; } -/** - * Implementation of cert_payload_t.get_cert_encoding. - */ -static cert_encoding_t get_cert_encoding(private_cert_payload_t *this) +METHOD(cert_payload_t, get_cert_encoding, cert_encoding_t, + private_cert_payload_t *this) { return this->encoding; } -/** - * Implementation of cert_payload_t.get_cert. - */ -static certificate_t *get_cert(private_cert_payload_t *this) +METHOD(cert_payload_t, get_cert, certificate_t*, + private_cert_payload_t *this) { - if (this->encoding != ENC_X509_SIGNATURE) + int type; + + switch (this->encoding) { - return NULL; + case ENC_X509_SIGNATURE: + type = CERT_X509; + break; + case ENC_CRL: + type = CERT_X509_CRL; + break; + default: + return NULL; } - return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509, - BUILD_BLOB_ASN1_DER, this->data, - BUILD_END); + return lib->creds->create(lib->creds, CRED_CERTIFICATE, type, + BUILD_BLOB_ASN1_DER, this->data, BUILD_END); } -/** - * Implementation of cert_payload_t.get_hash. - */ -static chunk_t get_hash(private_cert_payload_t *this) +METHOD(cert_payload_t, get_hash, chunk_t, + private_cert_payload_t *this) { chunk_t hash = chunk_empty; + if ((this->encoding != ENC_X509_HASH_AND_URL && - this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || + this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || this->invalid_hash_and_url) { return hash; @@ -248,13 +239,11 @@ static chunk_t get_hash(private_cert_payload_t *this) return hash; } -/** - * Implementation of cert_payload_t.get_url. - */ -static char *get_url(private_cert_payload_t *this) +METHOD(cert_payload_t, get_url, char*, + private_cert_payload_t *this) { if ((this->encoding != ENC_X509_HASH_AND_URL && - this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || + this->encoding != ENC_X509_HASH_AND_URL_BUNDLE) || this->invalid_hash_and_url) { return NULL; 
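Review bot: In get_cert() `type` is declared `int` although every value assigned to it is a certificate_type_t (`CERT_X509`, `CERT_X509_CRL`); declaring it `certificate_type_t type;` keeps the switch type-checked and self-documenting. Accepting `ENC_CRL` here means a CRL supplied by the peer is now materialised from this payload; the caller that installs it is outside this diff, so I only note that such a CRL must still be signature-checked against a trusted issuer before it influences revocation decisions, and a comment at the `case ENC_CRL:` label saying `/* CRL is returned unverified; caller must check its signature */` would make that expectation visible.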
@@ -262,12 +251,10 @@ static char *get_url(private_cert_payload_t *this) return (char*)this->data.ptr + 20; } -/** - * Implementation of payload_t.destroy and cert_payload_t.destroy. - */ -static void destroy(private_cert_payload_t *this) +METHOD2(payload_t, cert_payload_t, destroy, void, + private_cert_payload_t *this) { - chunk_free(&this->data); + free(this->data.ptr); free(this); } 
@@ -276,29 +263,28 @@ static void destroy(private_cert_payload_t *this) */ cert_payload_t *cert_payload_create() { - private_cert_payload_t *this = malloc_thing(private_cert_payload_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t*))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**, size_t*))get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t*))destroy; - - this->public.destroy = (void (*) (cert_payload_t*))destroy; - this->public.get_cert = (certificate_t* (*) (cert_payload_t*))get_cert; - this->public.get_cert_encoding = (cert_encoding_t (*) (cert_payload_t*))get_cert_encoding; - this->public.get_hash = (chunk_t (*) (cert_payload_t*))get_hash; - this->public.get_url = (char* (*) (cert_payload_t*))get_url; - - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = CERT_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; - this->encoding = 0; - this->invalid_hash_and_url = FALSE; - + private_cert_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_cert = _get_cert, + .get_cert_encoding = _get_cert_encoding, + .get_hash = _get_hash, + .get_url = _get_url, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = CERT_PAYLOAD_HEADER_LENGTH, + ); return &this->public; } 
@@ -343,3 +329,15 @@ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url) return &this->public; } +/* + * Described in header + */ +cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data) +{ + private_cert_payload_t *this = (private_cert_payload_t*)cert_payload_create(); + + this->encoding = type; + this->data = data; + this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len; + return &this->public; +} diff --git a/src/libcharon/encoding/payloads/cert_payload.h b/src/libcharon/encoding/payloads/cert_payload.h index aa1c7bf5a..21b503a40 100644 --- a/src/libcharon/encoding/payloads/cert_payload.h +++ b/src/libcharon/encoding/payloads/cert_payload.h @@ -134,4 +134,13 @@ cert_payload_t *cert_payload_create_from_cert(certificate_t *cert); */ cert_payload_t *cert_payload_create_from_hash_and_url(chunk_t hash, char *url); +/** + * Creates a custom certificate payload using type and associated data. + * + * @param type encoding type of certificate + * @param data associated data (gets owned) + * @return cert_payload_t object + */ +cert_payload_t *cert_payload_create_custom(cert_encoding_t type, chunk_t data); + #endif /** CERT_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/certreq_payload.c b/src/libcharon/encoding/payloads/certreq_payload.c index 9ff0bdde0..8e0836f0e 100644 --- a/src/libcharon/encoding/payloads/certreq_payload.c +++ b/src/libcharon/encoding/payloads/certreq_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -22,14 +23,13 @@ #include "certreq_payload.h" - typedef struct private_certreq_payload_t private_certreq_payload_t; /** * Private data of an certreq_payload_t object. - * */ struct private_certreq_payload_t { + /** * Public certreq_payload_t interface. */ 
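Review bot: `this->payload_length = CERT_PAYLOAD_HEADER_LENGTH + this->data.len;` stores the sum without checking that it fits; if `payload_length` is still a 16-bit field like in the other payloads, a `data` chunk longer than roughly 64 KiB is silently truncated in the length field while `this->data` keeps the full buffer, and auth_payload's set_data() has the same pattern. The callers are not visible in this diff, so this may be unreachable in practice, but a comment on the new function such as `/* data must fit into the 16-bit payload length; the caller is responsible for that */` or an explicit check would make the assumption visible. The header's `@param data associated data (gets owned)` correctly matches the plain assignment of `data` here.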
@@ -45,6 +45,11 @@ struct private_certreq_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -66,21 +71,20 @@ struct private_certreq_payload_t { * * The defined offsets are the positions in a object of type * private_certreq_payload_t. - * */ encoding_rule_t certreq_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_certreq_payload_t, next_payload) }, + { U_INT_8, offsetof(private_certreq_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_certreq_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_certreq_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_certreq_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_certreq_payload_t, payload_length) }, /* 1 Byte CERTREQ type*/ @@ -102,10 +106,8 @@ encoding_rule_t certreq_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_certreq_payload_t *this) +METHOD(payload_t, verify, status_t, + private_certreq_payload_t *this) { if (this->encoding == ENC_X509_SIGNATURE) { 
@@ -120,51 +122,39 @@ static status_t verify(private_certreq_payload_t *this) return SUCCESS; } -/** - * Implementation of certreq_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_certreq_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = certreq_payload_encodings; - *rule_count = sizeof(certreq_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(certreq_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_certreq_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_certreq_payload_t *this) { return CERTIFICATE_REQUEST; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_certreq_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_certreq_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_certreq_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_certreq_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_certreq_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_certreq_payload_t *this) { return this->payload_length; } -/** - * Implementation of certreq_payload_t.add_keyid. - */ -static void add_keyid(private_certreq_payload_t *this, chunk_t keyid) +METHOD(certreq_payload_t, add_keyid, void, + private_certreq_payload_t *this, chunk_t keyid) { this->data = chunk_cat("mc", this->data, keyid); this->payload_length += keyid.len; 
@@ -181,10 +171,8 @@ struct keyid_enumerator_t { u_char *pos; }; -/** - * enumerate function for keyid_enumerator - */ -static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk) +METHOD(enumerator_t, keyid_enumerate, bool, + keyid_enumerator_t *this, chunk_t *chunk) { if (this->pos == NULL) { @@ -207,23 +195,23 @@ static bool keyid_enumerate(keyid_enumerator_t *this, chunk_t *chunk) return FALSE; } -/** - * Implementation of certreq_payload_t.create_keyid_enumerator. - */ -static enumerator_t* create_keyid_enumerator(private_certreq_payload_t *this) +METHOD(certreq_payload_t, create_keyid_enumerator, enumerator_t*, + private_certreq_payload_t *this) { - keyid_enumerator_t *enumerator = malloc_thing(keyid_enumerator_t); - enumerator->public.enumerate = (void*)keyid_enumerate; - enumerator->public.destroy = (void*)free; - enumerator->full = this->data; - enumerator->pos = NULL; + keyid_enumerator_t *enumerator; + + INIT(enumerator, + .public = { + .enumerate = (void*)_keyid_enumerate, + .destroy = (void*)free, + }, + .full = this->data, + ); return &enumerator->public; } -/** - * Implementation of certreq_payload_t.get_cert_type. - */ -static certificate_type_t get_cert_type(private_certreq_payload_t *this) +METHOD(certreq_payload_t, get_cert_type, certificate_type_t, + private_certreq_payload_t *this) { switch (this->encoding) { @@ -234,10 +222,8 @@ static certificate_type_t get_cert_type(private_certreq_payload_t *this) } } -/** - * Implementation of payload_t.destroy and certreq_payload_t.destroy. - */ -static void destroy(private_certreq_payload_t *this) +METHOD2(payload_t, certreq_payload_t, destroy, void, + private_certreq_payload_t *this) { chunk_free(&this->data); free(this); 
@@ -248,30 +234,27 @@ static void destroy(private_certreq_payload_t *this) */ certreq_payload_t *certreq_payload_create() { - private_certreq_payload_t *this = malloc_thing(private_certreq_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t*))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t*,encoding_rule_t**,size_t*))get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t*))get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t*))get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t*,payload_type_t))set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t*))get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t*))destroy; - - /* public functions */ - this->public.destroy = (void (*) (certreq_payload_t*)) destroy; - this->public.create_keyid_enumerator = (enumerator_t*(*)(certreq_payload_t*))create_keyid_enumerator; - this->public.get_cert_type = (certificate_type_t(*)(certreq_payload_t*))get_cert_type; - this->public.add_keyid = (void(*)(certreq_payload_t*, chunk_t keyid))add_keyid; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; - this->encoding = 0; - + private_certreq_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .create_keyid_enumerator = _create_keyid_enumerator, + .get_cert_type = _get_cert_type, + .add_keyid = _add_keyid, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = CERTREQ_PAYLOAD_HEADER_LENGTH, + ); return 
&this->public; } diff --git a/src/libcharon/encoding/payloads/configuration_attribute.c b/src/libcharon/encoding/payloads/configuration_attribute.c index 9094fd44d..e608497bd 100644 --- a/src/libcharon/encoding/payloads/configuration_attribute.c +++ b/src/libcharon/encoding/payloads/configuration_attribute.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -22,19 +23,23 @@ #include #include - typedef struct private_configuration_attribute_t private_configuration_attribute_t; /** * Private data of an configuration_attribute_t object. - * */ struct private_configuration_attribute_t { + /** * Public configuration_attribute_t interface. */ configuration_attribute_t public; + /** + * Reserved bit + */ + bool reserved; + /** * Type of the attribute. */ @@ -58,8 +63,8 @@ struct private_configuration_attribute_t { * private_configuration_attribute_t. */ encoding_rule_t configuration_attribute_encodings[] = { - - { RESERVED_BIT, 0 }, + /* 1 reserved bit */ + { RESERVED_BIT, offsetof(private_configuration_attribute_t, reserved)}, /* type of the attribute as 15 bit unsigned integer */ { ATTRIBUTE_TYPE, offsetof(private_configuration_attribute_t, type) }, /* Length of attribute value */ @@ -80,10 +85,8 @@ encoding_rule_t configuration_attribute_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_configuration_attribute_t *this) +METHOD(payload_t, verify, status_t, + private_configuration_attribute_t *this) { bool failed = FALSE; 
@@ -151,69 +154,51 @@ static status_t verify(private_configuration_attribute_t *this) return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_configuration_attribute_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_configuration_attribute_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = configuration_attribute_encodings; - *rule_count = sizeof(configuration_attribute_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(configuration_attribute_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_configuration_attribute_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_configuration_attribute_t *this) { return CONFIGURATION_ATTRIBUTE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_configuration_attribute_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_configuration_attribute_t *this) { return NO_PAYLOAD; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_configuration_attribute_t *this, - payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_configuration_attribute_t *this, payload_type_t type) { } -/** - * Implementation of configuration_attribute_t.get_length. - */ -static size_t get_length(private_configuration_attribute_t *this) +METHOD(payload_t, get_length, size_t, + private_configuration_attribute_t *this) { return this->value.len + CONFIGURATION_ATTRIBUTE_HEADER_LENGTH; } -/** - * Implementation of configuration_attribute_t.get_type. 
- */ -static configuration_attribute_type_t get_configuration_attribute_type( - private_configuration_attribute_t *this) +METHOD(configuration_attribute_t, get_cattr_type, configuration_attribute_type_t, + private_configuration_attribute_t *this) { return this->type; } -/** - * Implementation of configuration_attribute_t.get_value. - */ -static chunk_t get_value(private_configuration_attribute_t *this) +METHOD(configuration_attribute_t, get_value, chunk_t, + private_configuration_attribute_t *this) { return this->value; } -/** - * Implementation of configuration_attribute_t.destroy and payload_t.destroy. - */ -static void destroy(private_configuration_attribute_t *this) +METHOD2(payload_t, configuration_attribute_t, destroy, void, + private_configuration_attribute_t *this) { free(this->value.ptr); free(this); 
@@ -226,23 +211,22 @@ configuration_attribute_t *configuration_attribute_create() { private_configuration_attribute_t *this; - this = malloc_thing(private_configuration_attribute_t); - this->public.payload_interface.verify = (status_t(*)(payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void(*)(payload_t *, encoding_rule_t **, size_t *) )get_encoding_rules; - this->public.payload_interface.get_length = (size_t(*)(payload_t *))get_length; - this->public.payload_interface.get_next_type = (payload_type_t(*)(payload_t *))get_next_type; - this->public.payload_interface.set_next_type = (void(*)(payload_t *,payload_type_t))set_next_type; - this->public.payload_interface.get_type = (payload_type_t(*)(payload_t *))get_type; - this->public.payload_interface.destroy = (void(*)(payload_t*))destroy; - - this->public.get_value = (chunk_t(*)(configuration_attribute_t *))get_value; - this->public.get_type = (configuration_attribute_type_t(*)(configuration_attribute_t *))get_configuration_attribute_type; - this->public.destroy = (void (*)(configuration_attribute_t*))destroy; - - this->type = 0; - this->value = chunk_empty; - this->length = 0; - + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_value = _get_value, + .get_type = _get_cattr_type, + .destroy = _destroy, + }, + ); return &this->public; } diff --git a/src/libcharon/encoding/payloads/cp_payload.c b/src/libcharon/encoding/payloads/cp_payload.c index f0a26eee2..82e9e51b7 100644 --- a/src/libcharon/encoding/payloads/cp_payload.c +++ b/src/libcharon/encoding/payloads/cp_payload.c 
@@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -32,9 +33,9 @@ typedef struct private_cp_payload_t private_cp_payload_t; /** * Private data of an cp_payload_t object. - * */ struct private_cp_payload_t { + /** * Public cp_payload_t interface. */ @@ -50,6 +51,16 @@ struct private_cp_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[3]; + /** * Length of this payload. */ 
@@ -71,30 +82,30 @@ struct private_cp_payload_t { * * The defined offsets are the positions in a object of type * private_cp_payload_t. - * */ encoding_rule_t cp_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_cp_payload_t, next_payload) }, + { U_INT_8, offsetof(private_cp_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_cp_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_cp_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_cp_payload_t, reserved_bit[6]) }, /* Length of the whole CP payload*/ - { PAYLOAD_LENGTH, offsetof(private_cp_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_cp_payload_t, payload_length) }, /* Proposals are stored in a proposal substructure, offset points to a linked_list_t pointer */ - { U_INT_8, offsetof(private_cp_payload_t, type) }, - { RESERVED_BYTE,0 }, - { RESERVED_BYTE,0 }, - { RESERVED_BYTE,0 }, - { CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) } + { U_INT_8, offsetof(private_cp_payload_t, type) }, + /* 3 reserved bytes */ + { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[1])}, + { RESERVED_BYTE, offsetof(private_cp_payload_t, reserved_byte[2])}, + { 
CONFIGURATION_ATTRIBUTES, offsetof(private_cp_payload_t, attributes) } }; /* @@ -111,10 +122,8 @@ encoding_rule_t cp_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_cp_payload_t *this) +METHOD(payload_t, verify, status_t, + private_cp_payload_t *this) { status_t status = SUCCESS; enumerator_t *enumerator; @@ -133,36 +142,27 @@ static status_t verify(private_cp_payload_t *this) return status; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_cp_payload_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_cp_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = cp_payload_encodings; - *rule_count = sizeof(cp_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(cp_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_cp_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_cp_payload_t *this) { return CONFIGURATION; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_cp_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_cp_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_cp_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_cp_payload_t *this,payload_type_t type) { this->next_payload = type; } 
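Review bot: The context comment `/* Proposals are stored in a proposal substructure, offset points to a linked_list_t pointer */` sits directly above the rewritten `{ U_INT_8, offsetof(private_cp_payload_t, type) }` rule, but a CP payload carries no proposals and that rule encodes the one-byte CFG type; the remark is a leftover from the SA payload table. Since this hunk reindents every rule and adds `/* 3 reserved bytes */`, it is the place to replace it with `/* 1 Byte CFG type */` and move the linked_list_t remark down to the CONFIGURATION_ATTRIBUTES rule it describes. In the methods hunk that follows, `private_cp_payload_t *this,payload_type_t type` in set_next_type lacks the space after the comma that every other METHOD signature in this commit has.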
@@ -185,44 +185,33 @@ static void compute_length(private_cp_payload_t *this) enumerator->destroy(enumerator); } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_cp_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_cp_payload_t *this) { return this->payload_length; } -/** - * Implementation of cp_payload_t.create_attribute_enumerator. - */ -static enumerator_t *create_attribute_enumerator(private_cp_payload_t *this) +METHOD(cp_payload_t, create_attribute_enumerator, enumerator_t*, + private_cp_payload_t *this) { return this->attributes->create_enumerator(this->attributes); } -/** - * Implementation of cp_payload_t.add_attribute. - */ -static void add_attribute(private_cp_payload_t *this, - configuration_attribute_t *attribute) +METHOD(cp_payload_t, add_attribute, void, + private_cp_payload_t *this, configuration_attribute_t *attribute) { this->attributes->insert_last(this->attributes, attribute); compute_length(this); } -/** - * Implementation of cp_payload_t.get_type. - */ -static config_type_t get_config_type(private_cp_payload_t *this) +METHOD(cp_payload_t, get_config_type, config_type_t, + private_cp_payload_t *this) { return this->type; } -/** - * Implementation of payload_t.destroy and cp_payload_t.destroy. - */ -static void destroy(private_cp_payload_t *this) +METHOD2(payload_t, cp_payload_t, destroy, void, + private_cp_payload_t *this) { this->attributes->destroy_offset(this->attributes, offsetof(configuration_attribute_t, destroy)); 
@@ -232,42 +221,38 @@ static void destroy(private_cp_payload_t *this) /* * Described in header. */ -cp_payload_t *cp_payload_create() +cp_payload_t *cp_payload_create_type(config_type_t type) { - private_cp_payload_t *this = malloc_thing(private_cp_payload_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - this->public.create_attribute_enumerator = (enumerator_t*(*)(cp_payload_t *))create_attribute_enumerator; - this->public.add_attribute = (void (*) (cp_payload_t *,configuration_attribute_t*))add_attribute; - this->public.get_type = (config_type_t (*) (cp_payload_t *))get_config_type; - this->public.destroy = (void (*)(cp_payload_t *))destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = CP_PAYLOAD_HEADER_LENGTH; - this->attributes = linked_list_create(); - this->type = CFG_REQUEST; - + private_cp_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .create_attribute_enumerator = _create_attribute_enumerator, + .add_attribute = _add_attribute, + .get_type = _get_config_type, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + 
.payload_length = CP_PAYLOAD_HEADER_LENGTH, + .attributes = linked_list_create(), + .type = type, + ); return &this->public; } /* * Described in header. */ -cp_payload_t *cp_payload_create_type(config_type_t type) +cp_payload_t *cp_payload_create() { - private_cp_payload_t *this = (private_cp_payload_t*)cp_payload_create(); - - this->type = type; - - return &this->public; + return cp_payload_create_type(CFG_REQUEST); } - diff --git a/src/libcharon/encoding/payloads/delete_payload.c b/src/libcharon/encoding/payloads/delete_payload.c index 5fc3b7c88..e6ee07d39 100644 --- a/src/libcharon/encoding/payloads/delete_payload.c +++ b/src/libcharon/encoding/payloads/delete_payload.c @@ -42,6 +42,11 @@ struct private_delete_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -79,14 +84,14 @@ encoding_rule_t delete_payload_encodings[] = { { U_INT_8, offsetof(private_delete_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_delete_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_delete_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_delete_payload_t, payload_length) }, { U_INT_8, offsetof(private_delete_payload_t, protocol_id) }, 
diff --git a/src/libcharon/encoding/payloads/eap_payload.c b/src/libcharon/encoding/payloads/eap_payload.c index 21f34a642..eafb668b6 100644 --- a/src/libcharon/encoding/payloads/eap_payload.c +++ b/src/libcharon/encoding/payloads/eap_payload.c @@ -42,6 +42,11 @@ struct private_eap_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -66,13 +71,13 @@ static encoding_rule_t eap_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_eap_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_eap_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_eap_payload_t, payload_length) }, /* chunt to data, starting at "code" */ diff --git a/src/libcharon/encoding/payloads/id_payload.c b/src/libcharon/encoding/payloads/id_payload.c index 4158c3e07..3befadfe2 100644 --- a/src/libcharon/encoding/payloads/id_payload.c +++ b/src/libcharon/encoding/payloads/id_payload.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2007 Tobias Brunner - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * * Hochschule fuer Technik Rapperswil 
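Review bot: The context comment `/* 7 Bit reserved bits, nowhere stored */` above the rewritten RESERVED_BIT rules is now wrong, because the rules store into `reserved[0..6]`; the sibling tables in certreq_payload.c, cp_payload.c, delete_payload.c and id_payload.c were updated to `/* 7 Bit reserved bits */` in this commit and this one should be too. The hunk's context lines also show the table is declared `static` here while the other payloads export theirs; if that is intentional a word on why would help the next reader.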
@@ -50,6 +51,16 @@ struct private_id_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[3]; + /** * Length of this payload. */ @@ -71,31 +82,30 @@ struct private_id_payload_t { * * The defined offsets are the positions in a object of type * private_id_payload_t. - * */ encoding_rule_t id_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_id_payload_t, next_payload) }, /* the critical bit */ { FLAG, offsetof(private_id_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_id_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_id_payload_t, payload_length) }, /* 1 Byte ID type*/ { U_INT_8, offsetof(private_id_payload_t, id_type) }, /* 3 reserved bytes */ - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[1])}, + { RESERVED_BYTE, offsetof(private_id_payload_t, reserved_byte[2])}, /* some id data bytes, length is defined in PAYLOAD_LENGTH */ - { ID_DATA, offsetof(private_id_payload_t, id_data) } + { ID_DATA, offsetof(private_id_payload_t, id_data) } }; /* 
@@ -112,136 +122,59 @@ encoding_rule_t id_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_id_payload_t *this) +METHOD(payload_t, verify, status_t, + private_id_payload_t *this) { - if ((this->id_type == 0) || - (this->id_type == 4) || - ((this->id_type >= 6) && (this->id_type <= 8)) || - ((this->id_type >= 12) && (this->id_type <= 200))) + if (this->id_type == 0 || this->id_type == 4) { /* reserved IDs */ DBG1(DBG_ENC, "received ID with reserved type %d", this->id_type); return FAILED; } - return SUCCESS; } -/** - * Implementation of id_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_id_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = id_payload_encodings; - *rule_count = sizeof(id_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(id_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_id_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_id_payload_t *this) { return this->payload_type; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_id_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_id_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_id_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_id_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. 
- */ -static size_t get_length(private_id_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_id_payload_t *this) { return this->payload_length; } -/** - * Implementation of id_payload_t.set_type. - */ -static void set_id_type (private_id_payload_t *this, id_type_t type) -{ - this->id_type = type; -} - -/** - * Implementation of id_payload_t.get_id_type. - */ -static id_type_t get_id_type (private_id_payload_t *this) +METHOD(id_payload_t, get_identification, identification_t*, + private_id_payload_t *this) { - return (this->id_type); + return identification_create_from_encoding(this->id_type, this->id_data); } -/** - * Implementation of id_payload_t.set_data. - */ -static void set_data (private_id_payload_t *this, chunk_t data) +METHOD2(payload_t, id_payload_t, destroy, void, + private_id_payload_t *this) { - if (this->id_data.ptr != NULL) - { - chunk_free(&(this->id_data)); - } - this->id_data.ptr = clalloc(data.ptr,data.len); - this->id_data.len = data.len; - this->payload_length = ID_PAYLOAD_HEADER_LENGTH + this->id_data.len; -} - - -/** - * Implementation of id_payload_t.get_data_clone. - */ -static chunk_t get_data (private_id_payload_t *this) -{ - return (this->id_data); -} - -/** - * Implementation of id_payload_t.get_data_clone. - */ -static chunk_t get_data_clone (private_id_payload_t *this) -{ - chunk_t cloned_data; - if (this->id_data.ptr == NULL) - { - return (this->id_data); - } - cloned_data.ptr = clalloc(this->id_data.ptr,this->id_data.len); - cloned_data.len = this->id_data.len; - return cloned_data; -} - -/** - * Implementation of id_payload_t.get_identification. - */ -static identification_t *get_identification (private_id_payload_t *this) -{ - return identification_create_from_encoding(this->id_type,this->id_data); -} - -/** - * Implementation of payload_t.destroy and id_payload_t.destroy. 
- */ -static void destroy(private_id_payload_t *this) -{ - if (this->id_data.ptr != NULL) - { - chunk_free(&(this->id_data)); - } + free(this->id_data.ptr); free(this); } 
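Review bot: verify() now rejects only ID types 0 and 4, whereas the removed condition also rejected 6–8 and 12–200, which RFC 4306 §3.5 lists as reserved or reserved-to-IANA, so the surviving `/* reserved IDs */` comment no longer describes the check. If the relaxation is meant to let later IANA-registered types through, state it, e.g. `/* only 0 and 4 are permanently reserved; other unknown types are passed to identification_create_from_encoding() as opaque data */`, and confirm that identification_create_from_encoding() tolerates a type value it does not know, since after this change it is the only line between an unchecked type byte from the wire and the identity object. The rewritten destroy() also drops the `id_data.ptr != NULL` guard and calls `free(this->id_data.ptr)` directly, which is correct because free(NULL) is a no-op, but a short comment would save the next reviewer the same check.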
@@ -250,44 +183,41 @@ static void destroy(private_id_payload_t *this) */ id_payload_t *id_payload_create(payload_type_t payload_type) { - private_id_payload_t *this = malloc_thing(private_id_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (id_payload_t *)) destroy; - this->public.set_id_type = (void (*) (id_payload_t *,id_type_t)) set_id_type; - this->public.get_id_type = (id_type_t (*) (id_payload_t *)) get_id_type; - this->public.set_data = (void (*) (id_payload_t *,chunk_t)) set_data; - this->public.get_data = (chunk_t (*) (id_payload_t *)) get_data; - this->public.get_data_clone = (chunk_t (*) (id_payload_t *)) get_data_clone; - - this->public.get_identification = (identification_t * (*) (id_payload_t *this)) get_identification; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length =ID_PAYLOAD_HEADER_LENGTH; - this->id_data = chunk_empty; - this->payload_type = payload_type; - - return (&(this->public)); + private_id_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = 
_destroy, + }, + .get_identification = _get_identification, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = ID_PAYLOAD_HEADER_LENGTH, + .payload_type = payload_type, + ); + return &this->public; } /* * Described in header. */ -id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, identification_t *identification) +id_payload_t *id_payload_create_from_identification(payload_type_t payload_type, + identification_t *id) { - id_payload_t *this= id_payload_create(payload_type); - this->set_data(this,identification->get_encoding(identification)); - this->set_id_type(this,identification->get_type(identification)); - return this; + private_id_payload_t *this; + + this = (private_id_payload_t*)id_payload_create(payload_type); + this->id_data = chunk_clone(id->get_encoding(id)); + this->id_type = id->get_type(id); + this->payload_length += this->id_data.len; + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/id_payload.h b/src/libcharon/encoding/payloads/id_payload.h index 5502dc961..99831f85f 100644 --- a/src/libcharon/encoding/payloads/id_payload.h +++ b/src/libcharon/encoding/payloads/id_payload.h 
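Review bot: `this->payload_length += this->id_data.len;` in id_payload_create_from_identification adds the identity encoding length without a bound; if payload_length is the 16-bit wire length field (its type is not in this hunk), an encoding longer than 65535 − ID_PAYLOAD_HEADER_LENGTH bytes wraps silently and the generated length no longer matches the data. Identities normally come from local configuration or certificates, so the exposure is small, but either a check that the sum fits or a comment stating the assumption belongs here, e.g. `/* id encodings are local data and far below the 16-bit payload length */`. add_keyid() in certreq_payload.c has the same unchecked `payload_length += keyid.len` in an earlier hunk of this commit.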
@@ -40,57 +40,15 @@ typedef struct id_payload_t id_payload_t; * The ID payload format is described in RFC section 3.5. */ struct id_payload_t { + /** * The payload_t interface. */ payload_t payload_interface; - /** - * Set the ID type. - * - * @param type Type of ID - */ - void (*set_id_type) (id_payload_t *this, id_type_t type); - - /** - * Get the ID type. - * - * @return type of the ID - */ - id_type_t (*get_id_type) (id_payload_t *this); - - /** - * Set the ID data. - * - * Data are getting cloned. - * - * @param data ID data as chunk_t - */ - void (*set_data) (id_payload_t *this, chunk_t data); - - /** - * Get the ID data. - * - * Returned data are a copy of the internal one - * - * @return ID data as chunk_t - */ - chunk_t (*get_data_clone) (id_payload_t *this); - - /** - * Get the ID data. - * - * Returned data are NOT copied. - * - * @return ID data as chunk_t - */ - chunk_t (*get_data) (id_payload_t *this); - /** * Creates an identification object of this id payload. * - * Returned object has to get destroyed by the caller. - * * @return identification_t object */ identification_t *(*get_identification) (id_payload_t *this); diff --git a/src/libcharon/encoding/payloads/ike_header.c b/src/libcharon/encoding/payloads/ike_header.c index 735f01304..80dcee0cb 100644 --- a/src/libcharon/encoding/payloads/ike_header.c +++ b/src/libcharon/encoding/payloads/ike_header.c @@ -83,6 +83,11 @@ struct private_ike_header_t { bool response; } flags; + /** + * Reserved bits of IKE header + */ + bool reserved[5]; + /** * Associated Message-ID. */ 
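Review bot: The header drops `Returned object has to get destroyed by the caller.` from the get_identification() doc, but the implementation in id_payload.c still returns a freshly created object from identification_create_from_encoding() on every call, so that ownership statement was correct and removing it invites leaks. Suggest restoring it in the `@return` line, e.g. `@return identification_t object, to be destroyed by the caller`. The removal of set_id_type/get_id_type/set_data/get_data/get_data_clone itself is consistent with the .c hunk, where id_payload_create_from_identification is now the only way to fill the payload.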
@@ -119,30 +124,30 @@ encoding_rule_t ike_header_encodings[] = { /* 8 Byte SPI, stored in the field initiator_spi */ { IKE_SPI, offsetof(private_ike_header_t, initiator_spi) }, /* 8 Byte SPI, stored in the field responder_spi */ - { IKE_SPI, offsetof(private_ike_header_t, responder_spi) }, + { IKE_SPI, offsetof(private_ike_header_t, responder_spi) }, /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_ike_header_t, next_payload) }, + { U_INT_8, offsetof(private_ike_header_t, next_payload) }, /* 4 Bit major version, stored in the field maj_version */ - { U_INT_4, offsetof(private_ike_header_t, maj_version) }, + { U_INT_4, offsetof(private_ike_header_t, maj_version) }, /* 4 Bit minor version, stored in the field min_version */ - { U_INT_4, offsetof(private_ike_header_t, min_version) }, + { U_INT_4, offsetof(private_ike_header_t, min_version) }, /* 8 Bit for the exchange type */ - { U_INT_8, offsetof(private_ike_header_t, exchange_type) }, - /* 2 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { U_INT_8, offsetof(private_ike_header_t, exchange_type) }, + /* 2 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[1]) }, /* 3 Bit flags, stored in the fields response, version and initiator */ - { FLAG, offsetof(private_ike_header_t, flags.response) }, - { FLAG, offsetof(private_ike_header_t, flags.version) }, - { FLAG, offsetof(private_ike_header_t, flags.initiator) }, - /* 3 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_ike_header_t, flags.response) }, + { FLAG, offsetof(private_ike_header_t, flags.version) }, + { FLAG, offsetof(private_ike_header_t, flags.initiator) }, + /* 3 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_ike_header_t, 
reserved[3]) }, + { RESERVED_BIT, offsetof(private_ike_header_t, reserved[4]) }, /* 4 Byte message id, stored in the field message_id */ - { U_INT_32, offsetof(private_ike_header_t, message_id) }, + { U_INT_32, offsetof(private_ike_header_t, message_id) }, /* 4 Byte length fied, stored in the field length */ - { HEADER_LENGTH, offsetof(private_ike_header_t, length) } + { HEADER_LENGTH,offsetof(private_ike_header_t, length) }, }; @@ -163,11 +168,8 @@ encoding_rule_t ike_header_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ - -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_ike_header_t *this) +METHOD(payload_t, verify, status_t, + private_ike_header_t *this) { if ((this->exchange_type < IKE_SA_INIT) || ((this->exchange_type > INFORMATIONAL) @@ -179,7 +181,6 @@ static status_t verify(private_ike_header_t *this) /* unsupported exchange type */ return FAILED; } - if (this->initiator_spi == 0 #ifdef ME /* we allow zero spi for INFORMATIONAL exchanges, 
@@ -191,225 +192,201 @@ static status_t verify(private_ike_header_t *this) /* initiator spi not set */ return FAILED; } + return SUCCESS; +} - /* verification of version is not done in here */ +METHOD(payload_t, get_encoding_rules, void, + private_ike_header_t *this, encoding_rule_t **rules, size_t *rule_count) +{ + *rules = ike_header_encodings; + *rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t); +} - return SUCCESS; +METHOD(payload_t, get_type, payload_type_t, + private_ike_header_t *this) +{ + return HEADER; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(payload_t *this,payload_type_t type) +METHOD(payload_t, get_next_type, payload_type_t, + private_ike_header_t *this) { - ((private_ike_header_t *)this)->next_payload = type; + return this->next_payload; } -/** - * Implementation of ike_header_t.get_initiator_spi. - */ -static u_int64_t get_initiator_spi(private_ike_header_t *this) + +METHOD(payload_t, set_next_type, void, + private_ike_header_t *this, payload_type_t type) +{ + this->next_payload = type; +} + +METHOD(payload_t, get_length, size_t, + private_ike_header_t *this) +{ + return this->length; +} + +METHOD(ike_header_t, get_initiator_spi, u_int64_t, + private_ike_header_t *this) { return this->initiator_spi; } -/** - * Implementation of ike_header_t.set_initiator_spi. - */ -static void set_initiator_spi(private_ike_header_t *this, u_int64_t initiator_spi) +METHOD(ike_header_t, set_initiator_spi, void, + private_ike_header_t *this, u_int64_t initiator_spi) { this->initiator_spi = initiator_spi; } -/** - * Implementation of ike_header_t.get_responder_spi. - */ -static u_int64_t get_responder_spi(private_ike_header_t *this) +METHOD(ike_header_t, get_responder_spi, u_int64_t, + private_ike_header_t *this) { return this->responder_spi; } -/** - * Implementation of ike_header_t.set_responder_spi. 
- */ -static void set_responder_spi(private_ike_header_t *this, u_int64_t responder_spi) +METHOD(ike_header_t, set_responder_spi, void, + private_ike_header_t *this, u_int64_t responder_spi) { this->responder_spi = responder_spi; } -/** - * Implementation of ike_header_t.get_maj_version. - */ -static u_int8_t get_maj_version(private_ike_header_t *this) +METHOD(ike_header_t, get_maj_version, u_int8_t, + private_ike_header_t *this) { return this->maj_version; } -/** - * Implementation of ike_header_t.get_min_version. - */ -static u_int8_t get_min_version(private_ike_header_t *this) +METHOD(ike_header_t, set_maj_version, void, + private_ike_header_t *this, u_int8_t major) +{ + this->maj_version = major; +} + +METHOD(ike_header_t, get_min_version, u_int8_t, + private_ike_header_t *this) { return this->min_version; } -/** - * Implementation of ike_header_t.get_response_flag. - */ -static bool get_response_flag(private_ike_header_t *this) +METHOD(ike_header_t, set_min_version, void, + private_ike_header_t *this, u_int8_t minor) +{ + this->min_version = minor; +} + +METHOD(ike_header_t, get_response_flag, bool, + private_ike_header_t *this) { return this->flags.response; } -/** - * Implementation of ike_header_t.set_response_flag. - */ -static void set_response_flag(private_ike_header_t *this, bool response) +METHOD(ike_header_t, set_response_flag, void, + private_ike_header_t *this, bool response) { this->flags.response = response; } -/** - * Implementation of ike_header_t.get_version_flag. - */ -static bool get_version_flag(private_ike_header_t *this) +METHOD(ike_header_t, get_version_flag, bool, + private_ike_header_t *this) { return this->flags.version; } -/** - * Implementation of ike_header_t.get_initiator_flag. 
- */ -static bool get_initiator_flag(private_ike_header_t *this) +METHOD(ike_header_t, set_version_flag, void, + private_ike_header_t *this, bool version) +{ + this->flags.version = version; +} + +METHOD(ike_header_t, get_initiator_flag, bool, + private_ike_header_t *this) { return this->flags.initiator; } -/** - * Implementation of ike_header_t.set_initiator_flag. - */ -static void set_initiator_flag(private_ike_header_t *this, bool initiator) +METHOD(ike_header_t, set_initiator_flag, void, + private_ike_header_t *this, bool initiator) { this->flags.initiator = initiator; } -/** - * Implementation of ike_header_t.get_exchange_type. - */ -static u_int8_t get_exchange_type(private_ike_header_t *this) +METHOD(ike_header_t, get_exchange_type, u_int8_t, + private_ike_header_t *this) { return this->exchange_type; } -/** - * Implementation of ike_header_t.set_exchange_type. - */ -static void set_exchange_type(private_ike_header_t *this, u_int8_t exchange_type) +METHOD(ike_header_t, set_exchange_type, void, + private_ike_header_t *this, u_int8_t exchange_type) { this->exchange_type = exchange_type; } -/** - * Implements ike_header_t's get_message_id function. - * See #ike_header_t.get_message_id for description. - */ -static u_int32_t get_message_id(private_ike_header_t *this) +METHOD(ike_header_t, get_message_id, u_int32_t, + private_ike_header_t *this) { return this->message_id; } -/** - * Implementation of ike_header_t.set_message_id. - */ -static void set_message_id(private_ike_header_t *this, u_int32_t message_id) +METHOD(ike_header_t, set_message_id, void, + private_ike_header_t *this, u_int32_t message_id) { this->message_id = message_id; } -/** - * Implementation of ike_header_t.destroy and payload_t.destroy. - */ -static void destroy(ike_header_t *this) +METHOD2(payload_t, ike_header_t, destroy, void, + private_ike_header_t *this) { free(this); } -/** - * Implementation of payload_t.get_encoding_rules. 
- */ -static void get_encoding_rules(payload_t *this, encoding_rule_t **rules, size_t *rule_count) -{ - *rules = ike_header_encodings; - *rule_count = sizeof(ike_header_encodings) / sizeof(encoding_rule_t); -} - -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(payload_t *this) -{ - return HEADER; -} - -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(payload_t *this) -{ - return (((private_ike_header_t*)this)->next_payload); -} - -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(payload_t *this) -{ - return (((private_ike_header_t*)this)->length); -} - /* * Described in header. */ ike_header_t *ike_header_create() { - private_ike_header_t *this = malloc_thing(private_ike_header_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = get_encoding_rules; - this->public.payload_interface.get_length = get_length; - this->public.payload_interface.get_next_type = get_next_type; - this->public.payload_interface.set_next_type = set_next_type; - this->public.payload_interface.get_type = get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - this->public.destroy = destroy; - - this->public.get_initiator_spi = (u_int64_t (*) (ike_header_t*))get_initiator_spi; - this->public.set_initiator_spi = (void (*) (ike_header_t*,u_int64_t))set_initiator_spi; - this->public.get_responder_spi = (u_int64_t (*) (ike_header_t*))get_responder_spi; - this->public.set_responder_spi = (void (*) (ike_header_t *,u_int64_t))set_responder_spi; - this->public.get_maj_version = (u_int8_t (*) (ike_header_t*))get_maj_version; - this->public.get_min_version = (u_int8_t (*) (ike_header_t*))get_min_version; - this->public.get_response_flag = (bool (*) (ike_header_t*))get_response_flag; - this->public.set_response_flag = (void (*) (ike_header_t*,bool))set_response_flag; - 
this->public.get_version_flag = (bool (*) (ike_header_t*))get_version_flag; - this->public.get_initiator_flag = (bool (*) (ike_header_t*))get_initiator_flag; - this->public.set_initiator_flag = (void (*) (ike_header_t*,bool))set_initiator_flag; - this->public.get_exchange_type = (u_int8_t (*) (ike_header_t*))get_exchange_type; - this->public.set_exchange_type = (void (*) (ike_header_t*,u_int8_t))set_exchange_type; - this->public.get_message_id = (u_int32_t (*) (ike_header_t*))get_message_id; - this->public.set_message_id = (void (*) (ike_header_t*,u_int32_t))set_message_id; - - /* set default values of the fields */ - this->initiator_spi = 0; - this->responder_spi = 0; - this->next_payload = 0; - this->maj_version = IKE_MAJOR_VERSION; - this->min_version = IKE_MINOR_VERSION; - this->exchange_type = EXCHANGE_TYPE_UNDEFINED; - this->flags.initiator = TRUE; - this->flags.version = HIGHER_VERSION_SUPPORTED_FLAG; - this->flags.response = FALSE; - this->message_id = 0; - this->length = IKE_HEADER_LENGTH; - - return (ike_header_t*)this; + private_ike_header_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_initiator_spi = _get_initiator_spi, + .set_initiator_spi = _set_initiator_spi, + .get_responder_spi = _get_responder_spi, + .set_responder_spi = _set_responder_spi, + .get_maj_version = _get_maj_version, + .set_maj_version = _set_maj_version, + .get_min_version = _get_min_version, + .set_min_version = _set_min_version, + .get_response_flag = _get_response_flag, + .set_response_flag = _set_response_flag, + .get_version_flag = _get_version_flag, + .set_version_flag = _set_version_flag, + .get_initiator_flag = _get_initiator_flag, + .set_initiator_flag = _set_initiator_flag, + .get_exchange_type = _get_exchange_type, + .set_exchange_type = 
_set_exchange_type, + .get_message_id = _get_message_id, + .set_message_id = _set_message_id, + .destroy = _destroy, + }, + .maj_version = IKE_MAJOR_VERSION, + .min_version = IKE_MINOR_VERSION, + .exchange_type = EXCHANGE_TYPE_UNDEFINED, + .flags = { + .initiator = TRUE, + .version = HIGHER_VERSION_SUPPORTED_FLAG, + }, + .length = IKE_HEADER_LENGTH, + ); + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/ike_header.h b/src/libcharon/encoding/payloads/ike_header.h index e63e8bf06..f52c852c5 100644 --- a/src/libcharon/encoding/payloads/ike_header.h +++ b/src/libcharon/encoding/payloads/ike_header.h @@ -142,6 +142,13 @@ struct ike_header_t { */ u_int8_t (*get_maj_version) (ike_header_t *this); + /** + * Set the major version. + * + * @param major major version + */ + void (*set_maj_version) (ike_header_t *this, u_int8_t major); + /** * Get the minor version. * @@ -149,6 +156,13 @@ struct ike_header_t { */ u_int8_t (*get_min_version) (ike_header_t *this); + /** + * Set the minor version. + * + * @param minor minor version + */ + void (*set_min_version) (ike_header_t *this, u_int8_t minor); + /** * Get the response flag. * @@ -162,6 +176,7 @@ struct ike_header_t { * @param response response flag */ void (*set_response_flag) (ike_header_t *this, bool response); + /** * Get "higher version supported"-flag. * @@ -169,6 +184,13 @@ struct ike_header_t { */ bool (*get_version_flag) (ike_header_t *this); + /** + * Set the "higher version supported"-flag. + * + * @param version flag value + */ + void (*set_version_flag)(ike_header_t *this, bool version); + /** * Get the initiator flag. * diff --git a/src/libcharon/encoding/payloads/ke_payload.c b/src/libcharon/encoding/payloads/ke_payload.c index 1bc79f084..999d73192 100644 --- a/src/libcharon/encoding/payloads/ke_payload.c +++ b/src/libcharon/encoding/payloads/ke_payload.c 
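Review bot: `verify` in this hunk drops the comment `/* verification of version is not done in here */` without adding the check, so a reader of the new `verify` sees exchange type and initiator SPI validated and may assume the version nibbles are too. Nothing in this hunk inspects `maj_version` or `min_version`, and the new `set_maj_version`/`set_min_version` store the full `u_int8_t` unchecked; presumably the caller validates the version before trusting the header, but that is not visible here. Restore the note before the final `return SUCCESS;`, e.g. `/* major/minor version are checked by the caller, not in here */`. `verify` begins in an earlier hunk, so its first checks are outside this one.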
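Review bot: The new `set_maj_version` and `set_min_version` declarations in ike_header.h document the parameter only as `major version`/`minor version`, although both fields are encoded as 4-bit `U_INT_4` in `ike_header_encodings` and the setters store the whole `u_int8_t` without a range check. A value above 15 would therefore be silently truncated or mis-encoded by the generator (the encoder itself is not visible here, so the exact effect is inferred). Document the range in the header, `@param major major version (4 bit value, 0..15)` and likewise for `minor`; if these setters exist to build deliberately malformed headers for testing, say so in the same comment so nobody adds a check that breaks that use.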
@@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -20,14 +21,13 @@ #include - typedef struct private_ke_payload_t private_ke_payload_t; /** * Private data of an ke_payload_t object. - * */ struct private_ke_payload_t { + /** * Public ke_payload_t interface. */ @@ -43,6 +43,16 @@ struct private_ke_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved_bit[7]; + + /** + * Reserved bytes + */ + u_int8_t reserved_byte[2]; + /** * Length of this payload. */ 
@@ -64,27 +74,27 @@ struct private_ke_payload_t { * * The defined offsets are the positions in a object of type * private_ke_payload_t. - * */ encoding_rule_t ke_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_ke_payload_t, next_payload) }, + { U_INT_8, offsetof(private_ke_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_ke_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_ke_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_ke_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_ke_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_ke_payload_t, payload_length) }, /* DH Group number as 16 bit field*/ - { U_INT_16, offsetof(private_ke_payload_t, dh_group_number) }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { U_INT_16, offsetof(private_ke_payload_t, dh_group_number) }, + /* 2 reserved bytes */ + { RESERVED_BYTE, offsetof(private_ke_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_ke_payload_t, reserved_byte[1])}, /* Key Exchange Data is from variable size */ { KEY_EXCHANGE_DATA, offsetof(private_ke_payload_t, key_exchange_data)} }; 
@@ -103,123 +113,60 @@ encoding_rule_t ke_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_ke_payload_t *this) +METHOD(payload_t, verify, status_t, + private_ke_payload_t *this) { - /* dh group is not verified in here */ return SUCCESS; } -/** - * Implementation of payload_t.destroy. - */ -static void destroy(private_ke_payload_t *this) -{ - if (this->key_exchange_data.ptr != NULL) - { - free(this->key_exchange_data.ptr); - } - free(this); -} - -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_ke_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = ke_payload_encodings; - *rule_count = sizeof(ke_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(ke_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_ke_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_ke_payload_t *this) { return KEY_EXCHANGE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_ke_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_ke_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_ke_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_ke_payload_t *this,payload_type_t type) { this->next_payload = type; } -/** - * recompute the length of the payload. 
- */ -static void compute_length(private_ke_payload_t *this) -{ - size_t length = KE_PAYLOAD_HEADER_LENGTH; - if (this->key_exchange_data.ptr != NULL) - { - length += this->key_exchange_data.len; - } - this->payload_length = length; -} - -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_ke_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_ke_payload_t *this) { - compute_length(this); return this->payload_length; } -/** - * Implementation of ke_payload_t.get_key_exchange_data. - */ -static chunk_t get_key_exchange_data(private_ke_payload_t *this) +METHOD(ke_payload_t, get_key_exchange_data, chunk_t, + private_ke_payload_t *this) { - return (this->key_exchange_data); + return this->key_exchange_data; } -/** - * Implementation of ke_payload_t.set_key_exchange_data. - */ -static void set_key_exchange_data(private_ke_payload_t *this, chunk_t key_exchange_data) -{ - /* destroy existing data first */ - if (this->key_exchange_data.ptr != NULL) - { - /* free existing value */ - free(this->key_exchange_data.ptr); - this->key_exchange_data.ptr = NULL; - this->key_exchange_data.len = 0; - - } - - this->key_exchange_data = chunk_clone(key_exchange_data); - compute_length(this); -} - -/** - * Implementation of ke_payload_t.get_dh_group_number. - */ -static diffie_hellman_group_t get_dh_group_number(private_ke_payload_t *this) +METHOD(ke_payload_t, get_dh_group_number, diffie_hellman_group_t, + private_ke_payload_t *this) { return this->dh_group_number; } -/** - * Implementation of ke_payload_t.set_dh_group_number. - */ -static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group_t dh_group_number) +METHOD2(payload_t, ke_payload_t, destroy, void, + private_ke_payload_t *this) { - this->dh_group_number = dh_group_number; + free(this->key_exchange_data.ptr); + free(this); } /* 
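Review bot: The new `verify` returns `SUCCESS` unconditionally and also drops the comment `/* dh group is not verified in here */`, so nothing in this file now records that neither the group number nor the length of `key_exchange_data` is validated at payload level. A peer can send any group with any key length; presumably this is rejected where the DH object consumes the value, but the new code gives the reader no pointer to that. Keep a note in `verify`, e.g. `/* DH group and key length are validated by the consumer of this payload, not here */`. Note also that `get_length` no longer recomputes `payload_length`, so with the setter removed, `ke_payload_create_from_diffie_hellman` and the parser are the only places that may fill `key_exchange_data`, and each must keep `payload_length` in step itself.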
@@ -227,31 +174,27 @@ static void set_dh_group_number(private_ke_payload_t *this, diffie_hellman_group */ ke_payload_t *ke_payload_create() { - private_ke_payload_t *this = malloc_thing(private_ke_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.get_key_exchange_data = (chunk_t (*) (ke_payload_t *)) get_key_exchange_data; - this->public.set_key_exchange_data = (void (*) (ke_payload_t *,chunk_t)) set_key_exchange_data; - this->public.get_dh_group_number = (diffie_hellman_group_t (*) (ke_payload_t *)) get_dh_group_number; - this->public.set_dh_group_number =(void (*) (ke_payload_t *,diffie_hellman_group_t)) set_dh_group_number; - this->public.destroy = (void (*) (ke_payload_t *)) destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = KE_PAYLOAD_HEADER_LENGTH; - this->key_exchange_data = chunk_empty; - this->dh_group_number = MODP_NONE; - + private_ke_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_key_exchange_data = _get_key_exchange_data, + 
.get_dh_group_number = _get_dh_group_number, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = KE_PAYLOAD_HEADER_LENGTH, + .dh_group_number = MODP_NONE, + ); return &this->public; } @@ -264,7 +207,7 @@ ke_payload_t *ke_payload_create_from_diffie_hellman(diffie_hellman_t *dh) dh->get_my_public_value(dh, &this->key_exchange_data); this->dh_group_number = dh->get_dh_group(dh); - compute_length(this); + this->payload_length = this->key_exchange_data.len + KE_PAYLOAD_HEADER_LENGTH; return &this->public; } diff --git a/src/libcharon/encoding/payloads/ke_payload.h b/src/libcharon/encoding/payloads/ke_payload.h index 3ca05009e..65cc11883 100644 --- a/src/libcharon/encoding/payloads/ke_payload.h +++ b/src/libcharon/encoding/payloads/ke_payload.h @@ -47,23 +47,12 @@ struct ke_payload_t { payload_t payload_interface; /** - * Returns the currently set key exchange data of this KE payload. + * Returns the key exchange data of this KE payload. * - * @warning Returned data are not copied. - * - * @return chunk_t pointing to the value + * @return chunk_t pointing to internal data */ chunk_t (*get_key_exchange_data) (ke_payload_t *this); - /** - * Sets the key exchange data of this KE payload. - * - * Value is getting copied. - * - * @param key_exchange_data chunk_t pointing to the value to set - */ - void (*set_key_exchange_data) (ke_payload_t *this, chunk_t key_exchange_data); - /** * Gets the Diffie-Hellman Group Number of this KE payload. * @@ -71,14 +60,6 @@ struct ke_payload_t { */ diffie_hellman_group_t (*get_dh_group_number) (ke_payload_t *this); - /** - * Sets the Diffie-Hellman Group Number of this KE payload. - * - * @param dh_group_number DH Group to set - */ - void (*set_dh_group_number) (ke_payload_t *this, - diffie_hellman_group_t dh_group_number); - /** * Destroys an ke_payload_t object. */ diff --git a/src/libcharon/encoding/payloads/nonce_payload.c b/src/libcharon/encoding/payloads/nonce_payload.c index 4ad5ce9dd..78000b8c6 100644 
--- a/src/libcharon/encoding/payloads/nonce_payload.c +++ b/src/libcharon/encoding/payloads/nonce_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -14,21 +15,19 @@ * for more details. */ -/* offsetof macro */ #include #include "nonce_payload.h" #include - typedef struct private_nonce_payload_t private_nonce_payload_t; /** * Private data of an nonce_payload_t object. - * */ struct private_nonce_payload_t { + /** * Public nonce_payload_t interface. */ @@ -44,6 +43,11 @@ struct private_nonce_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ 
@@ -60,25 +64,24 @@ struct private_nonce_payload_t { * * The defined offsets are the positions in a object of type * private_nonce_payload_t. - * */ encoding_rule_t nonce_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_nonce_payload_t, next_payload) }, + { U_INT_8, offsetof(private_nonce_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_nonce_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_nonce_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_nonce_payload_t, reserved[6]) }, /* Length of the whole nonce payload*/ - { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, + { PAYLOAD_LENGTH, offsetof(private_nonce_payload_t, payload_length) }, /* some nonce bytes, lenth is defined in PAYLOAD_LENGTH */ - { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) } + { NONCE_DATA, offsetof(private_nonce_payload_t, nonce) }, }; /* 1 2 3 
@@ -92,102 +95,64 @@ encoding_rule_t nonce_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_nonce_payload_t *this) +METHOD(payload_t, verify, status_t, + private_nonce_payload_t *this) { - if ((this->nonce.len < 16) || ((this->nonce.len > 256))) + if (this->nonce.len < 16 || this->nonce.len > 256) { - /* nonce length is wrong */ return FAILED; } - return SUCCESS; } -/** - * Implementation of nonce_payload_t.set_nonce. - */ -static status_t set_nonce(private_nonce_payload_t *this, chunk_t nonce) -{ - this->nonce.ptr = clalloc(nonce.ptr, nonce.len); - this->nonce.len = nonce.len; - this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len; - return SUCCESS; -} - -/** - * Implementation of nonce_payload_t.get_nonce. - */ -static chunk_t get_nonce(private_nonce_payload_t *this) -{ - chunk_t nonce; - nonce.ptr = clalloc(this->nonce.ptr,this->nonce.len); - nonce.len = this->nonce.len; - return nonce; -} - -/** - * Implementation of nonce_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_nonce_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = nonce_payload_encodings; - *rule_count = sizeof(nonce_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(nonce_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_nonce_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_nonce_payload_t *this) { return NONCE; } -/** - * Implementation of payload_t.get_next_type. 
- */ -static payload_type_t get_next_type(private_nonce_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_nonce_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_nonce_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_nonce_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * recompute the length of the payload. - */ -static void compute_length(private_nonce_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_nonce_payload_t *this) { - this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + this->nonce.len; + return this->payload_length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_nonce_payload_t *this) +METHOD(nonce_payload_t, set_nonce, void, + private_nonce_payload_t *this, chunk_t nonce) { - compute_length(this); - return this->payload_length; + this->nonce = chunk_clone(nonce); + this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH + nonce.len; } -/** - * Implementation of payload_t.destroy and nonce_payload_t.destroy. - */ -static void destroy(private_nonce_payload_t *this) +METHOD(nonce_payload_t, get_nonce, chunk_t, + private_nonce_payload_t *this) { - if (this->nonce.ptr != NULL) - { - free(this->nonce.ptr); - } + return chunk_clone(this->nonce); +} +METHOD2(payload_t, nonce_payload_t, destroy, void, + private_nonce_payload_t *this) +{ + free(this->nonce.ptr); free(this); } 
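Review bot: `set_nonce` assigns `this->nonce = chunk_clone(nonce)` without releasing a nonce the payload already holds, so calling it twice on the same object leaks the first buffer (the old `clalloc` version had the same gap; the rewrite is the moment to close it). Prepend `free(this->nonce.ptr);` before the clone; `free(NULL)` is a no-op, so a freshly created payload is unaffected. Also, `set_nonce` does not enforce the 16..256 byte bound that `verify` applies to received nonces, so a locally generated nonce of the wrong size is only caught if `verify` also runs on outgoing payloads, which is not visible here.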
@@ -196,30 +161,25 @@ static void destroy(private_nonce_payload_t *this) */ nonce_payload_t *nonce_payload_create() { - private_nonce_payload_t *this = malloc_thing(private_nonce_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (nonce_payload_t *)) destroy; - this->public.set_nonce = (void (*) (nonce_payload_t *,chunk_t)) set_nonce; - this->public.get_nonce = (chunk_t (*) (nonce_payload_t *)) get_nonce; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = NONCE_PAYLOAD_HEADER_LENGTH; - this->nonce.ptr = NULL; - this->nonce.len = 0; - - return (&(this->public)); + private_nonce_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_nonce = _set_nonce, + .get_nonce = _get_nonce, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = NONCE_PAYLOAD_HEADER_LENGTH, + ); + return &this->public; } - - diff --git a/src/libcharon/encoding/payloads/notify_payload.c b/src/libcharon/encoding/payloads/notify_payload.c index a56fd1869..77f15ec6d 100644 
--- a/src/libcharon/encoding/payloads/notify_payload.c +++ b/src/libcharon/encoding/payloads/notify_payload.c @@ -1,7 +1,8 @@ /* + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2006-2008 Tobias Brunner * Copyright (C) 2006 Daniel Roethlisberger - * Copyright (C) 2005-2006 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -186,9 +187,9 @@ typedef struct private_notify_payload_t private_notify_payload_t; /** * Private data of an notify_payload_t object. - * */ struct private_notify_payload_t { + /** * Public notify_payload_t interface. */ @@ -204,6 +205,11 @@ struct private_notify_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ @@ -240,7 +246,6 @@ struct private_notify_payload_t { * * The defined offsets are the positions in a object of type * private_notify_payload_t. - * */ encoding_rule_t notify_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ 
@@ -248,13 +253,13 @@ encoding_rule_t notify_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_notify_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_notify_payload_t, reserved[6]) }, /* Length of the whole payload*/ { PAYLOAD_LENGTH, offsetof(private_notify_payload_t, payload_length) }, /* Protocol ID as 8 bit field*/ @@ -262,11 +267,11 @@ encoding_rule_t notify_payload_encodings[] = { /* SPI Size as 8 bit field*/ { SPI_SIZE, offsetof(private_notify_payload_t, spi_size) }, /* Notify message type as 16 bit field*/ - { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, + { U_INT_16, offsetof(private_notify_payload_t, notify_type) }, /* SPI as variable length field*/ { SPI, offsetof(private_notify_payload_t, spi) }, /* Key Exchange Data is from variable size */ - { NOTIFICATION_DATA, offsetof(private_notify_payload_t, notification_data) } + { NOTIFICATION_DATA,offsetof(private_notify_payload_t, notification_data) } }; /* @@ -287,10 +292,8 @@ encoding_rule_t notify_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_notify_payload_t *this) +METHOD(payload_t, verify, status_t, + private_notify_payload_t *this) { bool bad_length = FALSE; 
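Review bot: The comment `/* 7 Bit reserved bits, nowhere stored */` is stale now that each RESERVED_BIT rule points at `reserved[0]`..`reserved[6]`; it should read `/* 7 reserved bits, stored in reserved[] */`. Because the reserved flags are now real fields, the generator will emit whatever they hold; INIT() in this commit zero-fills the object, so outgoing notifies send them as zero, which is what the protocol expects. Whether the parser's RESERVED_BIT handling merely records or also rejects a non-zero bit on receipt is not visible here; the latter would be a regression, since peers are allowed to send anything in reserved bits and they must be ignored.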
@@ -404,35 +407,27 @@ static status_t verify(private_notify_payload_t *this) return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_notify_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = notify_payload_encodings; - *rule_count = sizeof(notify_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(notify_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_notify_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_notify_payload_t *this) { return NOTIFY; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_notify_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_notify_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_notify_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_notify_payload_t *this, payload_type_t type) { this->next_payload = type; } @@ -443,6 +438,7 @@ static void set_next_type(private_notify_payload_t *this,payload_type_t type) static void compute_length (private_notify_payload_t *this) { size_t length = NOTIFY_PAYLOAD_HEADER_LENGTH; + if (this->notification_data.ptr != NULL) { length += this->notification_data.len; 
@@ -454,51 +450,38 @@ static void compute_length (private_notify_payload_t *this) this->payload_length = length; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_notify_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_notify_payload_t *this) { - compute_length(this); return this->payload_length; } -/** - * Implementation of notify_payload_t.get_protocol_id. - */ -static u_int8_t get_protocol_id(private_notify_payload_t *this) +METHOD(notify_payload_t, get_protocol_id, u_int8_t, + private_notify_payload_t *this) { return this->protocol_id; } -/** - * Implementation of notify_payload_t.set_protocol_id. - */ -static void set_protocol_id(private_notify_payload_t *this, u_int8_t protocol_id) +METHOD(notify_payload_t, set_protocol_id, void, + private_notify_payload_t *this, u_int8_t protocol_id) { this->protocol_id = protocol_id; } -/** - * Implementation of notify_payload_t.get_notify_type. - */ -static notify_type_t get_notify_type(private_notify_payload_t *this) +METHOD(notify_payload_t, get_notify_type, notify_type_t, + private_notify_payload_t *this) { return this->notify_type; } -/** - * Implementation of notify_payload_t.set_notify_type. - */ -static void set_notify_type(private_notify_payload_t *this, u_int16_t notify_type) +METHOD(notify_payload_t, set_notify_type, void, + private_notify_payload_t *this, notify_type_t notify_type) { this->notify_type = notify_type; } -/** - * Implementation of notify_payload_t.get_spi. - */ -static u_int32_t get_spi(private_notify_payload_t *this) +METHOD(notify_payload_t, get_spi, u_int32_t, + private_notify_payload_t *this) { switch (this->protocol_id) { 
@@ -514,10 +497,8 @@ static u_int32_t get_spi(private_notify_payload_t *this) return 0; } -/** - * Implementation of notify_payload_t.set_spi. - */ -static void set_spi(private_notify_payload_t *this, u_int32_t spi) +METHOD(notify_payload_t, set_spi, void, + private_notify_payload_t *this, u_int32_t spi) { chunk_free(&this->spi); switch (this->protocol_id) @@ -534,37 +515,26 @@ static void set_spi(private_notify_payload_t *this, u_int32_t spi) compute_length(this); } -/** - * Implementation of notify_payload_t.get_notification_data. - */ -static chunk_t get_notification_data(private_notify_payload_t *this) +METHOD(notify_payload_t, get_notification_data, chunk_t, + private_notify_payload_t *this) { - return (this->notification_data); + return this->notification_data; } -/** - * Implementation of notify_payload_t.set_notification_data. - */ -static status_t set_notification_data(private_notify_payload_t *this, chunk_t notification_data) +METHOD(notify_payload_t, set_notification_data, void, + private_notify_payload_t *this, chunk_t data) { - chunk_free(&this->notification_data); - if (notification_data.len > 0) - { - this->notification_data = chunk_clone(notification_data); - } + free(this->notification_data.ptr); + this->notification_data = chunk_clone(data); compute_length(this); - return SUCCESS; } -/** - * Implementation of notify_payload_t.destroy and notify_payload_t.destroy. - */ -static status_t destroy(private_notify_payload_t *this) +METHOD2(payload_t, notify_payload_t, destroy, void, + private_notify_payload_t *this) { - chunk_free(&this->notification_data); - chunk_free(&this->spi); + free(this->notification_data.ptr); + free(this->spi.ptr); free(this); - return SUCCESS; } /* 
@@ -572,52 +542,45 @@ static status_t destroy(private_notify_payload_t *this) */ notify_payload_t *notify_payload_create() { - private_notify_payload_t *this = malloc_thing(private_notify_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.get_protocol_id = (u_int8_t (*) (notify_payload_t *)) get_protocol_id; - this->public.set_protocol_id = (void (*) (notify_payload_t *,u_int8_t)) set_protocol_id; - this->public.get_notify_type = (notify_type_t (*) (notify_payload_t *)) get_notify_type; - this->public.set_notify_type = (void (*) (notify_payload_t *,notify_type_t)) set_notify_type; - this->public.get_spi = (u_int32_t (*) (notify_payload_t *)) get_spi; - this->public.set_spi = (void (*) (notify_payload_t *,u_int32_t)) set_spi; - this->public.get_notification_data = (chunk_t (*) (notify_payload_t *)) get_notification_data; - this->public.set_notification_data = (void (*) (notify_payload_t *,chunk_t)) set_notification_data; - this->public.destroy = (void (*) (notify_payload_t *)) destroy; - - /* set default values of the fields */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH; - this->protocol_id = 0; - this->notify_type = 0; - this->spi.ptr = NULL; - this->spi.len = 0; - this->spi_size = 0; - this->notification_data.ptr 
= NULL; - this->notification_data.len = 0; - + private_notify_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_protocol_id = _get_protocol_id, + .set_protocol_id = _set_protocol_id, + .get_notify_type = _get_notify_type, + .set_notify_type = _set_notify_type, + .get_spi = _get_spi, + .set_spi = _set_spi, + .get_notification_data = _get_notification_data, + .set_notification_data = _set_notification_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = NOTIFY_PAYLOAD_HEADER_LENGTH, + ); return &this->public; } /* * Described in header. */ -notify_payload_t *notify_payload_create_from_protocol_and_type(protocol_id_t protocol_id, notify_type_t notify_type) +notify_payload_t *notify_payload_create_from_protocol_and_type( + protocol_id_t protocol_id, notify_type_t notify_type) { notify_payload_t *notify = notify_payload_create(); - notify->set_notify_type(notify,notify_type); - notify->set_protocol_id(notify,protocol_id); + notify->set_notify_type(notify, notify_type); + notify->set_protocol_id(notify, protocol_id); return notify; } diff --git a/src/libcharon/encoding/payloads/payload.c b/src/libcharon/encoding/payloads/payload.c index 1cee6d2aa..d1e677db7 100644 --- a/src/libcharon/encoding/payloads/payload.c +++ b/src/libcharon/encoding/payloads/payload.c 
@@ -59,25 +59,23 @@ ENUM_NEXT(payload_type_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICATION, N #ifdef ME ENUM_NEXT(payload_type_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION, "ID_PEER"); -ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER, +ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER, "HEADER", "PROPOSAL_SUBSTRUCTURE", "TRANSFORM_SUBSTRUCTURE", "TRANSFORM_ATTRIBUTE", "TRAFFIC_SELECTOR_SUBSTRUCTURE", - "CONFIGURATION_ATTRIBUTE", - "UNKNOWN_PAYLOAD"); + "CONFIGURATION_ATTRIBUTE"); #else -ENUM_NEXT(payload_type_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION, +ENUM_NEXT(payload_type_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION, "HEADER", "PROPOSAL_SUBSTRUCTURE", "TRANSFORM_SUBSTRUCTURE", "TRANSFORM_ATTRIBUTE", "TRAFFIC_SELECTOR_SUBSTRUCTURE", - "CONFIGURATION_ATTRIBUTE", - "UNKNOWN_PAYLOAD"); + "CONFIGURATION_ATTRIBUTE"); #endif /* ME */ -ENUM_END(payload_type_names, UNKNOWN_PAYLOAD); +ENUM_END(payload_type_names, CONFIGURATION_ATTRIBUTE); /* short forms of payload names */ ENUM_BEGIN(payload_type_short_names, NO_PAYLOAD, NO_PAYLOAD, @@ -102,25 +100,23 @@ ENUM_NEXT(payload_type_short_names, SECURITY_ASSOCIATION, EXTENSIBLE_AUTHENTICAT #ifdef ME ENUM_NEXT(payload_type_short_names, ID_PEER, ID_PEER, EXTENSIBLE_AUTHENTICATION, "IDp"); -ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, ID_PEER, +ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, ID_PEER, "HDR", "PROP", "TRANS", "TRANSATTR", "TSSUB", - "CPATTR", - "??"); + "CPATTR"); #else -ENUM_NEXT(payload_type_short_names, HEADER, UNKNOWN_PAYLOAD, EXTENSIBLE_AUTHENTICATION, +ENUM_NEXT(payload_type_short_names, HEADER, CONFIGURATION_ATTRIBUTE, EXTENSIBLE_AUTHENTICATION, "HDR", "PROP", "TRANS", "TRANSATTR", "TSSUB", - "CPATTR", - "??"); + "CPATTR"); #endif /* ME */ -ENUM_END(payload_type_short_names, UNKNOWN_PAYLOAD); +ENUM_END(payload_type_short_names, CONFIGURATION_ATTRIBUTE); /* * see header 
@@ -178,7 +174,45 @@ payload_t *payload_create(payload_type_t type) case ENCRYPTED: return (payload_t*)encryption_payload_create(); default: - return (payload_t*)unknown_payload_create(); + return (payload_t*)unknown_payload_create(type); } } +/** + * See header. + */ +bool payload_is_known(payload_type_t type) +{ + if (type == HEADER || + (type >= SECURITY_ASSOCIATION && type <= EXTENSIBLE_AUTHENTICATION)) + { + return TRUE; + } +#ifdef ME + if (type == ID_PEER) + { + return TRUE; + } +#endif + return FALSE; +} + +/** + * See header. + */ +void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip) +{ + encoding_rule_t *rule; + size_t count; + int i; + + payload->get_encoding_rules(payload, &rule, &count); + for (i = 0; i < count; i++) + { + if (rule[i].type == type && skip-- == 0) + { + return ((char*)payload) + rule[i].offset; + } + } + return NULL; +} diff --git a/src/libcharon/encoding/payloads/payload.h b/src/libcharon/encoding/payloads/payload.h index 2e783cb30..0f407ff42 100644 --- a/src/libcharon/encoding/payloads/payload.h +++ b/src/libcharon/encoding/payloads/payload.h @@ -137,7 +137,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle IKEv2-Header like a payload. */ - HEADER = 140, + HEADER = 256, /** * PROPOSAL_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -145,7 +145,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a proposal substructure like a payload. */ - PROPOSAL_SUBSTRUCTURE = 141, + PROPOSAL_SUBSTRUCTURE = 257, /** * TRANSFORM_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -153,7 +153,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform substructure like a payload. */ - TRANSFORM_SUBSTRUCTURE = 142, + TRANSFORM_SUBSTRUCTURE = 258, /** * TRANSFORM_ATTRIBUTE has a value of PRIVATE USE space. 
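Review bot: In payload_get_field the loop index `int i` is compared against the `size_t count` filled in by get_encoding_rules, a signed/unsigned mismatch that -Wsign-compare flags; declaring it `size_t i;` removes the warning without changing behaviour. The function returns `((char*)payload) + rule[i].offset`, i.e. a raw alias into the payload's private struct whose type the caller must infer from the encoding rule it asked for, so the header comment "type specific value pointer" should add that the pointer is only valid for the payload's lifetime and must be cast according to the matching encoding_type_t. Note that `skip--` only runs on a type match thanks to short-circuit evaluation, which is correct but worth a brief comment since it is easy to misread.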
@@ -161,7 +161,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform attribute like a payload. */ - TRANSFORM_ATTRIBUTE = 143, + TRANSFORM_ATTRIBUTE = 259, /** * TRAFFIC_SELECTOR_SUBSTRUCTURE has a value of PRIVATE USE space. @@ -169,7 +169,7 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform selector like a payload. */ - TRAFFIC_SELECTOR_SUBSTRUCTURE = 144, + TRAFFIC_SELECTOR_SUBSTRUCTURE = 260, /** * CONFIGURATION_ATTRIBUTE has a value of PRIVATE USE space. @@ -177,18 +177,9 @@ enum payload_type_t{ * This payload type is not sent over wire and just * used internally to handle a transform attribute like a payload. */ - CONFIGURATION_ATTRIBUTE = 145, - - /** - * A unknown payload has a value of PRIVATE USE space. - * - * This payload type is not sent over wire and just - * used internally to handle a unknown payload. - */ - UNKNOWN_PAYLOAD = 146, + CONFIGURATION_ATTRIBUTE = 261, }; - /** * enum names for payload_type_t. */ @@ -269,4 +260,22 @@ struct payload_t { */ payload_t *payload_create(payload_type_t type); +/** + * Check if a specific payload is implemented, or handled as unknown payload. + * + * @param type type of the payload to check + * @return FALSE if payload type handled as unknown payload + */ +bool payload_is_known(payload_type_t type); + +/** + * Get the value field in a payload using encoding rules. + * + * @param payload payload to look up a field + * @param type encoding rule type to look up + * @param skip number rules of type to skip, 0 to get first + * @return type specific value pointer, NULL if not found + */ +void* payload_get_field(payload_t *payload, encoding_type_t type, u_int skip); + #endif /** PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c index 985b03255..f39c3b0e6 100644 
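Review bot: The "has a value of PRIVATE USE space" sentence on CONFIGURATION_ATTRIBUTE (and the identical one on each of HEADER..TRAFFIC_SELECTOR_SUBSTRUCTURE in the preceding hunks) is now wrong: 256..261 lie outside the one-octet IKEv2 payload type field entirely, which is presumably the point of the renumbering, since a value in 128..255 could previously be supplied by a peer in a Next Payload octet and match an internal pseudo-type. Replacing the sentence with `* Internal pseudo payload type; deliberately outside the 8-bit range of the wire Next Payload field.` records the invariant that payload_is_known() and the u_int8_t next_payload fields rely on. The new payload_is_known doc could also say explicitly that anything it rejects is routed to unknown_payload_create(type).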
--- a/src/libcharon/encoding/payloads/proposal_substructure.c +++ b/src/libcharon/encoding/payloads/proposal_substructure.c @@ -46,6 +46,11 @@ struct private_proposal_substructure_t { */ u_int8_t next_payload; + /** + * reserved byte + */ + u_int8_t reserved; + /** * Length of this payload. */ @@ -91,8 +96,8 @@ struct private_proposal_substructure_t { encoding_rule_t proposal_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ { U_INT_8, offsetof(private_proposal_substructure_t, next_payload) }, - /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_proposal_substructure_t, reserved) }, /* Length of the whole proposal substructure payload*/ { PAYLOAD_LENGTH, offsetof(private_proposal_substructure_t, proposal_length) }, /* proposal number is a number of 8 bit */ 
@@ -213,28 +218,23 @@ METHOD(payload_t, set_next_type, void, */ static void compute_length(private_proposal_substructure_t *this) { - iterator_t *iterator; - payload_t *current_transform; - size_t transforms_count = 0; - size_t length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH; + enumerator_t *enumerator; + payload_t *transform; - iterator = this->transforms->create_iterator(this->transforms,TRUE); - while (iterator->iterate(iterator, (void**)¤t_transform)) + this->transforms_count = 0; + this->proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH + this->spi.len; + enumerator = this->transforms->create_enumerator(this->transforms); + while (enumerator->enumerate(enumerator, &transform)) { - length += current_transform->get_length(current_transform); - transforms_count++; + this->proposal_length += transform->get_length(transform); + this->transforms_count++; } - iterator->destroy(iterator); - - length += this->spi.len; - this->transforms_count = transforms_count; - this->proposal_length = length; + enumerator->destroy(enumerator); } METHOD(payload_t, get_length, size_t, private_proposal_substructure_t *this) { - compute_length(this); return this->proposal_length; } 
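Review bot: get_length now returns the cached proposal_length instead of calling compute_length, so every mutator must recompute it or the on-wire length drifts from the transform list; the hunk shows create_from_proposal doing so, but set_spi and add_transform_substructure are outside this view and cannot be confirmed here. A comment on get_length such as `/* cached; compute_length() must be called by every mutator */` makes the new contract explicit for the next change. The accumulation `this->proposal_length += transform->get_length(transform)` goes into whatever width proposal_length has (a 16-bit field if it matches the PAYLOAD_LENGTH rule), which is fine for locally built proposals but is worth noting as the only bound on the sum.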
@@ -342,32 +342,10 @@ METHOD(proposal_substructure_t, get_proposal, proposal_t*, return proposal; } -METHOD(proposal_substructure_t, clone_, proposal_substructure_t*, +METHOD(proposal_substructure_t, create_substructure_enumerator, enumerator_t*, private_proposal_substructure_t *this) { - private_proposal_substructure_t *clone; - enumerator_t *enumerator; - transform_substructure_t *current; - - clone = (private_proposal_substructure_t*)proposal_substructure_create(); - clone->next_payload = this->next_payload; - clone->proposal_number = this->proposal_number; - clone->protocol_id = this->protocol_id; - clone->spi_size = this->spi_size; - if (this->spi.ptr != NULL) - { - clone->spi.ptr = clalloc(this->spi.ptr, this->spi.len); - clone->spi.len = this->spi.len; - } - enumerator = this->transforms->create_enumerator(this->transforms); - while (enumerator->enumerate(enumerator, ¤t)) - { - current = current->clone(current); - add_transform_substructure(clone, current); - } - enumerator->destroy(enumerator); - - return &clone->public; + return this->transforms->create_enumerator(this->transforms); } METHOD2(payload_t, proposal_substructure_t, destroy, void, @@ -403,12 +381,13 @@ proposal_substructure_t *proposal_substructure_create() .get_protocol_id = _get_protocol_id, .set_is_last_proposal = _set_is_last_proposal, .get_proposal = _get_proposal, + .create_substructure_enumerator = _create_substructure_enumerator, .set_spi = _set_spi, .get_spi = _get_spi, - .clone = _clone_, .destroy = _destroy, }, .next_payload = NO_PAYLOAD, + .proposal_length = PROPOSAL_SUBSTRUCTURE_HEADER_LENGTH, .transforms = linked_list_create(), ); @@ -500,6 +479,7 @@ proposal_substructure_t *proposal_substructure_create_from_proposal( } this->proposal_number = proposal->get_number(proposal); this->protocol_id = proposal->get_protocol(proposal); + compute_length(this); return &this->public; } 
diff --git a/src/libcharon/encoding/payloads/proposal_substructure.h b/src/libcharon/encoding/payloads/proposal_substructure.h index 56e7184b6..d0ba1fd2a 100644 --- a/src/libcharon/encoding/payloads/proposal_substructure.h +++ b/src/libcharon/encoding/payloads/proposal_substructure.h @@ -111,11 +111,11 @@ struct proposal_substructure_t { proposal_t * (*get_proposal) (proposal_substructure_t *this); /** - * Clones an proposal_substructure_t object. + * Create an enumerator over transform substructures. * - * @return cloned object + * @return enumerator over transform_substructure_t */ - proposal_substructure_t* (*clone) (proposal_substructure_t *this); + enumerator_t* (*create_substructure_enumerator)(proposal_substructure_t *this); /** * Destroys an proposal_substructure_t object. diff --git a/src/libcharon/encoding/payloads/sa_payload.c b/src/libcharon/encoding/payloads/sa_payload.c index 4fbd4cac0..db20d052f 100644 --- a/src/libcharon/encoding/payloads/sa_payload.c +++ b/src/libcharon/encoding/payloads/sa_payload.c @@ -45,6 +45,11 @@ struct private_sa_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ 
@@ -68,13 +73,13 @@ encoding_rule_t sa_payload_encodings[] = { /* the critical bit */ { FLAG, offsetof(private_sa_payload_t, critical) }, /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[0]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[1]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[2]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[3]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[4]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[5]) }, + { RESERVED_BIT, offsetof(private_sa_payload_t, reserved[6]) }, /* Length of the whole SA payload*/ { PAYLOAD_LENGTH, offsetof(private_sa_payload_t, payload_length) }, /* Proposals are stored in a proposal substructure, @@ -185,7 +190,6 @@ static void compute_length(private_sa_payload_t *this) METHOD(payload_t, get_length, size_t, private_sa_payload_t *this) { - compute_length(this); return this->payload_length; } @@ -258,6 +262,12 @@ METHOD(sa_payload_t, get_proposals, linked_list_t*, return list; } +METHOD(sa_payload_t, create_substructure_enumerator, enumerator_t*, + private_sa_payload_t *this) +{ + return this->proposals->create_enumerator(this->proposals); +} + METHOD2(payload_t, sa_payload_t, destroy, void, private_sa_payload_t *this) { @@ -286,6 +296,7 @@ sa_payload_t *sa_payload_create() }, .add_proposal = _add_proposal, .get_proposals = _get_proposals, + .create_substructure_enumerator = _create_substructure_enumerator, .destroy = _destroy, }, .next_payload = NO_PAYLOAD, diff --git a/src/libcharon/encoding/payloads/sa_payload.h b/src/libcharon/encoding/payloads/sa_payload.h index 801a70738..cc8c481c8 100644 --- a/src/libcharon/encoding/payloads/sa_payload.h +++ b/src/libcharon/encoding/payloads/sa_payload.h 
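Review bot: The comment `/* 7 Bit reserved bits, nowhere stored */` is stale in this hunk too, now that the rules reference `reserved[0]`..`reserved[6]`; suggest `/* 7 reserved bits, stored in reserved[] */`. As with notify_payload.c, the generator now emits these fields, and INIT() zeroing the object is what guarantees they go out as zero; a short note to that effect next to the `reserved[7]` member would explain why the array exists at all.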
@@ -60,6 +60,13 @@ struct sa_payload_t { */ void (*add_proposal) (sa_payload_t *this, proposal_t *proposal); + /** + * Create an enumerator over all proposal substructures. + * + * @return enumerator over proposal_substructure_t + */ + enumerator_t* (*create_substructure_enumerator)(sa_payload_t *this); + /** * Destroys an sa_payload_t object. */ diff --git a/src/libcharon/encoding/payloads/traffic_selector_substructure.c b/src/libcharon/encoding/payloads/traffic_selector_substructure.c index f24857591..df36e4383 100644 --- a/src/libcharon/encoding/payloads/traffic_selector_substructure.c +++ b/src/libcharon/encoding/payloads/traffic_selector_substructure.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -19,14 +20,13 @@ #include #include - typedef struct private_traffic_selector_substructure_t private_traffic_selector_substructure_t; /** * Private data of an traffic_selector_substructure_t object. - * */ struct private_traffic_selector_substructure_t { + /** * Public traffic_selector_substructure_t interface. */ 
@@ -73,24 +73,22 @@ struct private_traffic_selector_substructure_t { * * The defined offsets are the positions in a object of type * private_traffic_selector_substructure_t. - * */ encoding_rule_t traffic_selector_substructure_encodings[] = { /* 1 Byte next ts type*/ - { TS_TYPE, offsetof(private_traffic_selector_substructure_t, ts_type) }, + { TS_TYPE, offsetof(private_traffic_selector_substructure_t, ts_type) }, /* 1 Byte IP protocol id*/ - { U_INT_8, offsetof(private_traffic_selector_substructure_t, ip_protocol_id) }, + { U_INT_8, offsetof(private_traffic_selector_substructure_t, ip_protocol_id) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_traffic_selector_substructure_t, payload_length) }, + { PAYLOAD_LENGTH,offsetof(private_traffic_selector_substructure_t, payload_length) }, /* 2 Byte start port*/ - { U_INT_16, offsetof(private_traffic_selector_substructure_t, start_port) }, + { U_INT_16, offsetof(private_traffic_selector_substructure_t, start_port) }, /* 2 Byte end port*/ { U_INT_16, offsetof(private_traffic_selector_substructure_t, end_port) }, /* starting address is either 4 or 16 byte */ - { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) }, + { ADDRESS, offsetof(private_traffic_selector_substructure_t, starting_address) }, /* ending address is either 4 or 16 byte */ - { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) } - + { ADDRESS, offsetof(private_traffic_selector_substructure_t, ending_address) } }; /* @@ -111,10 +109,8 @@ encoding_rule_t traffic_selector_substructure_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_traffic_selector_substructure_t *this) +METHOD(payload_t, verify, status_t, + private_traffic_selector_substructure_t *this) { if (this->start_port > this->end_port) { 
@@ -152,72 +148,48 @@ static status_t verify(private_traffic_selector_substructure_t *this) return SUCCESS; } -/** - * Implementation of traffic_selector_substructure_t.get_encoding_rules. - */ -static void get_encoding_rules(private_traffic_selector_substructure_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_traffic_selector_substructure_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = traffic_selector_substructure_encodings; - *rule_count = sizeof(traffic_selector_substructure_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(traffic_selector_substructure_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_traffic_selector_substructure_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_traffic_selector_substructure_t *this) { return TRAFFIC_SELECTOR_SUBSTRUCTURE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_traffic_selector_substructure_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_traffic_selector_substructure_t *this) { - return 0; + return NO_PAYLOAD; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_traffic_selector_substructure_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_traffic_selector_substructure_t *this,payload_type_t type) { - } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_traffic_selector_substructure_t *this) +METHOD(payload_t, get_length, size_t, + private_traffic_selector_substructure_t *this) { return this->payload_length; } -/** - * Implementation of traffic_selector_substructure_t.get_traffic_selector. 
- */ -static traffic_selector_t *get_traffic_selector(private_traffic_selector_substructure_t *this) +METHOD(traffic_selector_substructure_t, get_traffic_selector, traffic_selector_t*, + private_traffic_selector_substructure_t *this) { - traffic_selector_t *ts; - ts = traffic_selector_create_from_bytes(this->ip_protocol_id, this->ts_type, - this->starting_address, this->start_port, - this->ending_address, this->end_port); - return ts; + return traffic_selector_create_from_bytes( + this->ip_protocol_id, this->ts_type, + this->starting_address, this->start_port, + this->ending_address, this->end_port); } -/** - * recompute length field of the payload - */ -void compute_length(private_traffic_selector_substructure_t *this) -{ - this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH + - this->ending_address.len + this->starting_address.len; -} - -/** - * Implementation of payload_t.destroy and traffic_selector_substructure_t.destroy. - */ -static void destroy(private_traffic_selector_substructure_t *this) +METHOD2(payload_t, traffic_selector_substructure_t, destroy, void, + private_traffic_selector_substructure_t *this) { free(this->starting_address.ptr); free(this->ending_address.ptr); 
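Review bot: set_next_type is an empty body and get_next_type now returns NO_PAYLOAD unconditionally, which reads like an unfinished stub although it is deliberate: the encoding rules for this substructure (TS_TYPE, protocol id, length, ports, addresses) contain no Next Payload field. A one-line comment on each, e.g. `/* TS substructures carry no Next Payload field; nothing to store */`, prevents the next reader from "fixing" it. Returning NO_PAYLOAD rather than the bare `0` is a welcome clarification and does not change behaviour.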
@@ -229,48 +201,46 @@ static void destroy(private_traffic_selector_substructure_t *this) */ traffic_selector_substructure_t *traffic_selector_substructure_create() { - private_traffic_selector_substructure_t *this = malloc_thing(private_traffic_selector_substructure_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.get_traffic_selector = (traffic_selector_t* (*)(traffic_selector_substructure_t*))get_traffic_selector; - this->public.destroy = (void (*) (traffic_selector_substructure_t *)) destroy; - - /* private variables */ - this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH; - this->start_port = 0; - this->end_port = 0; - this->starting_address = chunk_empty; - this->ending_address = chunk_empty; - this->ip_protocol_id = 0; - /* must be set to be valid */ - this->ts_type = TS_IPV4_ADDR_RANGE; - - return (&(this->public)); + private_traffic_selector_substructure_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_traffic_selector = _get_traffic_selector, + .destroy = _destroy, + }, + .payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH, + /* must be 
set to be valid */ + .ts_type = TS_IPV4_ADDR_RANGE, + ); + return &this->public; } /* * Described in header */ -traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector(traffic_selector_t *traffic_selector) +traffic_selector_substructure_t *traffic_selector_substructure_create_from_traffic_selector( + traffic_selector_t *ts) { - private_traffic_selector_substructure_t *this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create(); - this->ts_type = traffic_selector->get_type(traffic_selector); - this->ip_protocol_id = traffic_selector->get_protocol(traffic_selector); - this->start_port = traffic_selector->get_from_port(traffic_selector); - this->end_port = traffic_selector->get_to_port(traffic_selector); - this->starting_address = chunk_clone(traffic_selector->get_from_address(traffic_selector)); - this->ending_address = chunk_clone(traffic_selector->get_to_address(traffic_selector)); - - compute_length(this); + private_traffic_selector_substructure_t *this; + + this = (private_traffic_selector_substructure_t*)traffic_selector_substructure_create(); + this->ts_type = ts->get_type(ts); + this->ip_protocol_id = ts->get_protocol(ts); + this->start_port = ts->get_from_port(ts); + this->end_port = ts->get_to_port(ts); + this->starting_address = chunk_clone(ts->get_from_address(ts)); + this->ending_address = chunk_clone(ts->get_to_address(ts)); + this->payload_length = TRAFFIC_SELECTOR_HEADER_LENGTH + + this->ending_address.len + this->starting_address.len; - return &(this->public); + return &this->public; } diff --git a/src/libcharon/encoding/payloads/transform_attribute.c b/src/libcharon/encoding/payloads/transform_attribute.c index 8bf2ddef4..7d21258b1 100644 --- a/src/libcharon/encoding/payloads/transform_attribute.c +++ b/src/libcharon/encoding/payloads/transform_attribute.c 
@@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -26,9 +27,9 @@ typedef struct private_transform_attribute_t private_transform_attribute_t; /** * Private data of an transform_attribute_t object. - * */ struct private_transform_attribute_t { + /** * Public transform_attribute_t interface. */ @@ -70,7 +71,6 @@ ENUM_END(transform_attribute_type_name, KEY_LENGTH); * * The defined offsets are the positions in a object of type * private_transform_attribute_t. - * */ encoding_rule_t transform_attribute_encodings[] = { /* Flag defining the format of this payload */ @@ -78,7 +78,7 @@ encoding_rule_t transform_attribute_encodings[] = { /* type of the attribute as 15 bit unsigned integer */ { ATTRIBUTE_TYPE, offsetof(private_transform_attribute_t, attribute_type) }, /* Length or value, depending on the attribute format flag */ - { ATTRIBUTE_LENGTH_OR_VALUE, offsetof(private_transform_attribute_t, attribute_length_or_value) }, + { ATTRIBUTE_LENGTH_OR_VALUE,offsetof(private_transform_attribute_t, attribute_length_or_value) }, /* Value of attribute if attribute format flag is zero */ { ATTRIBUTE_VALUE, offsetof(private_transform_attribute_t, attribute_value) } }; 
@@ -95,162 +95,106 @@ encoding_rule_t transform_attribute_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_transform_attribute_t *this) +METHOD(payload_t, verify, status_t, + private_transform_attribute_t *this) { - if (this->attribute_type != KEY_LENGTH) - { - return FAILED; - } - return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_transform_attribute_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_transform_attribute_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = transform_attribute_encodings; - *rule_count = sizeof(transform_attribute_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(transform_attribute_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_type(private_transform_attribute_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_transform_attribute_t *this) { return TRANSFORM_ATTRIBUTE; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_transform_attribute_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_transform_attribute_t *this) { - return (NO_PAYLOAD); + return NO_PAYLOAD; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_transform_attribute_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_transform_attribute_t *this, payload_type_t type) { } -/** - * Implementation of transform_attribute_t.get_length. 
- */ -static size_t get_length(private_transform_attribute_t *this) +METHOD(payload_t, get_length, size_t, + private_transform_attribute_t *this) { - if (this->attribute_format == TRUE) + if (this->attribute_format) { - /*Attribute size is only 4 byte */ return 4; } - return (this->attribute_length_or_value + 4); + return this->attribute_length_or_value + 4; } -/** - * Implementation of transform_attribute_t.set_value_chunk. - */ -static void set_value_chunk(private_transform_attribute_t *this, chunk_t value) +METHOD(transform_attribute_t, set_value_chunk, void, + private_transform_attribute_t *this, chunk_t value) { - if (this->attribute_value.ptr != NULL) - { - /* free existing value */ - free(this->attribute_value.ptr); - this->attribute_value.ptr = NULL; - this->attribute_value.len = 0; - - } + chunk_free(&this->attribute_value); - if (value.len > 2) + if (value.len != 2) { - this->attribute_value.ptr = clalloc(value.ptr,value.len); - this->attribute_value.len = value.len; + this->attribute_value = chunk_clone(value); this->attribute_length_or_value = value.len; - /* attribute has not a fixed length */ this->attribute_format = FALSE; } else { - memcpy(&(this->attribute_length_or_value),value.ptr,value.len); + memcpy(&this->attribute_length_or_value, value.ptr, value.len); } } -/** - * Implementation of transform_attribute_t.set_value. - */ -static void set_value(private_transform_attribute_t *this, u_int16_t value) +METHOD(transform_attribute_t, set_value, void, + private_transform_attribute_t *this, u_int16_t value) { - if (this->attribute_value.ptr != NULL) - { - /* free existing value */ - free(this->attribute_value.ptr); - this->attribute_value.ptr = NULL; - this->attribute_value.len = 0; - - } + chunk_free(&this->attribute_value); this->attribute_length_or_value = value; + this->attribute_format = TRUE; } -/** - * Implementation of transform_attribute_t.get_value_chunk. 
- */ -static chunk_t get_value_chunk (private_transform_attribute_t *this) +METHOD(transform_attribute_t, get_value_chunk, chunk_t, + private_transform_attribute_t *this) { - chunk_t value; - - if (this->attribute_format == FALSE) + if (this->attribute_format) { - value.ptr = this->attribute_value.ptr; - value.len = this->attribute_value.len; + return chunk_from_thing(this->attribute_length_or_value); } - else - { - value.ptr = (void *) &(this->attribute_length_or_value); - value.len = 2; - } - - return value; + return this->attribute_value; } -/** - * Implementation of transform_attribute_t.get_value. - */ -static u_int16_t get_value (private_transform_attribute_t *this) +METHOD(transform_attribute_t, get_value, u_int16_t, + private_transform_attribute_t *this) { return this->attribute_length_or_value; } - -/** - * Implementation of transform_attribute_t.set_attribute_type. - */ -static void set_attribute_type (private_transform_attribute_t *this, u_int16_t type) +METHOD(transform_attribute_t, set_attribute_type, void, + private_transform_attribute_t *this, u_int16_t type) { this->attribute_type = type & 0x7FFF; } -/** - * Implementation of transform_attribute_t.get_attribute_type. - */ -static u_int16_t get_attribute_type (private_transform_attribute_t *this) +METHOD(transform_attribute_t, get_attribute_type, u_int16_t, + private_transform_attribute_t *this) { return this->attribute_type; } -/** - * Implementation of transform_attribute_t.clone. - */ -static transform_attribute_t * _clone(private_transform_attribute_t *this) +METHOD(transform_attribute_t, clone_, transform_attribute_t*, + private_transform_attribute_t *this) { private_transform_attribute_t *new_clone; - new_clone = (private_transform_attribute_t *) transform_attribute_create(); + new_clone = (private_transform_attribute_t *)transform_attribute_create(); new_clone->attribute_format = this->attribute_format; new_clone->attribute_type = this->attribute_type; 
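Review bot: verify() in transform_attribute.c now returns SUCCESS unconditionally, so an attribute of a type other than KEY_LENGTH, or a KEY_LENGTH attribute in TLV form, is no longer rejected here; unless that check has moved to a caller I would keep at least `if (this->attribute_type == KEY_LENGTH && !this->attribute_format) { return FAILED; }`, because get_value() on a TLV-form attribute returns the length field rather than a key length. In set_value_chunk the two-byte branch copies the bytes into attribute_length_or_value but, unlike set_value, never sets `this->attribute_format = TRUE;`, so an object that previously held a TLV value keeps attribute_format FALSE and get_length()/get_value_chunk() then report the stale TLV form; add the assignment in the else branch. That memcpy also stores the two bytes in arrival order with no byte-order conversion, which presumably only works for callers that pass host-order data, and a comment saying so would help. clone_ at the end of the hunk continues outside it.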
@@ -258,22 +202,15 @@ static transform_attribute_t * _clone(private_transform_attribute_t *this)
 if (!new_clone->attribute_format)
 {
- new_clone->attribute_value.ptr = clalloc(this->attribute_value.ptr,this->attribute_value.len);
- new_clone->attribute_value.len = this->attribute_value.len;
+ new_clone->attribute_value = chunk_clone(this->attribute_value);
 }
-
- return (transform_attribute_t *) new_clone;
+ return &new_clone->public;
 }
-/**
- * Implementation of transform_attribute_t.destroy and payload_t.destroy.
- */
-static void destroy(private_transform_attribute_t *this)
+METHOD2(payload_t, transform_attribute_t, destroy, void,
+ private_transform_attribute_t *this)
 {
- if (this->attribute_value.ptr != NULL)
- {
- free(this->attribute_value.ptr);
- }
+ free(this->attribute_value.ptr);
 free(this);
 }
@@ -282,35 +219,31 @@ static void destroy(private_transform_attribute_t *this) */ transform_attribute_t *transform_attribute_create() { - private_transform_attribute_t *this = malloc_thing(private_transform_attribute_t); - - /* payload interface */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.set_value_chunk = (void (*) (transform_attribute_t *,chunk_t)) set_value_chunk; - this->public.set_value = (void (*) (transform_attribute_t *,u_int16_t)) set_value; - this->public.get_value_chunk = (chunk_t (*) (transform_attribute_t *)) get_value_chunk; - this->public.get_value = (u_int16_t (*) (transform_attribute_t *)) get_value; - this->public.set_attribute_type = (void (*) (transform_attribute_t *,u_int16_t type)) set_attribute_type; - this->public.get_attribute_type = (u_int16_t (*) (transform_attribute_t *)) get_attribute_type; - this->public.clone = (transform_attribute_t * (*) (transform_attribute_t *)) _clone; - this->public.destroy = (void (*) (transform_attribute_t *)) destroy; - - /* set default values of the fields */ - this->attribute_format = TRUE; - this->attribute_type = 0; - this->attribute_length_or_value = 0; - this->attribute_value.ptr = NULL; - this->attribute_value.len = 0; - - return (&(this->public)); + private_transform_attribute_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = 
_verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_value_chunk = _set_value_chunk, + .set_value = _set_value, + .get_value_chunk = _get_value_chunk, + .get_value = _get_value, + .set_attribute_type = _set_attribute_type, + .get_attribute_type = _get_attribute_type, + .clone = _clone_, + .destroy = _destroy, + }, + .attribute_format = TRUE, + ); + return &this->public; } /* @@ -319,7 +252,7 @@ transform_attribute_t *transform_attribute_create() transform_attribute_t *transform_attribute_create_key_length(u_int16_t key_length) { transform_attribute_t *attribute = transform_attribute_create(); - attribute->set_attribute_type(attribute,KEY_LENGTH); - attribute->set_value(attribute,key_length); + attribute->set_attribute_type(attribute, KEY_LENGTH); + attribute->set_value(attribute, key_length); return attribute; } diff --git a/src/libcharon/encoding/payloads/transform_substructure.c b/src/libcharon/encoding/payloads/transform_substructure.c index c94f6c1a2..0428da726 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.c +++ b/src/libcharon/encoding/payloads/transform_substructure.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -24,14 +25,13 @@ #include #include - typedef struct private_transform_substructure_t private_transform_substructure_t; /** * Private data of an transform_substructure_t object. - * */ struct private_transform_substructure_t { + /** * Public transform_substructure_t interface. */ 
@@ -41,14 +41,16 @@ struct private_transform_substructure_t { * Next payload type. */ u_int8_t next_payload; - + /** + * Reserved bytes + */ + u_int8_t reserved[2]; /** * Length of this payload. */ u_int16_t transform_length; - /** * Type of the transform. */ @@ -65,30 +67,28 @@ struct private_transform_substructure_t { linked_list_t *attributes; }; - /** * Encoding rules to parse or generate a Transform substructure. * * The defined offsets are the positions in a object of type * private_transform_substructure_t. - * */ encoding_rule_t transform_substructure_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_transform_substructure_t, next_payload) }, - /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + { U_INT_8, offsetof(private_transform_substructure_t, next_payload) }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[0]) }, /* Length of the whole transform substructure*/ - { PAYLOAD_LENGTH, offsetof(private_transform_substructure_t, transform_length) }, + { PAYLOAD_LENGTH, offsetof(private_transform_substructure_t, transform_length)}, /* transform type is a number of 8 bit */ - { U_INT_8, offsetof(private_transform_substructure_t, transform_type) }, - /* Reserved Byte is skipped */ - { RESERVED_BYTE, 0 }, + { U_INT_8, offsetof(private_transform_substructure_t, transform_type) }, + /* 1 Reserved Byte */ + { RESERVED_BYTE, offsetof(private_transform_substructure_t, reserved[1]) }, /* tranform ID is a number of 8 bit */ - { U_INT_16, offsetof(private_transform_substructure_t, transform_id) }, + { U_INT_16, offsetof(private_transform_substructure_t, transform_id) }, /* Attributes are stored in a transform attribute, offset points to a linked_list_t pointer */ - { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) } + { TRANSFORM_ATTRIBUTES, offsetof(private_transform_substructure_t, attributes) } }; /* 
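Review bot: The comment on the transform_id rule still reads `/* tranform ID is a number of 8 bit */` although the rule directly below it is U_INT_16; correct it to `/* transform ID is a number of 16 bit */` while the line is being touched. The two RESERVED_BYTE rules now point at real storage in reserved[], so whatever a peer put in those bytes is retained in the object; RFC 4306 requires reserved fields to be sent as zero and ignored on receipt, so if the generator emits the stored byte instead of a constant zero, a parsed-then-re-encoded substructure would echo a non-zero value. That depends on generator code not in this diff, so it is worth confirming there rather than assuming. The struct definition in the first hunk on this line is only partially visible.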
@@ -105,19 +105,15 @@ encoding_rule_t transform_substructure_encodings[] = {
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
-
-/**
- * Implementation of payload_t.verify.
- */
-static status_t verify(private_transform_substructure_t *this)
+METHOD(payload_t, verify, status_t,
+ private_transform_substructure_t *this)
 {
 status_t status = SUCCESS;
- iterator_t *iterator;
- payload_t *current_attributes;
+ enumerator_t *enumerator;
+ payload_t *attribute;
- if ((this->next_payload != NO_PAYLOAD) && (this->next_payload != 3))
+ if (this->next_payload != NO_PAYLOAD && this->next_payload != 3)
 {
- /* must be 0 or 3 */
 DBG1(DBG_ENC, "inconsistent next payload");
 return FAILED;
 }
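Review bot: The next-payload check in verify() still compares against the literal `3` after the rewrite, while the header defines TRANSFORM_TYPE_VALUE for exactly this marker and set_is_last_transform in a later hunk uses that constant; write `if (this->next_payload != NO_PAYLOAD && this->next_payload != TRANSFORM_TYPE_VALUE)` so the removed `/* must be 0 or 3 */` comment is no longer needed. verify() continues outside this hunk.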
@@ -138,45 +134,41 @@ static status_t verify(private_transform_substructure_t *this)
 return FAILED;
 }
 }
- iterator = this->attributes->create_iterator(this->attributes,TRUE);
- while(iterator->iterate(iterator, (void**)¤t_attributes))
+ enumerator = this->attributes->create_enumerator(this->attributes);
+ while (enumerator->enumerate(enumerator, &attribute))
 {
- status = current_attributes->verify(current_attributes);
+ status = attribute->verify(attribute);
 if (status != SUCCESS)
 {
 DBG1(DBG_ENC, "TRANSFORM_ATTRIBUTE verification failed");
+ break;
 }
 }
- iterator->destroy(iterator);
+ enumerator->destroy(enumerator);
 /* proposal number is checked in SA payload */
 return status;
 }
-/**
- * Implementation of payload_t.get_encoding_rules.
- */
-static void get_encoding_rules(private_transform_substructure_t *this, encoding_rule_t **rules, size_t *rule_count)
+METHOD(payload_t, get_encoding_rules, void,
+ private_transform_substructure_t *this, encoding_rule_t **rules,
+ size_t *rule_count)
 {
 *rules = transform_substructure_encodings;
- *rule_count = sizeof(transform_substructure_encodings) / sizeof(encoding_rule_t);
+ *rule_count = countof(transform_substructure_encodings);
 }
-/**
- * Implementation of payload_t.get_type.
- */
-static payload_type_t get_type(private_transform_substructure_t *this)
+METHOD(payload_t, get_type, payload_type_t,
+ private_transform_substructure_t *this)
 {
 return TRANSFORM_SUBSTRUCTURE;
 }
-/**
- * Implementation of payload_t.get_next_type.
- */
-static payload_type_t get_next_type(private_transform_substructure_t *this)
+METHOD(payload_t, get_next_type, payload_type_t,
+ private_transform_substructure_t *this)
 {
- return (this->next_payload);
+ return this->next_payload;
 }
 /**
@@ -184,154 +176,69 @@ static payload_type_t get_next_type(private_transform_substructure_t *this) */ static void compute_length (private_transform_substructure_t *this) { - iterator_t *iterator; - payload_t *current_attribute; - size_t length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + enumerator_t *enumerator; + payload_t *attribute; - iterator = this->attributes->create_iterator(this->attributes,TRUE); - while (iterator->iterate(iterator, (void**)¤t_attribute)) + this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; + enumerator = this->attributes->create_enumerator(this->attributes); + while (enumerator->enumerate(enumerator, &attribute)) { - length += current_attribute->get_length(current_attribute); + this->transform_length += attribute->get_length(attribute); } - iterator->destroy(iterator); - - this->transform_length = length; + enumerator->destroy(enumerator); } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_transform_substructure_t *this) +METHOD(payload_t, get_length, size_t, + private_transform_substructure_t *this) { - compute_length(this); return this->transform_length; } -/** - * Implementation of transform_substructure_t.create_transform_attribute_iterator. - */ -static iterator_t *create_transform_attribute_iterator (private_transform_substructure_t *this,bool forward) -{ - return this->attributes->create_iterator(this->attributes,forward); -} - -/** - * Implementation of transform_substructure_t.add_transform_attribute. - */ -static void add_transform_attribute (private_transform_substructure_t *this,transform_attribute_t *attribute) -{ - this->attributes->insert_last(this->attributes,(void *) attribute); - compute_length(this); -} - -/** - * Implementation of transform_substructure_t.set_is_last_transform. - */ -static void set_is_last_transform (private_transform_substructure_t *this, bool is_last) -{ - this->next_payload = (is_last) ? 
0: TRANSFORM_TYPE_VALUE; -} - -/** - * Implementation of transform_substructure_t.get_is_last_transform. - */ -static bool get_is_last_transform (private_transform_substructure_t *this) -{ - return ((this->next_payload == TRANSFORM_TYPE_VALUE) ? FALSE : TRUE); -} - -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_transform_substructure_t *this,payload_type_t type) +METHOD(transform_substructure_t, set_is_last_transform, void, + private_transform_substructure_t *this, bool is_last) { + this->next_payload = is_last ? 0: TRANSFORM_TYPE_VALUE; } -/** - * Implementation of transform_substructure_t.set_transform_type. - */ -static void set_transform_type (private_transform_substructure_t *this,u_int8_t type) +METHOD(payload_t, set_next_type, void, + private_transform_substructure_t *this,payload_type_t type) { - this->transform_type = type; } -/** - * Implementation of transform_substructure_t.get_transform_type. - */ -static u_int8_t get_transform_type (private_transform_substructure_t *this) +METHOD(transform_substructure_t, get_transform_type, u_int8_t, + private_transform_substructure_t *this) { return this->transform_type; } -/** - * Implementation of transform_substructure_t.set_transform_id. - */ -static void set_transform_id (private_transform_substructure_t *this,u_int16_t id) -{ - this->transform_id = id; -} - -/** - * Implementation of transform_substructure_t.get_transform_id. - */ -static u_int16_t get_transform_id (private_transform_substructure_t *this) +METHOD(transform_substructure_t, get_transform_id, u_int16_t, + private_transform_substructure_t *this) { return this->transform_id; } -/** - * Implementation of transform_substructure_t.clone. 
- */ -static transform_substructure_t *clone_(private_transform_substructure_t *this) -{ - private_transform_substructure_t *clone; - iterator_t *attributes; - transform_attribute_t *current_attribute; - - clone = (private_transform_substructure_t *) transform_substructure_create(); - clone->next_payload = this->next_payload; - clone->transform_type = this->transform_type; - clone->transform_id = this->transform_id; - - attributes = this->attributes->create_iterator(this->attributes, FALSE); - while (attributes->iterate(attributes, (void**)¤t_attribute)) - { - current_attribute = current_attribute->clone(current_attribute); - clone->public.add_transform_attribute(&clone->public, current_attribute); - } - attributes->destroy(attributes); - - return &clone->public; -} - - -/** - * Implementation of transform_substructure_t.get_key_length. - */ -static status_t get_key_length(private_transform_substructure_t *this, u_int16_t *key_length) +METHOD(transform_substructure_t, get_key_length, status_t, + private_transform_substructure_t *this, u_int16_t *key_length) { - iterator_t *attributes; - transform_attribute_t *current_attribute; + enumerator_t *enumerator; + transform_attribute_t *attribute; - attributes = this->attributes->create_iterator(this->attributes, TRUE); - while (attributes->iterate(attributes, (void**)¤t_attribute)) + enumerator = this->attributes->create_enumerator(this->attributes); + while (enumerator->enumerate(enumerator, &attribute)) { - if (current_attribute->get_attribute_type(current_attribute) == KEY_LENGTH) + if (attribute->get_attribute_type(attribute) == KEY_LENGTH) { - *key_length = current_attribute->get_value(current_attribute); - attributes->destroy(attributes); + *key_length = attribute->get_value(attribute); + enumerator->destroy(enumerator); return SUCCESS; } } - attributes->destroy(attributes); + enumerator->destroy(enumerator); return FAILED; } - -/** - * Implementation of transform_substructure_t.destroy and payload_t.destroy. 
- */ -static void destroy(private_transform_substructure_t *this) +METHOD2(payload_t, transform_substructure_t, destroy, void, + private_transform_substructure_t *this) { this->attributes->destroy_offset(this->attributes, offsetof(transform_attribute_t, destroy)); 
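Review bot: get_key_length() returns `attribute->get_value(attribute)` as soon as it finds a KEY_LENGTH attribute without considering the attribute's format; in transform_attribute.c that field is the data length for a TLV-encoded attribute (set_value_chunk stores value.len there and get_length adds 4 to it), so a peer that encodes KEY_LENGTH in the variable-length form would presumably be reported with a bogus key length. Either reject a TLV-form KEY_LENGTH in transform_attribute's verify() or have transform_attribute_t expose the format so this loop can skip such attributes, and say in a comment which of the two is relied upon. set_is_last_transform also writes the literal `0` where the rest of the file uses NO_PAYLOAD: `this->next_payload = is_last ? NO_PAYLOAD : TRANSFORM_TYPE_VALUE;`. destroy at the end of the hunk continues outside it.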
@@ -343,60 +250,50 @@ static void destroy(private_transform_substructure_t *this) */ transform_substructure_t *transform_substructure_create() { - private_transform_substructure_t *this = malloc_thing(private_transform_substructure_t); - - /* payload interface */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.create_transform_attribute_iterator = (iterator_t * (*) (transform_substructure_t *,bool)) create_transform_attribute_iterator; - this->public.add_transform_attribute = (void (*) (transform_substructure_t *,transform_attribute_t *)) add_transform_attribute; - this->public.set_is_last_transform = (void (*) (transform_substructure_t *,bool)) set_is_last_transform; - this->public.get_is_last_transform = (bool (*) (transform_substructure_t *)) get_is_last_transform; - this->public.set_transform_type = (void (*) (transform_substructure_t *,u_int8_t)) set_transform_type; - this->public.get_transform_type = (u_int8_t (*) (transform_substructure_t *)) get_transform_type; - this->public.set_transform_id = (void (*) (transform_substructure_t *,u_int16_t)) set_transform_id; - this->public.get_transform_id = (u_int16_t (*) (transform_substructure_t *)) get_transform_id; - this->public.get_key_length = (status_t (*) (transform_substructure_t *,u_int16_t *)) get_key_length; - this->public.clone = (transform_substructure_t* (*) 
(transform_substructure_t *)) clone_; - this->public.destroy = (void (*) (transform_substructure_t *)) destroy; - - /* set default values of the fields */ - this->next_payload = NO_PAYLOAD; - this->transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH; - this->transform_id = 0; - this->transform_type = 0; - this->attributes = linked_list_create(); - - return (&(this->public)); + private_transform_substructure_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .set_is_last_transform = _set_is_last_transform, + .get_transform_type = _get_transform_type, + .get_transform_id = _get_transform_id, + .get_key_length = _get_key_length, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .transform_length = TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH, + .attributes = linked_list_create(), + ); + return &this->public; } /* * Described in header */ transform_substructure_t *transform_substructure_create_type( - transform_type_t transform_type, - u_int16_t transform_id, u_int16_t key_length) + transform_type_t type, u_int16_t id, u_int16_t key_length) { - transform_substructure_t *transform = transform_substructure_create(); + private_transform_substructure_t *this; - transform->set_transform_type(transform,transform_type); - transform->set_transform_id(transform,transform_id); + this = (private_transform_substructure_t*)transform_substructure_create(); + this->transform_type = type; + this->transform_id = id; if (key_length) { - transform_attribute_t *attribute; - - attribute = transform_attribute_create_key_length(key_length); - transform->add_transform_attribute(transform, attribute); - + this->attributes->insert_last(this->attributes, + (void*)transform_attribute_create_key_length(key_length)); + compute_length(this); } - return transform; + 
return &this->public; } diff --git a/src/libcharon/encoding/payloads/transform_substructure.h b/src/libcharon/encoding/payloads/transform_substructure.h index 5d31f8c0a..c961700a4 100644 --- a/src/libcharon/encoding/payloads/transform_substructure.h +++ b/src/libcharon/encoding/payloads/transform_substructure.h @@ -34,7 +34,6 @@ typedef struct transform_substructure_t transform_substructure_t; #include #include - /** * IKEv1 Value for a transform payload. */ @@ -45,31 +44,18 @@ typedef struct transform_substructure_t transform_substructure_t; */ #define TRANSFORM_SUBSTRUCTURE_HEADER_LENGTH 8 - /** * Class representing an IKEv2- TRANSFORM SUBSTRUCTURE. * * The TRANSFORM SUBSTRUCTURE format is described in RFC section 3.3.2. */ struct transform_substructure_t { + /** * The payload_t interface. */ payload_t payload_interface; - /** - * Creates an iterator of stored transform_attribute_t objects. - * - * When deleting an transform attribute using this iterator, - * the length of this transform substructure has to be refreshed - * by calling get_length(). - * - * @param forward iterator direction (TRUE: front to end) - * @return created iterator_t object. - */ - iterator_t * (*create_transform_attribute_iterator) ( - transform_substructure_t *this, bool forward); - /** * Adds a transform_attribute_t object to this object. * @@ -88,20 +74,6 @@ struct transform_substructure_t { */ void (*set_is_last_transform) (transform_substructure_t *this, bool is_last); - /** - * Checks if this is the last transform. - * - * @return TRUE if this is the last Transform, FALSE otherwise - */ - bool (*get_is_last_transform) (transform_substructure_t *this); - - /** - * Sets transform type of the current transform substructure. - * - * @param type type value to set - */ - void (*set_transform_type) (transform_substructure_t *this, u_int8_t type); - /** * get transform type of the current transform. * 
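Review bot: transform_substructure_create() no longer assigns `.add_transform_attribute` in INIT and the implementation was deleted in the previous hunk, yet the transform_substructure.h hunk on this same line keeps the `Adds a transform_attribute_t object to this object.` declaration in transform_substructure_t; because INIT zero-fills the struct, any caller still using the documented method dereferences a NULL function pointer. Either drop the declaration and its doc block from the header or reinstate the method as `insert_last` followed by `compute_length(this)`, which is what transform_substructure_create_type now does inline. create_type calls compute_length() only inside `if (key_length)`, which is correct today because the list is otherwise empty, but a one-line comment stating that assumption would save the next reader the check.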
@@ -110,21 +82,14 @@ struct transform_substructure_t {
 u_int8_t (*get_transform_type) (transform_substructure_t *this);
 /**
- * Sets transform id of the current transform substructure.
- *
- * @param id transform id to set
- */
- void (*set_transform_id) (transform_substructure_t *this, u_int16_t id);
-
- /**
- * get transform id of the current transform.
+ * Get transform id of the current transform.
 *
 * @return Transform id of current transform substructure.
 */
 u_int16_t (*get_transform_id) (transform_substructure_t *this);
 /**
- * get transform id of the current transform.
+ * Get transform id of the current transform.
 *
 * @param key_length The key length is written to this location
 * @return
@@ -135,13 +100,6 @@ struct transform_substructure_t {
 status_t (*get_key_length) (transform_substructure_t *this, u_int16_t *key_length);
- /**
- * Clones an transform_substructure_t object.
- *
- * @return cloned transform_substructure_t object
- */
- transform_substructure_t* (*clone) (transform_substructure_t *this);
-
 /**
 * Destroys an transform_substructure_t object.
 */
@@ -151,24 +109,19 @@ struct transform_substructure_t { /** * Creates an empty transform_substructure_t object. * - * @return created transform_substructure_t object + * @return created transform_substructure_t object */ transform_substructure_t *transform_substructure_create(void); /** * Creates an empty transform_substructure_t object. * - * The key length is used for the transport types ENCRYPTION_ALGORITHM, - * PSEUDO_RANDOM_FUNCTION, INTEGRITY_ALGORITHM. For all - * other transport types the key_length parameter is not used - * - * @param transform_type type of transform to create - * @param transform_id transform id specifying the specific algorithm of a transform type - * @param key_length Key length for key lenght attribute - * @return transform_substructure_t object + * @param type type of transform to create + * @param id transform id specifc for the transform type + * @param key_length key length for key lenght attribute, 0 to omit + * @return transform_substructure_t object */ transform_substructure_t *transform_substructure_create_type( - transform_type_t transform_type, u_int16_t transform_id, - u_int16_t key_length); + transform_type_t type, u_int16_t id, u_int16_t key_length); #endif /** TRANSFORM_SUBSTRUCTURE_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/ts_payload.c b/src/libcharon/encoding/payloads/ts_payload.c index 6bf3e4293..28f760e40 100644 --- a/src/libcharon/encoding/payloads/ts_payload.c +++ b/src/libcharon/encoding/payloads/ts_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2006 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -25,9 +26,9 @@ typedef struct private_ts_payload_t private_ts_payload_t; /** * Private data of an ts_payload_t object. - * */ struct private_ts_payload_t { + /** * Public ts_payload_t interface. */ 
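Review bot: The rewritten Doxygen block for transform_substructure_create_type carries two typos on the new side, `specifc` and `lenght`; suggest `@param id transform id specific for the transform type` and `@param key_length key length for key length attribute, 0 to omit`. The removed text also said which transform types actually use key_length (encryption, PRF, integrity); one sentence preserving that would keep the `0 to omit` advice actionable. The declaration itself is unchanged apart from parameter renames, so callers are unaffected.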
@@ -48,6 +49,16 @@ struct private_ts_payload_t { */ bool critical; + /** + * reserved bits + */ + bool reserved_bit[7]; + + /** + * reserved bytes + */ + bool reserved_byte[3]; + /** * Length of this payload. */ @@ -56,12 +67,12 @@ struct private_ts_payload_t { /** * Number of traffic selectors */ - u_int8_t number_of_traffic_selectors; + u_int8_t ts_num; /** * Contains the traffic selectors of type traffic_selector_substructure_t. */ - linked_list_t *traffic_selectors; + linked_list_t *substrs; }; /** 
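Review bot: `bool reserved_byte[3]` is the wrong storage type for the three RESERVED_BYTE octets of the TS header: each slot receives a full byte from the wire, and the parser presumably writes it through a `u_int8_t` pointer into `_Bool` storage, where any value other than 0 or 1 is a trap representation and may not round-trip when the payload is regenerated. Declare it as `u_int8_t reserved_byte[3];` to match the wire field. `bool reserved_bit[7]` is fine, since each RESERVED_BIT is a single flag. The encoding rules that reference these fields are in the next hunk of this file.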
@@ -69,31 +80,30 @@ struct private_ts_payload_t { * * The defined offsets are the positions in a object of type * private_ts_payload_t. - * */ encoding_rule_t ts_payload_encodings[] = { /* 1 Byte next payload type, stored in the field next_payload */ - { U_INT_8, offsetof(private_ts_payload_t, next_payload) }, + { U_INT_8, offsetof(private_ts_payload_t, next_payload) }, /* the critical bit */ - { FLAG, offsetof(private_ts_payload_t, critical) }, - /* 7 Bit reserved bits, nowhere stored */ - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, - { RESERVED_BIT, 0 }, + { FLAG, offsetof(private_ts_payload_t, critical) }, + /* 7 Bit reserved bits */ + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[0]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[1]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[2]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[3]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[4]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[5]) }, + { RESERVED_BIT, offsetof(private_ts_payload_t, reserved_bit[6]) }, /* Length of the whole payload*/ - { PAYLOAD_LENGTH, offsetof(private_ts_payload_t, payload_length)}, + { PAYLOAD_LENGTH, offsetof(private_ts_payload_t, payload_length) }, /* 1 Byte TS type*/ - { U_INT_8, offsetof(private_ts_payload_t, number_of_traffic_selectors) }, + { U_INT_8, offsetof(private_ts_payload_t, ts_num) }, /* 3 reserved bytes */ - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, - { RESERVED_BYTE, 0 }, + { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[0])}, + { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[1])}, + { RESERVED_BYTE, offsetof(private_ts_payload_t, reserved_byte[2])}, /* some ts data bytes, length is defined in PAYLOAD_LENGTH */ - { TRAFFIC_SELECTORS, offsetof(private_ts_payload_t, traffic_selectors) } + { 
TRAFFIC_SELECTORS,offsetof(private_ts_payload_t, substrs) } }; /* 
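Review bot: The comment `/* 1 Byte TS type*/` above the rule for `ts_num` is wrong and the rename makes the mismatch obvious: this octet is the "Number of TSs" field of the TS payload header, not a type. Suggest `/* 1 Byte number of traffic selectors */`, mirroring the `/* 3 reserved bytes */` wording below it. The three RESERVED_BYTE rules also point into a `bool` array declared in the previous hunk; they should target a `u_int8_t` array so a full octet fits.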
@@ -110,71 +120,56 @@ encoding_rule_t ts_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_ts_payload_t *this) +METHOD(payload_t, verify, status_t, + private_ts_payload_t *this) { - iterator_t *iterator; - payload_t *current_traffic_selector; + enumerator_t *enumerator; + payload_t *substr; status_t status = SUCCESS; - if (this->number_of_traffic_selectors != (this->traffic_selectors->get_count(this->traffic_selectors))) + if (this->ts_num != this->substrs->get_count(this->substrs)) { - /* must be the same */ return FAILED; } - - iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); - while(iterator->iterate(iterator, (void**)¤t_traffic_selector)) + enumerator = this->substrs->create_enumerator(this->substrs); + while (enumerator->enumerate(enumerator, &substr)) { - status = current_traffic_selector->verify(current_traffic_selector); + status = substr->verify(substr); if (status != SUCCESS) { break; } } - iterator->destroy(iterator); + enumerator->destroy(enumerator); return status; } -/** - * Implementation of ts_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_ts_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = ts_payload_encodings; - *rule_count = sizeof(ts_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(ts_payload_encodings); } -/** - * Implementation of payload_t.get_type. 
- */ -static payload_type_t get_payload_type(private_ts_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_ts_payload_t *this) { if (this->is_initiator) { return TRAFFIC_SELECTOR_INITIATOR; } - else - { - return TRAFFIC_SELECTOR_RESPONDER; - } + return TRAFFIC_SELECTOR_RESPONDER; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_ts_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_ts_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_ts_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_ts_payload_t *this,payload_type_t type) { this->next_payload = type; } 
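Review bot: verify() on the new side accepts `ts_num == 0` together with an empty substructure list; a TSi/TSr carrying no selectors has no selection criteria to negotiate and is presumably malformed, so rejecting it here with `if (this->ts_num == 0 || this->ts_num != this->substrs->get_count(this->substrs))` keeps the check next to the count it already validates. I cannot see from this hunk whether the parser or the CHILD_SA code already enforces a minimum, so confirm before adding. Minor style: `private_ts_payload_t *this,payload_type_t type` in set_next_type lacks the space after the comma used in the other METHOD signatures in this file.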
@@ -182,95 +177,64 @@ static void set_next_type(private_ts_payload_t *this,payload_type_t type) /** * recompute the length of the payload. */ -static void compute_length (private_ts_payload_t *this) +static void compute_length(private_ts_payload_t *this) { - iterator_t *iterator; - size_t ts_count = 0; - size_t length = TS_PAYLOAD_HEADER_LENGTH; - payload_t *current_traffic_selector; + enumerator_t *enumerator; + payload_t *subst; - iterator = this->traffic_selectors->create_iterator(this->traffic_selectors,TRUE); - while (iterator->iterate(iterator, (void**)¤t_traffic_selector)) + this->payload_length = TS_PAYLOAD_HEADER_LENGTH; + this->ts_num = 0; + enumerator = this->substrs->create_enumerator(this->substrs); + while (enumerator->enumerate(enumerator, &subst)) { - length += current_traffic_selector->get_length(current_traffic_selector); - ts_count++; + this->payload_length += subst->get_length(subst); + this->ts_num++; } - iterator->destroy(iterator); - - this->number_of_traffic_selectors= ts_count; - this->payload_length = length; + enumerator->destroy(enumerator); } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_ts_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_ts_payload_t *this) { - compute_length(this); return this->payload_length; } -/** - * Implementation of ts_payload_t.get_initiator. - */ -static bool get_initiator (private_ts_payload_t *this) +METHOD(ts_payload_t, get_initiator, bool, + private_ts_payload_t *this) { - return (this->is_initiator); + return this->is_initiator; } -/** - * Implementation of ts_payload_t.set_initiator. - */ -static void set_initiator (private_ts_payload_t *this,bool is_initiator) +METHOD(ts_payload_t, set_initiator, void, + private_ts_payload_t *this,bool is_initiator) { this->is_initiator = is_initiator; } -/** - * Implementation of ts_payload_t.add_traffic_selector_substructure. 
- */ -static void add_traffic_selector_substructure (private_ts_payload_t *this,traffic_selector_substructure_t *traffic_selector) -{ - this->traffic_selectors->insert_last(this->traffic_selectors,traffic_selector); - this->number_of_traffic_selectors = this->traffic_selectors->get_count(this->traffic_selectors); -} - -/** - * Implementation of ts_payload_t.create_traffic_selector_substructure_iterator. - */ -static iterator_t * create_traffic_selector_substructure_iterator (private_ts_payload_t *this, bool forward) -{ - return this->traffic_selectors->create_iterator(this->traffic_selectors,forward); -} - -/** - * Implementation of ts_payload_t.get_traffic_selectors. - */ -static linked_list_t *get_traffic_selectors(private_ts_payload_t *this) +METHOD(ts_payload_t, get_traffic_selectors, linked_list_t*, + private_ts_payload_t *this) { traffic_selector_t *ts; - iterator_t *iterator; - traffic_selector_substructure_t *ts_substructure; - linked_list_t *ts_list = linked_list_create(); + enumerator_t *enumerator; + traffic_selector_substructure_t *subst; + linked_list_t *list; - iterator = this->traffic_selectors->create_iterator(this->traffic_selectors, TRUE); - while (iterator->iterate(iterator, (void**)&ts_substructure)) + list = linked_list_create(); + enumerator = this->substrs->create_enumerator(this->substrs); + while (enumerator->enumerate(enumerator, &subst)) { - ts = ts_substructure->get_traffic_selector(ts_substructure); - ts_list->insert_last(ts_list, (void*)ts); + ts = subst->get_traffic_selector(subst); + list->insert_last(list, ts); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); - return ts_list; + return list; } -/** - * Implementation of payload_t.destroy and ts_payload_t.destroy. 
- */ -static void destroy(private_ts_payload_t *this) +METHOD2(payload_t, ts_payload_t, destroy, void, + private_ts_payload_t *this) { - this->traffic_selectors->destroy_offset(this->traffic_selectors, - offsetof(payload_t, destroy)); + this->substrs->destroy_offset(this->substrs, offsetof(payload_t, destroy)); free(this); } 
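Review bot: compute_length() counts substructures into the `u_int8_t ts_num` and sums their lengths into the `u_int16_t payload_length`, so more than 255 selectors (or more than 64 KiB of them) wraps silently and the header no longer describes the payload; a peer's verify() would then reject a message this code built itself. The list comes from local configuration through ts_payload_create_from_traffic_selectors, so this is robustness rather than an attack surface, but a check such as `if (this->substrs->get_count(this->substrs) > 255)` with a log line or assertion before the loop would make the wire limit explicit. Separately, get_length() no longer calls compute_length(); that is sound now that add_traffic_selector_substructure and the iterator are gone, and a one-line comment on get_length saying the length is fixed at parse/creation time would record that invariant.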
@@ -279,56 +243,53 @@ static void destroy(private_ts_payload_t *this) */ ts_payload_t *ts_payload_create(bool is_initiator) { - private_ts_payload_t *this = malloc_thing(private_ts_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (ts_payload_t *)) destroy; - this->public.get_initiator = (bool (*) (ts_payload_t *)) get_initiator; - this->public.set_initiator = (void (*) (ts_payload_t *,bool)) set_initiator; - this->public.add_traffic_selector_substructure = (void (*) (ts_payload_t *,traffic_selector_substructure_t *)) add_traffic_selector_substructure; - this->public.create_traffic_selector_substructure_iterator = (iterator_t* (*) (ts_payload_t *,bool)) create_traffic_selector_substructure_iterator; - this->public.get_traffic_selectors = (linked_list_t *(*) (ts_payload_t *)) get_traffic_selectors; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length =TS_PAYLOAD_HEADER_LENGTH; - this->is_initiator = is_initiator; - this->number_of_traffic_selectors = 0; - this->traffic_selectors = linked_list_create(); + private_ts_payload_t *this; - return &(this->public); + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = 
_get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_initiator = _get_initiator, + .set_initiator = _set_initiator, + .get_traffic_selectors = _get_traffic_selectors, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = TS_PAYLOAD_HEADER_LENGTH, + .is_initiator = is_initiator, + .substrs = linked_list_create(), + ); + return &this->public; } /* * Described in header */ -ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, linked_list_t *traffic_selectors) +ts_payload_t *ts_payload_create_from_traffic_selectors(bool is_initiator, + linked_list_t *traffic_selectors) { - iterator_t *iterator; + enumerator_t *enumerator; traffic_selector_t *ts; - traffic_selector_substructure_t *ts_substructure; + traffic_selector_substructure_t *subst; private_ts_payload_t *this; this = (private_ts_payload_t*)ts_payload_create(is_initiator); - iterator = traffic_selectors->create_iterator(traffic_selectors, TRUE); - while (iterator->iterate(iterator, (void**)&ts)) + enumerator = traffic_selectors->create_enumerator(traffic_selectors); + while (enumerator->enumerate(enumerator, &ts)) { - ts_substructure = traffic_selector_substructure_create_from_traffic_selector(ts); - this->public.add_traffic_selector_substructure(&(this->public), ts_substructure); + subst = traffic_selector_substructure_create_from_traffic_selector(ts); + this->substrs->insert_last(this->substrs, subst); } - iterator->destroy(iterator); + enumerator->destroy(enumerator); + compute_length(this); - return &(this->public); + return &this->public; } - diff --git a/src/libcharon/encoding/payloads/ts_payload.h b/src/libcharon/encoding/payloads/ts_payload.h index d322ff1a8..88ca00bc9 100644 --- a/src/libcharon/encoding/payloads/ts_payload.h +++ b/src/libcharon/encoding/payloads/ts_payload.h @@ -19,7 +19,6 @@ * @{ @ingroup payloads */ - #ifndef TS_PAYLOAD_H_ #define TS_PAYLOAD_H_ 
@@ -36,13 +35,13 @@ typedef struct ts_payload_t ts_payload_t; */ #define TS_PAYLOAD_HEADER_LENGTH 8 - /** * Class representing an IKEv2 TS payload. * * The TS payload format is described in RFC section 3.13. */ struct ts_payload_t { + /** * The payload_t interface. */ @@ -66,27 +65,6 @@ struct ts_payload_t { */ void (*set_initiator) (ts_payload_t *this,bool is_initiator); - /** - * Adds a traffic_selector_substructure_t object to this object. - * - * @param traffic_selector traffic_selector_substructure_t object to add - */ - void (*add_traffic_selector_substructure) (ts_payload_t *this, - traffic_selector_substructure_t *traffic_selector); - - /** - * Creates an iterator of stored traffic_selector_substructure_t objects. - * - * When removing an traffic_selector_substructure_t object - * using this iterator, the length of this payload - * has to get refreshed by calling payload_t.get_length! - * - * @param forward iterator direction (TRUE: front to end) - * @return created iterator_t object - */ - iterator_t *(*create_traffic_selector_substructure_iterator) ( - ts_payload_t *this, bool forward); - /** * Get a list of nested traffic selectors as traffic_selector_t. * @@ -105,19 +83,15 @@ struct ts_payload_t { /** * Creates an empty ts_payload_t object. * - * @param is_initiator - * - TRUE if this payload is of type TSi - * - FALSE if this payload is of type TSr - * @return ts_payload_t object + * @param is_initiator TRUE for TSi, FALSE for TSr payload type + * @return ts_payload_t object */ ts_payload_t *ts_payload_create(bool is_initiator); /** * Creates ts_payload with a list of traffic_selector_t * - * @param is_initiator - * - TRUE if this payload is of type TSi - * - FALSE if this payload is of type TSr + * @param is_initiator TRUE for TSi, FALSE for TSr payload type * @param traffic_selectors list of traffic selectors to include * @return ts_payload_t object */ 
diff --git a/src/libcharon/encoding/payloads/unknown_payload.c b/src/libcharon/encoding/payloads/unknown_payload.c index dd5547dc3..27af338b3 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.c +++ b/src/libcharon/encoding/payloads/unknown_payload.c @@ -18,8 +18,6 @@ #include "unknown_payload.h" - - typedef struct private_unknown_payload_t private_unknown_payload_t; /** @@ -32,6 +30,11 @@ struct private_unknown_payload_t { */ unknown_payload_t public; + /** + * Type of this payload + */ + payload_type_t type; + /** * Next payload type. */ @@ -42,6 +45,11 @@ struct private_unknown_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ 
@@ -62,21 +70,21 @@ struct private_unknown_payload_t {
 */
 encoding_rule_t unknown_payload_encodings[] = {
 /* 1 Byte next payload type, stored in the field next_payload */
- { U_INT_8, offsetof(private_unknown_payload_t, next_payload)},
+ { U_INT_8, offsetof(private_unknown_payload_t, next_payload) },
 /* the critical bit */
- { FLAG, offsetof(private_unknown_payload_t, critical) },
- /* 7 Bit reserved bits, nowhere stored */
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
+ { FLAG, offsetof(private_unknown_payload_t, critical) },
+ /* 7 Bit reserved bits */
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[0]) },
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[1]) },
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[2]) },
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[3]) },
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[4]) },
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[5]) },
+ { RESERVED_BIT, offsetof(private_unknown_payload_t, reserved[6]) },
 /* Length of the whole payload*/
- { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length)},
+ { PAYLOAD_LENGTH, offsetof(private_unknown_payload_t, payload_length) },
 /* some unknown data bytes, length is defined in PAYLOAD_LENGTH */
- { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) }
+ { UNKNOWN_DATA, offsetof(private_unknown_payload_t, data) },
 };
 
 /*
@@ -91,111 +99,109 @@ encoding_rule_t unknown_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_unknown_payload_t *this) +METHOD(payload_t, verify, status_t, + private_unknown_payload_t *this) { - /* can't do any checks, so we assume its good */ + if (this->payload_length != UNKNOWN_PAYLOAD_HEADER_LENGTH + this->data.len) + { + return FAILED; + } return SUCCESS; } -/** - * Implementation of payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_unknown_payload_t *this, encoding_rule_t **rules, size_t *rule_count) { *rules = unknown_payload_encodings; *rule_count = sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_unknown_payload_t *this) +METHOD(payload_t, get_payload_type, payload_type_t, + private_unknown_payload_t *this) { - return UNKNOWN_PAYLOAD; + return this->type; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_unknown_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_unknown_payload_t *this) { - return (this->next_payload); + return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_unknown_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_unknown_payload_t *this,payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_unknown_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_unknown_payload_t *this) { return this->payload_length; } -/** - * Implementation of unknown_payload_t.get_data. 
- */ -static bool is_critical(private_unknown_payload_t *this) +METHOD(unknown_payload_t, is_critical, bool, + private_unknown_payload_t *this) { return this->critical; } -/** - * Implementation of unknown_payload_t.get_data. - */ -static chunk_t get_data (private_unknown_payload_t *this) +METHOD(unknown_payload_t, get_data, chunk_t, + private_unknown_payload_t *this) { - return (this->data); + return this->data; } -/** - * Implementation of payload_t.destroy and unknown_payload_t.destroy. - */ -static void destroy(private_unknown_payload_t *this) +METHOD2(payload_t, unknown_payload_t, destroy, void, + private_unknown_payload_t *this) { - if (this->data.ptr != NULL) - { - chunk_free(&(this->data)); - } - + free(this->data.ptr); free(this); } /* * Described in header */ -unknown_payload_t *unknown_payload_create() +unknown_payload_t *unknown_payload_create(payload_type_t type) +{ + private_unknown_payload_t *this; + + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_payload_type, + .destroy = _destroy, + }, + .is_critical = _is_critical, + .get_data = _get_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH, + .type = type, + ); + + return &this->public; +} + + +/* + * Described in header + */ +unknown_payload_t *unknown_payload_create_data(payload_type_t type, + bool critical, chunk_t data) { - private_unknown_payload_t *this = malloc_thing(private_unknown_payload_t); - - /* interface functions */ - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - 
this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - - /* public functions */ - this->public.destroy = (void (*) (unknown_payload_t *)) destroy; - this->public.is_critical = (bool (*) (unknown_payload_t *)) is_critical; - this->public.get_data = (chunk_t (*) (unknown_payload_t *)) get_data; - - /* private variables */ - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; - - return (&(this->public)); + private_unknown_payload_t *this; + + this = (private_unknown_payload_t*)unknown_payload_create(type); + this->data = data; + this->critical = critical; + this->payload_length = UNKNOWN_PAYLOAD_HEADER_LENGTH + data.len; + + return &this->public; } diff --git a/src/libcharon/encoding/payloads/unknown_payload.h b/src/libcharon/encoding/payloads/unknown_payload.h index c761ed2b6..5ae85331b 100644 --- a/src/libcharon/encoding/payloads/unknown_payload.h +++ b/src/libcharon/encoding/payloads/unknown_payload.h 
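Review bot: unknown_payload_create_data() stores `UNKNOWN_PAYLOAD_HEADER_LENGTH + data.len` into the `u_int16_t payload_length` without bounding `data.len`, so a chunk longer than 65531 bytes silently truncates the length field and the new verify() would then fail on a payload this code built itself. A guard such as `if (data.len > UINT16_MAX - UNKNOWN_PAYLOAD_HEADER_LENGTH)` or a documented precondition in the header would make the wire limit explicit. The added `type` parameter is not validated either, so callers can construct an "unknown" payload carrying a known type value; if that is intended (e.g. for tests), a comment on get_payload_type saying so would help. Consistency nit: get_encoding_rules here keeps `sizeof(unknown_payload_encodings) / sizeof(encoding_rule_t)` while the ts_payload and vendor_id_payload hunks in this same commit switched to `countof(...)`.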
@@ -70,10 +70,22 @@ struct unknown_payload_t { }; /** - * Creates an empty unknown_payload_t object. + * Creates an empty unknown_payload_t. * - * @return unknown_payload_t object + * @param type of the payload + * @return unknown_payload_t object */ -unknown_payload_t *unknown_payload_create(void); +unknown_payload_t *unknown_payload_create(payload_type_t type); + +/** + * Create an unknown payload with data. + * + * @param type type of payload to create + * @param critical TRUE to set critical bit + * @param data data to set for this payload, gets owned by payload + * @return payload object + */ +unknown_payload_t *unknown_payload_create_data(payload_type_t type, + bool critical, chunk_t data); #endif /** UNKNOWN_PAYLOAD_H_ @}*/ diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.c b/src/libcharon/encoding/payloads/vendor_id_payload.c index bf33d2418..e9e80e989 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.c +++ b/src/libcharon/encoding/payloads/vendor_id_payload.c @@ -1,5 +1,6 @@ /* - * Copyright (C) 2005-2009 Martin Willi + * Copyright (C) 2005-2010 Martin Willi + * Copyright (C) 2010 revosec AG * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -40,6 +41,11 @@ struct private_vendor_id_payload_t { */ bool critical; + /** + * Reserved bits + */ + bool reserved[7]; + /** * Length of this payload. */ 
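Review bot: The new Doxygen line `@param type of the payload` on unknown_payload_create is missing the parameter name, so Doxygen reads `type` as the name and `of the payload` as the whole description; use `@param type type of payload to create`, matching the unknown_payload_create_data block directly below it. The `gets owned by payload` wording on create_data is worth keeping, as it is what justifies the unconditional `free(this->data.ptr)` in destroy.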
@@ -59,21 +65,21 @@ struct private_vendor_id_payload_t {
 */
 encoding_rule_t vendor_id_payload_encodings[] = {
 /* 1 Byte next payload type, stored in the field next_payload */
- { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) },
+ { U_INT_8, offsetof(private_vendor_id_payload_t, next_payload) },
 /* the critical bit */
 { FLAG, offsetof(private_vendor_id_payload_t, critical) },
 /* 7 Bit reserved bits, nowhere stored */
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
- { RESERVED_BIT, 0 },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[0]) },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[1]) },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[2]) },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[3]) },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[4]) },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[5]) },
+ { RESERVED_BIT, offsetof(private_vendor_id_payload_t, reserved[6]) },
 /* Length of the whole payload*/
 { PAYLOAD_LENGTH, offsetof(private_vendor_id_payload_t, payload_length)},
 /* some vendor_id data bytes, length is defined in PAYLOAD_LENGTH */
- { VID_DATA, offsetof(private_vendor_id_payload_t, data) }
+ { VID_DATA, offsetof(private_vendor_id_payload_t, data) }
 };
 
 /*
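Review bot: The context comment `/* 7 Bit reserved bits, nowhere stored */` is now wrong: the seven RESERVED_BIT rules directly below it store into `reserved[0]`..`reserved[6]`. The parallel ts_payload and unknown_payload hunks in this commit updated the same comment to `/* 7 Bit reserved bits */`; do the same here so the rules table does not contradict itself.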
@@ -88,68 +94,52 @@ encoding_rule_t vendor_id_payload_encodings[] = { +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ */ -/** - * Implementation of payload_t.verify. - */ -static status_t verify(private_vendor_id_payload_t *this) +METHOD(payload_t, verify, status_t, + private_vendor_id_payload_t *this) { return SUCCESS; } -/** - * Implementation of vendor_id_payload_t.get_encoding_rules. - */ -static void get_encoding_rules(private_vendor_id_payload_t *this, - encoding_rule_t **rules, size_t *rule_count) +METHOD(payload_t, get_encoding_rules, void, + private_vendor_id_payload_t *this, encoding_rule_t **rules, + size_t *rule_count) { *rules = vendor_id_payload_encodings; - *rule_count = sizeof(vendor_id_payload_encodings) / sizeof(encoding_rule_t); + *rule_count = countof(vendor_id_payload_encodings); } -/** - * Implementation of payload_t.get_type. - */ -static payload_type_t get_payload_type(private_vendor_id_payload_t *this) +METHOD(payload_t, get_type, payload_type_t, + private_vendor_id_payload_t *this) { return VENDOR_ID; } -/** - * Implementation of payload_t.get_next_type. - */ -static payload_type_t get_next_type(private_vendor_id_payload_t *this) +METHOD(payload_t, get_next_type, payload_type_t, + private_vendor_id_payload_t *this) { return this->next_payload; } -/** - * Implementation of payload_t.set_next_type. - */ -static void set_next_type(private_vendor_id_payload_t *this,payload_type_t type) +METHOD(payload_t, set_next_type, void, + private_vendor_id_payload_t *this, payload_type_t type) { this->next_payload = type; } -/** - * Implementation of payload_t.get_length. - */ -static size_t get_length(private_vendor_id_payload_t *this) +METHOD(payload_t, get_length, size_t, + private_vendor_id_payload_t *this) { return this->payload_length; } -/** - * Implementation of vendor_id_payload_t.get_data. 
- */ -static chunk_t get_data(private_vendor_id_payload_t *this) +METHOD(vendor_id_payload_t, get_data, chunk_t, + private_vendor_id_payload_t *this) { return this->data; } -/** - * Implementation of payload_t.destroy and vendor_id_payload_t.destroy. - */ -static void destroy(private_vendor_id_payload_t *this) +METHOD2(payload_t, vendor_id_payload_t, destroy, void, + private_vendor_id_payload_t *this) { free(this->data.ptr); free(this); 
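Review bot: verify() still returns SUCCESS unconditionally, while the unknown_payload verify rewritten in this same commit checks that the header length matches the carried data; the equivalent check here is `if (this->payload_length != VENDOR_ID_PAYLOAD_HEADER_LENGTH + this->data.len) { return FAILED; }`. VID payloads arrive from the peer in IKE_SA_INIT before any authentication, so a cheap consistency check at the payload level is worth having. I cannot tell from this hunk whether the parser already guarantees that invariant for VID_DATA, in which case the check is redundant but harmless.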
@@ -158,38 +148,35 @@ static void destroy(private_vendor_id_payload_t *this) /* * Described in header */ -vendor_id_payload_t *vendor_id_payload_create() +vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) { - private_vendor_id_payload_t *this = malloc_thing(private_vendor_id_payload_t); - - this->public.payload_interface.verify = (status_t (*) (payload_t *))verify; - this->public.payload_interface.get_encoding_rules = (void (*) (payload_t *, encoding_rule_t **, size_t *) ) get_encoding_rules; - this->public.payload_interface.get_length = (size_t (*) (payload_t *)) get_length; - this->public.payload_interface.get_next_type = (payload_type_t (*) (payload_t *)) get_next_type; - this->public.payload_interface.set_next_type = (void (*) (payload_t *,payload_type_t)) set_next_type; - this->public.payload_interface.get_type = (payload_type_t (*) (payload_t *)) get_payload_type; - this->public.payload_interface.destroy = (void (*) (payload_t *))destroy; - this->public.get_data = (chunk_t (*) (vendor_id_payload_t *)) get_data; - - this->critical = FALSE; - this->next_payload = NO_PAYLOAD; - this->payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH; - this->data = chunk_empty; + private_vendor_id_payload_t *this; + INIT(this, + .public = { + .payload_interface = { + .verify = _verify, + .get_encoding_rules = _get_encoding_rules, + .get_length = _get_length, + .get_next_type = _get_next_type, + .set_next_type = _set_next_type, + .get_type = _get_type, + .destroy = _destroy, + }, + .get_data = _get_data, + .destroy = _destroy, + }, + .next_payload = NO_PAYLOAD, + .payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + data.len, + .data = data, + ); return &this->public; } /* * Described in header */ -vendor_id_payload_t *vendor_id_payload_create_data(chunk_t data) +vendor_id_payload_t *vendor_id_payload_create() { - private_vendor_id_payload_t *this; - - this = (private_vendor_id_payload_t*)vendor_id_payload_create(); - this->payload_length += data.len; - this->data = 
data; - - return &this->public; + return vendor_id_payload_create_data(chunk_empty); } - diff --git a/src/libcharon/encoding/payloads/vendor_id_payload.h b/src/libcharon/encoding/payloads/vendor_id_payload.h index 241535cac..4e4e7d8eb 100644 --- a/src/libcharon/encoding/payloads/vendor_id_payload.h +++ b/src/libcharon/encoding/payloads/vendor_id_payload.h @@ -50,6 +50,11 @@ struct vendor_id_payload_t { * @return VID data, pointing to an internal chunk_t */ chunk_t (*get_data)(vendor_id_payload_t *this); + + /** + * Destroy Vendor ID payload. + */ + void (*destroy)(vendor_id_payload_t *this); }; /** diff --git a/src/libcharon/plugins/addrblock/Makefile.in b/src/libcharon/plugins/addrblock/Makefile.in index 426d1a689..018318a59 100644 --- a/src/libcharon/plugins/addrblock/Makefile.in +++ b/src/libcharon/plugins/addrblock/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c index 44ef38d85..12cf0c941 100644 --- a/src/libcharon/plugins/addrblock/addrblock_validator.c +++ b/src/libcharon/plugins/addrblock/addrblock_validator.c 
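Review bot: vendor_id_payload_create_data() computes `.payload_length = VENDOR_ID_PAYLOAD_HEADER_LENGTH + data.len` into a `u_int16_t`, so a chunk longer than 65531 bytes silently truncates the length field; VID data comes from local code, so a guard or a documented precondition in the header (`data must not exceed 65531 bytes`) is enough. The initializer also takes ownership of `data` (destroy frees `data.ptr`), which the header for this constructor should state as unknown_payload.h does. Style: the definition `vendor_id_payload_t *vendor_id_payload_create()` should be `vendor_id_payload_create(void)`, since empty parentheses in a C definition declare an unprototyped function.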
@@ -1,8 +1,6 @@ /* - * Copyright (C) 2010 Martin Willi - * Copyright (C) 2010 revosec AG - * Copyright (C) 2009 Andreas Steffen - * Hochschule fuer Technik Rapperswil + * Copyright (C) 2010 Martin Willi, revosec AG + * Copyright (C) 2009 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the @@ -90,7 +88,8 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer) METHOD(cert_validator_t, validate, bool, private_addrblock_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) + certificate_t *issuer, bool online, int pathlen, bool anchor, + auth_cfg_t *auth) { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509) diff --git a/src/libcharon/plugins/android/Makefile.in b/src/libcharon/plugins/android/Makefile.in index d80868798..7d6eb2b9c 100644 --- a/src/libcharon/plugins/android/Makefile.in +++ b/src/libcharon/plugins/android/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/android/android_creds.c b/src/libcharon/plugins/android/android_creds.c index aa7fc6f92..601c91e7b 100644 --- a/src/libcharon/plugins/android/android_creds.c +++ b/src/libcharon/plugins/android/android_creds.c 
@@ -235,7 +235,7 @@ METHOD(android_creds_t, set_username_password, void, DESTROY_IF(this->user); this->user = id->clone(id); free(this->pass); - this->pass = password ? strdup(password) : NULL; + this->pass = strdupnull(password); this->lock->unlock(this->lock); } diff --git a/src/libcharon/plugins/android/android_service.c b/src/libcharon/plugins/android/android_service.c index f9a8e1ea1..487567f2a 100644 --- a/src/libcharon/plugins/android/android_service.c +++ b/src/libcharon/plugins/android/android_service.c @@ -291,8 +291,8 @@ static job_requeue_t initiate(private_android_service_t *this) peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create("android", &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/dhcp/Makefile.in b/src/libcharon/plugins/dhcp/Makefile.in index e843c42e8..8046fc052 100644 --- a/src/libcharon/plugins/dhcp/Makefile.in +++ b/src/libcharon/plugins/dhcp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/dhcp/dhcp_socket.c b/src/libcharon/plugins/dhcp/dhcp_socket.c index e1e83d648..8851c1b79 100644 --- a/src/libcharon/plugins/dhcp/dhcp_socket.c 
+++ b/src/libcharon/plugins/dhcp/dhcp_socket.c
@@ -459,7 +459,7 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 {
 dhcp_transaction_t *transaction = NULL;
 enumerator_t *enumerator;
- host_t *offer, *server;
+ host_t *offer, *server = NULL;
 offer = host_create_from_chunk(AF_INET,
 chunk_from_thing(dhcp->your_address), 0);
@@ -500,7 +500,7 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 chunk_create((char*)&option->data[pos], 4));
 }
 }
- if (option->type == DHCP_SERVER_ID && option->len == 4)
+ if (!server && option->type == DHCP_SERVER_ID && option->len == 4)
 {
 server = host_create_from_chunk(AF_INET,
 chunk_create(option->data, 4), DHCP_SERVER_PORT);
@@ -515,12 +515,11 @@ static void handle_offer(private_dhcp_socket_t *this, dhcp_t *dhcp, int optlen)
 }
 DBG1(DBG_CFG, "received DHCP OFFER %H from %H", offer, server);
 transaction->set_address(transaction, offer->clone(offer));
- transaction->set_server(transaction, server->clone(server));
+ transaction->set_server(transaction, server);
 }
 this->mutex->unlock(this->mutex);
 this->condvar->broadcast(this->condvar);
 offer->destroy(offer);
- server->destroy(server);
 }
 /**
diff --git a/src/libcharon/plugins/eap_aka/Makefile.in b/src/libcharon/plugins/eap_aka/Makefile.in
index c0750786d..4a23f9010 100644
--- a/src/libcharon/plugins/eap_aka/Makefile.in
+++ b/src/libcharon/plugins/eap_aka/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
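Review bot: In the third hunk of handle_offer, the `server` host built from the DHCP_SERVER_ID option is now owned by the transaction only on the path that reaches `transaction->set_server(transaction, server)`, and the unconditional `server->destroy(server)` at the end of the function is gone; when the enclosing block is skipped (its condition lies between the hunks, so I cannot see it), a server host that was created is leaked. Clearing the local once ownership passes and releasing whatever is left keeps both paths correct: `transaction->set_server(transaction, server); server = NULL;` inside the block and `DESTROY_IF(server);` next to `offer->destroy(offer)`. Separately, `server` stays NULL when the offer carries no DHCP_SERVER_ID option, and both the `%H` log line and `set_server()` then receive NULL; unless set_server is documented to accept that, the block should also require `server` before committing the transaction.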
diff --git a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in index 41f69546e..ad1ae1906 100644 --- a/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in +++ b/src/libcharon/plugins/eap_aka_3gpp2/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_gtc/Makefile.in b/src/libcharon/plugins/eap_gtc/Makefile.in index 02d659197..142a35e50 100644 --- a/src/libcharon/plugins/eap_gtc/Makefile.in +++ b/src/libcharon/plugins/eap_gtc/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_identity/Makefile.in b/src/libcharon/plugins/eap_identity/Makefile.in index 46011694a..5c1e07ade 100644 --- a/src/libcharon/plugins/eap_identity/Makefile.in +++ b/src/libcharon/plugins/eap_identity/Makefile.in 
@@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_md5/Makefile.in b/src/libcharon/plugins/eap_md5/Makefile.in index 2e307147f..4e01d96cc 100644 --- a/src/libcharon/plugins/eap_md5/Makefile.in +++ b/src/libcharon/plugins/eap_md5/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_mschapv2/Makefile.in b/src/libcharon/plugins/eap_mschapv2/Makefile.in index 635cfe6ec..495ccf441 100644 --- a/src/libcharon/plugins/eap_mschapv2/Makefile.in +++ b/src/libcharon/plugins/eap_mschapv2/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_radius/Makefile.in b/src/libcharon/plugins/eap_radius/Makefile.in index 1d771d9a4..99084e2c1 100644 --- a/src/libcharon/plugins/eap_radius/Makefile.in +++ b/src/libcharon/plugins/eap_radius/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_sim/Makefile.in b/src/libcharon/plugins/eap_sim/Makefile.in index d05930bbd..90f203f61 100644 --- a/src/libcharon/plugins/eap_sim/Makefile.in +++ b/src/libcharon/plugins/eap_sim/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
diff --git a/src/libcharon/plugins/eap_sim_file/Makefile.in b/src/libcharon/plugins/eap_sim_file/Makefile.in index 46a584265..3cd766a75 100644 --- a/src/libcharon/plugins/eap_sim_file/Makefile.in +++ b/src/libcharon/plugins/eap_sim_file/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in index 2d8556a59..a48fb652a 100644 --- a/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_pseudonym/Makefile.in @@ -225,9 +225,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -266,6 +264,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in index e59015f82..f2af3ae0d 100644 --- a/src/libcharon/plugins/eap_simaka_reauth/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_reauth/Makefile.in 
@@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_simaka_sql/Makefile.in b/src/libcharon/plugins/eap_simaka_sql/Makefile.in index 3c66d2f36..9a58a6055 100644 --- a/src/libcharon/plugins/eap_simaka_sql/Makefile.in +++ b/src/libcharon/plugins/eap_simaka_sql/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_tls/Makefile.in b/src/libcharon/plugins/eap_tls/Makefile.in index e4b78faf8..9ebb85be9 100644 --- a/src/libcharon/plugins/eap_tls/Makefile.in +++ b/src/libcharon/plugins/eap_tls/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_tnc/Makefile.in b/src/libcharon/plugins/eap_tnc/Makefile.in index fb7108a8a..cf75585ef 100644 --- a/src/libcharon/plugins/eap_tnc/Makefile.in +++ b/src/libcharon/plugins/eap_tnc/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/eap_tnc/eap_tnc.c b/src/libcharon/plugins/eap_tnc/eap_tnc.c index f0bff0e1f..dd4ed5322 100644 --- a/src/libcharon/plugins/eap_tnc/eap_tnc.c +++ b/src/libcharon/plugins/eap_tnc/eap_tnc.c @@ -18,7 +18,7 @@ #include #include -#include +#include typedef struct private_eap_tnc_t private_eap_tnc_t; @@ -114,6 +114,8 @@ static eap_tnc_t *eap_tnc_create(identification_t *server, private_eap_tnc_t *this; size_t frag_size; int max_msg_count; + char* protocol; + tnccs_type_t type; tnccs_t *tnccs; INIT(this, 
@@ -133,7 +135,27 @@ static eap_tnc_t *eap_tnc_create(identification_t *server,
 "charon.plugins.eap-tnc.fragment_size", MAX_FRAGMENT_LEN);
 max_msg_count = lib->settings->get_int(lib->settings,
 "charon.plugins.eap-tnc.max_message_count", MAX_MESSAGE_COUNT);
- tnccs = charon->tnccs->create_instance(charon->tnccs, TNCCS_1_1, is_server);
+ protocol = lib->settings->get_str(lib->settings,
+ "charon.plugins.eap-tnc.protocol", "tnccs-1.1");
+ if (strcaseeq(protocol, "tnccs-2.0"))
+ {
+ type = TNCCS_2_0;
+ }
+ else if (strcaseeq(protocol, "tnccs-1.1"))
+ {
+ type = TNCCS_1_1;
+ }
+ else if (strcaseeq(protocol, "tnccs-dynamic") && is_server)
+ {
+ type = TNCCS_DYNAMIC;
+ }
+ else
+ {
+ DBG1(DBG_TNC, "TNCCS protocol '%s' not supported", protocol);
+ free(this);
+ return NULL;
+ }
+ tnccs = charon->tnccs->create_instance(charon->tnccs, type, is_server);
 this->tls_eap = tls_eap_create(EAP_TNC, (tls_t*)tnccs, frag_size, max_msg_count);
 if (!this->tls_eap)
 {
diff --git a/src/libcharon/plugins/eap_ttls/Makefile.in b/src/libcharon/plugins/eap_ttls/Makefile.in
index 2cdd7701d..ff67686b2 100644
--- a/src/libcharon/plugins/eap_ttls/Makefile.in
+++ b/src/libcharon/plugins/eap_ttls/Makefile.in
@@ -225,9 +225,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -266,6 +264,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
index 10d08ca2a..29b0a9303 100644
--- a/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
+++ b/src/libcharon/plugins/eap_ttls/eap_ttls_peer.c
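Review bot: The new rejection branch in eap_tnc_create bails out with a bare `free(this)` after `INIT(this, ...)` (visible at the end of the previous hunk) has already populated the object; if any member initialised there owns a resource, this path leaks it, so the error exit should run the same teardown the destroy method performs rather than free the struct directly. The log line is also misleading for a client configured with `tnccs-dynamic`, which is rejected only because `is_server` is FALSE; `DBG1(DBG_TNC, "TNCCS protocol '%s' not supported%s", protocol, strcaseeq(protocol, "tnccs-dynamic") ? " on the client side" : "");` would say why. Minor style in the previous hunk: `char* protocol;` should be `char *protocol;` to match the pointer declarations elsewhere in the file. The function body continues below the hunk, and the `tnccs` returned by create_instance() is still handed to tls_eap_create unchecked.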
@@ -196,6 +196,7 @@ METHOD(tls_application_t, process, status_t, in->destroy(in); return NEED_MORE; } + this->start_phase2 = FALSE; } type = this->method->get_type(this->method, &vendor); diff --git a/src/libcharon/plugins/farp/Makefile.in b/src/libcharon/plugins/farp/Makefile.in index bfd50d6da..21e8b78db 100644 --- a/src/libcharon/plugins/farp/Makefile.in +++ b/src/libcharon/plugins/farp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/ha/Makefile.in b/src/libcharon/plugins/ha/Makefile.in index 3600eb7c6..2fcd7cc82 100644 --- a/src/libcharon/plugins/ha/Makefile.in +++ b/src/libcharon/plugins/ha/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/ha/ha_ctl.c b/src/libcharon/plugins/ha/ha_ctl.c index 980c0551a..15f7824f9 100644 --- a/src/libcharon/plugins/ha/ha_ctl.c +++ b/src/libcharon/plugins/ha/ha_ctl.c 
@@ -21,8 +21,8 @@ #include #include #include -#include +#include #include #define HA_FIFO IPSEC_PIDDIR "/charon.ha" @@ -60,13 +60,14 @@ struct private_ha_ctl_t { */ static job_requeue_t dispatch_fifo(private_ha_ctl_t *this) { - int fifo, old; + int fifo; + bool oldstate; char buf[8]; u_int segment; - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &old); + oldstate = thread_cancelability(TRUE); fifo = open(HA_FIFO, O_RDONLY); - pthread_setcancelstate(old, NULL); + thread_cancelability(oldstate); if (fifo == -1) { DBG1(DBG_CFG, "opening HA fifo failed: %s", strerror(errno)); diff --git a/src/libcharon/plugins/ha/ha_dispatcher.c b/src/libcharon/plugins/ha/ha_dispatcher.c index b46a221bd..85dc0f4a4 100644 --- a/src/libcharon/plugins/ha/ha_dispatcher.c +++ b/src/libcharon/plugins/ha/ha_dispatcher.c @@ -596,9 +596,9 @@ static void process_child_add(private_ha_dispatcher_t *this, if (initiator) { if (child_sa->install(child_sa, encr_r, integ_r, inbound_spi, - inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS || + inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS || child_sa->install(child_sa, encr_i, integ_i, outbound_spi, - outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS) + outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS) { failed = TRUE; } @@ -606,9 +606,9 @@ static void process_child_add(private_ha_dispatcher_t *this, else { if (child_sa->install(child_sa, encr_i, integ_i, inbound_spi, - inbound_cpi, TRUE, local_ts, remote_ts) != SUCCESS || + inbound_cpi, TRUE, TRUE, local_ts, remote_ts) != SUCCESS || child_sa->install(child_sa, encr_r, integ_r, outbound_spi, - outbound_cpi, FALSE, local_ts, remote_ts) != SUCCESS) + outbound_cpi, FALSE, TRUE, local_ts, remote_ts) != SUCCESS) { failed = TRUE; } diff --git a/src/libcharon/plugins/ha/ha_segments.c b/src/libcharon/plugins/ha/ha_segments.c index 19e0f692e..7c7bef851 100644 --- a/src/libcharon/plugins/ha/ha_segments.c +++ b/src/libcharon/plugins/ha/ha_segments.c 
@@ -15,11 +15,10 @@ #include "ha_segments.h" -#include - #include #include #include +#include #include #define DEFAULT_HEARTBEAT_DELAY 1000 @@ -255,16 +254,15 @@ METHOD(listener_t, alert_hook, bool, */ static job_requeue_t watchdog(private_ha_segments_t *this) { - int oldstate; - bool timeout; + bool timeout, oldstate; this->mutex->lock(this->mutex); - pthread_cleanup_push((void*)this->mutex->unlock, this->mutex); - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + thread_cleanup_push((void*)this->mutex->unlock, this->mutex); + oldstate = thread_cancelability(TRUE); timeout = this->condvar->timed_wait(this->condvar, this->mutex, this->heartbeat_timeout); - pthread_setcancelstate(oldstate, NULL); - pthread_cleanup_pop(TRUE); + thread_cancelability(oldstate); + thread_cleanup_pop(TRUE); if (timeout) { DBG1(DBG_CFG, "no heartbeat received, taking all segments"); diff --git a/src/libcharon/plugins/ha/ha_socket.c b/src/libcharon/plugins/ha/ha_socket.c index 614c70ed3..086178442 100644 --- a/src/libcharon/plugins/ha/ha_socket.c +++ b/src/libcharon/plugins/ha/ha_socket.c @@ -20,10 +20,10 @@ #include #include #include -#include #include #include +#include #include typedef struct private_ha_socket_t private_ha_socket_t; @@ -121,12 +121,12 @@ METHOD(ha_socket_t, pull, ha_message_t*, { ha_message_t *message; char buf[1024]; - int oldstate; + bool oldstate; ssize_t len; - pthread_setcancelstate(PTHREAD_CANCEL_ENABLE, &oldstate); + oldstate = thread_cancelability(TRUE); len = recv(this->fd, buf, sizeof(buf), 0); - pthread_setcancelstate(oldstate, NULL); + thread_cancelability(oldstate); if (len <= 0) { switch (errno) diff --git a/src/libcharon/plugins/ha/ha_tunnel.c b/src/libcharon/plugins/ha/ha_tunnel.c index fef84a430..299053ec1 100644 --- a/src/libcharon/plugins/ha/ha_tunnel.c +++ b/src/libcharon/plugins/ha/ha_tunnel.c 
@@ -223,8 +223,8 @@ static void setup_tunnel(private_ha_tunnel_t *this, peer_cfg->add_auth_cfg(peer_cfg, auth_cfg, FALSE); child_cfg = child_cfg_create("ha", &lifetime, NULL, TRUE, MODE_TRANSPORT, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); ts = traffic_selector_create_dynamic(IPPROTO_UDP, HA_PORT, HA_PORT); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); ts = traffic_selector_create_dynamic(IPPROTO_ICMP, 0, 65535); diff --git a/src/libcharon/plugins/led/Makefile.in b/src/libcharon/plugins/led/Makefile.in index a4e529d89..fa1194fd0 100644 --- a/src/libcharon/plugins/led/Makefile.in +++ b/src/libcharon/plugins/led/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/load_tester/Makefile.in b/src/libcharon/plugins/load_tester/Makefile.in index 85db9a10b..c921ec3db 100644 --- a/src/libcharon/plugins/load_tester/Makefile.in +++ b/src/libcharon/plugins/load_tester/Makefile.in @@ -225,9 +225,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -266,6 +264,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/load_tester/load_tester_config.c b/src/libcharon/plugins/load_tester/load_tester_config.c index a230aa3f5..71391d593 100644 --- a/src/libcharon/plugins/load_tester/load_tester_config.c +++ b/src/libcharon/plugins/load_tester/load_tester_config.c @@ -224,8 +224,8 @@ static peer_cfg_t* generate_config(private_load_tester_config_t *this, uint num) } child_cfg = child_cfg_create("load-test", &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); proposal = proposal_create_from_string(PROTO_ESP, "aes128-sha1"); child_cfg->add_proposal(child_cfg, proposal); ts = traffic_selector_create_dynamic(0, 0, 65535); diff --git a/src/libcharon/plugins/load_tester/load_tester_ipsec.c b/src/libcharon/plugins/load_tester/load_tester_ipsec.c index aece95e12..ef9d7f9ef 100644 --- a/src/libcharon/plugins/load_tester/load_tester_ipsec.c +++ b/src/libcharon/plugins/load_tester/load_tester_ipsec.c @@ -52,7 +52,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t, METHOD(kernel_ipsec_t, add_sa, status_t, private_load_tester_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) 
diff --git a/src/libcharon/plugins/load_tester/load_tester_plugin.c b/src/libcharon/plugins/load_tester/load_tester_plugin.c index cb9b80c7f..8fd65adfa 100644 --- a/src/libcharon/plugins/load_tester/load_tester_plugin.c +++ b/src/libcharon/plugins/load_tester/load_tester_plugin.c @@ -28,6 +28,8 @@ #include #include +static const char *plugin_name = "load_tester"; + typedef struct private_load_tester_plugin_t private_load_tester_plugin_t; /** @@ -189,7 +191,7 @@ plugin_t *load_tester_plugin_create() this = malloc_thing(private_load_tester_plugin_t); this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - lib->crypto->add_dh(lib->crypto, MODP_NULL, + lib->crypto->add_dh(lib->crypto, MODP_NULL, plugin_name, (dh_constructor_t)load_tester_diffie_hellman_create); this->delay = lib->settings->get_int(lib->settings, diff --git a/src/libcharon/plugins/maemo/Makefile.am b/src/libcharon/plugins/maemo/Makefile.am index ed6c76c0f..0bf7fad5d 100644 --- a/src/libcharon/plugins/maemo/Makefile.am +++ b/src/libcharon/plugins/maemo/Makefile.am @@ -19,5 +19,9 @@ libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} dbusservice_DATA = org.strongswan.charon.service -EXTRA_DIST = $(dbusservice_DATA) +org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in + sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@ + +EXTRA_DIST = org.strongswan.charon.service.in +CLEANFILES = $(dbusservice_DATA) diff --git a/src/libcharon/plugins/maemo/Makefile.in b/src/libcharon/plugins/maemo/Makefile.in index 978950d22..0ca1fa436 100644 --- a/src/libcharon/plugins/maemo/Makefile.in +++ b/src/libcharon/plugins/maemo/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
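Review bot: The new org.strongswan.charon.service rule in maemo/Makefile.am redirects `sed` straight into `$@`, so an interrupted or failing `sed` leaves a truncated target that later runs of make treat as up to date; write to a temporary name and rename it only on success: `sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@.tmp && mv $@.tmp $@`. The same recipe is duplicated in the generated maemo/Makefile.in in the next hunk set and will follow once that file is regenerated from this one.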
@@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -288,7 +288,8 @@ libstrongswan_maemo_la_SOURCES = \ libstrongswan_maemo_la_LDFLAGS = -module -avoid-version libstrongswan_maemo_la_LIBADD = ${maemo_LIBS} dbusservice_DATA = org.strongswan.charon.service -EXTRA_DIST = $(dbusservice_DATA) +EXTRA_DIST = org.strongswan.charon.service.in +CLEANFILES = $(dbusservice_DATA) all: all-am .SUFFIXES: @@ -528,6 +529,7 @@ install-strip: mostlyclean-generic: clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) @@ -626,6 +628,9 @@ uninstall-am: uninstall-dbusserviceDATA uninstall-pluginLTLIBRARIES uninstall-pluginLTLIBRARIES +org.strongswan.charon.service: $(srcdir)/org.strongswan.charon.service.in + sed -e 's|[@]LIBEXECDIR[@]|$(libexecdir)|' $< >$@ + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/src/libcharon/plugins/maemo/maemo_service.c b/src/libcharon/plugins/maemo/maemo_service.c index efd914a00..0e9fd8ccc 100644 --- a/src/libcharon/plugins/maemo/maemo_service.c +++ b/src/libcharon/plugins/maemo/maemo_service.c 
@@ -115,12 +115,11 @@ METHOD(listener_t, ike_updown, bool, return TRUE; } -METHOD(listener_t, child_state_change, bool, - private_maemo_service_t *this, ike_sa_t *ike_sa, child_sa_t *child_sa, - child_sa_state_t state) +METHOD(listener_t, ike_state_change, bool, + private_maemo_service_t *this, ike_sa_t *ike_sa, ike_sa_state_t state) { /* this call back is only registered during initiation */ - if (this->ike_sa == ike_sa && state == CHILD_DESTROYING) + if (this->ike_sa == ike_sa && state == IKE_DESTROYING) { change_status(this, VPN_STATUS_CONNECTION_FAILED); return FALSE; @@ -138,7 +137,7 @@ METHOD(listener_t, child_updown, bool, { /* disable hooks registered to catch initiation failures */ this->public.listener.ike_updown = NULL; - this->public.listener.child_state_change = NULL; + this->public.listener.ike_state_change = NULL; change_status(this, VPN_STATUS_CONNECTED); } else @@ -347,7 +346,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, child_cfg = child_cfg_create(this->current, &lifetime, NULL /* updown */, TRUE, MODE_TUNNEL, ACTION_NONE, ACTION_NONE, - FALSE, 0, 0, NULL, NULL); + ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); @@ -371,7 +370,7 @@ static gboolean initiate_connection(private_maemo_service_t *this, this->ike_sa = ike_sa; this->status = VPN_STATUS_CONNECTING; this->public.listener.ike_updown = _ike_updown; - this->public.listener.child_state_change = _child_state_change; + this->public.listener.ike_state_change = _ike_state_change; charon->bus->add_listener(charon->bus, &this->public.listener); if (ike_sa->initiate(ike_sa, child_cfg, 0, NULL, NULL) != SUCCESS) 
@@ -464,7 +463,7 @@ maemo_service_t *maemo_service_create() .public = { .listener = { .ike_updown = _ike_updown, - .child_state_change = _child_state_change, + .ike_state_change = _ike_state_change, .child_updown = _child_updown, .ike_rekey = _ike_rekey, }, diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service b/src/libcharon/plugins/maemo/org.strongswan.charon.service deleted file mode 100644 index 7dd31ed60..000000000 --- a/src/libcharon/plugins/maemo/org.strongswan.charon.service +++ /dev/null @@ -1,4 +0,0 @@ -[D-BUS Service] -Name=org.strongswan.charon -Exec=/usr/bin/run-standalone.sh /usr/libexec/ipsec/charon -User=root diff --git a/src/libcharon/plugins/maemo/org.strongswan.charon.service.in b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in new file mode 100644 index 000000000..8fa83af93 --- /dev/null +++ b/src/libcharon/plugins/maemo/org.strongswan.charon.service.in @@ -0,0 +1,4 @@ +[D-BUS Service] +Name=org.strongswan.charon +Exec=/usr/bin/run-standalone.sh @LIBEXECDIR@/ipsec/charon +User=root diff --git a/src/libcharon/plugins/medcli/Makefile.in b/src/libcharon/plugins/medcli/Makefile.in index 6dcbc99dd..372a436a6 100644 --- a/src/libcharon/plugins/medcli/Makefile.in +++ b/src/libcharon/plugins/medcli/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/medcli/medcli_config.c b/src/libcharon/plugins/medcli/medcli_config.c index 870d87c7e..b5672dba9 100644 
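Review bot: The new org.strongswan.charon.service.in keeps `User=root`, so bus activation of `org.strongswan.charon` starts a root daemon on demand, and no D-Bus policy file accompanies it in this diff. Whether that is safe depends entirely on the bus configuration: on a stock system bus the default policy denies method calls to the name (so the intended client cannot even trigger activation), while a permissive configuration would let any local process start charon as root. The policy that grants `own` of the name to root and `send_destination` only to the intended caller should ship with this file, or a comment in the template should say where that policy lives. Only the path substitution changed relative to the deleted file, so the point is inherited rather than introduced, but the new template is the natural place to document it.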
--- a/src/libcharon/plugins/medcli/medcli_config.c +++ b/src/libcharon/plugins/medcli/medcli_config.c @@ -182,8 +182,8 @@ static peer_cfg_t *get_peer_cfg_by_name(private_medcli_config_t *this, char *nam peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); @@ -261,8 +261,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->current->add_auth_cfg(this->current, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, ts_from_string(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, ts_from_string(remote_net)); diff --git a/src/libcharon/plugins/medsrv/Makefile.in b/src/libcharon/plugins/medsrv/Makefile.in index f6db7d834..4bb65bd09 100644 --- a/src/libcharon/plugins/medsrv/Makefile.in +++ b/src/libcharon/plugins/medsrv/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/nm/Makefile.in b/src/libcharon/plugins/nm/Makefile.in index 2f5c20971..69af7bf83 100644 --- a/src/libcharon/plugins/nm/Makefile.in +++ b/src/libcharon/plugins/nm/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/nm/nm_creds.c b/src/libcharon/plugins/nm/nm_creds.c index 638787019..ea98c056d 100644 --- a/src/libcharon/plugins/nm/nm_creds.c +++ b/src/libcharon/plugins/nm/nm_creds.c @@ -400,7 +400,7 @@ static void set_username_password(private_nm_creds_t *this, identification_t *id DESTROY_IF(this->user); this->user = id->clone(id); free(this->pass); - this->pass = password ? strdup(password) : NULL; + this->pass = strdupnull(password); this->lock->unlock(this->lock); } @@ -411,7 +411,7 @@ static void set_key_password(private_nm_creds_t *this, char *password) { this->lock->write_lock(this->lock); free(this->keypass); - this->keypass = password ? strdup(password) : NULL; + this->keypass = strdupnull(password); this->lock->unlock(this->lock); } 
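Review bot: In set_username_password the preceding `free(this->pass)` releases the previous VPN password without clearing it, and the new `this->pass = strdupnull(password);` places a fresh copy on the heap, so plaintext passwords accumulate in freed memory for the lifetime of the daemon; the same pattern applies to keypass in set_key_password on this line and to set_pin in the next hunk. Wipe before releasing, e.g. `if (this->pass) { memwipe(this->pass, strlen(this->pass)); } free(this->pass);` — memwipe is what chunk_clear uses in libstrongswan, and a volatile memset loop does the job if this tree does not yet have it. The write lock is already held across the free and the strdup, so the wipe slots in without touching the locking.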
@@ -423,7 +423,7 @@ static void set_pin(private_nm_creds_t *this, chunk_t keyid, char *pin) this->lock->write_lock(this->lock); free(this->keypass); free(this->keyid.ptr); - this->keypass = pin ? strdup(pin) : NULL; + this->keypass = strdupnull(pin); this->keyid = chunk_clone(keyid); this->lock->unlock(this->lock); } diff --git a/src/libcharon/plugins/nm/nm_service.c b/src/libcharon/plugins/nm/nm_service.c index 72c5bbbb5..4300b57cf 100644 --- a/src/libcharon/plugins/nm/nm_service.c +++ b/src/libcharon/plugins/nm/nm_service.c @@ -518,8 +518,8 @@ static gboolean connect_(NMVPNPlugin *plugin, NMConnection *connection, child_cfg = child_cfg_create(priv->name, &lifetime, NULL, TRUE, MODE_TUNNEL, /* updown, hostaccess */ - ACTION_NONE, ACTION_NONE, ipcomp, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, ipcomp, + 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); ts = traffic_selector_create_dynamic(0, 0, 65535); child_cfg->add_traffic_selector(child_cfg, TRUE, ts); diff --git a/src/libcharon/plugins/smp/Makefile.in b/src/libcharon/plugins/smp/Makefile.in index f24e2d1e7..3d2cef13c 100644 --- a/src/libcharon/plugins/smp/Makefile.in +++ b/src/libcharon/plugins/smp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_default/Makefile.in b/src/libcharon/plugins/socket_default/Makefile.in index bd85386b2..b82372e30 100644 
--- a/src/libcharon/plugins/socket_default/Makefile.in +++ b/src/libcharon/plugins/socket_default/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_dynamic/Makefile.in b/src/libcharon/plugins/socket_dynamic/Makefile.in index 8e0790671..7a49088b2 100644 --- a/src/libcharon/plugins/socket_dynamic/Makefile.in +++ b/src/libcharon/plugins/socket_dynamic/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/socket_raw/Makefile.in b/src/libcharon/plugins/socket_raw/Makefile.in index 5f4cba131..744b12fcf 100644 --- a/src/libcharon/plugins/socket_raw/Makefile.in +++ b/src/libcharon/plugins/socket_raw/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/sql/Makefile.in b/src/libcharon/plugins/sql/Makefile.in index 7c4521785..4244d3b5e 100644 --- a/src/libcharon/plugins/sql/Makefile.in +++ b/src/libcharon/plugins/sql/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/sql/sql_config.c b/src/libcharon/plugins/sql/sql_config.c index a47d93f7b..dc016012c 100644 --- a/src/libcharon/plugins/sql/sql_config.c +++ b/src/libcharon/plugins/sql/sql_config.c @@ -1,5 +1,6 @@ /* * Copyright (C) 2006-2008 Martin Willi + * Copyright (C) 2010 Andreas Steffen * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it @@ -38,13 +39,13 @@ struct private_sql_config_t { }; /** - * forward declaration + * Forward declaration */ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, identification_t *me, identification_t *other); /** - * build a traffic selector from a SQL query + * Build a traffic selector from an SQL query */ static traffic_selector_t *build_traffic_selector(private_sql_config_t *this, enumerator_t *e, bool *local) 
@@ -119,24 +120,62 @@ static void add_traffic_selectors(private_sql_config_t *this, } /** - * build a Child configuration from a SQL query + * Add ESP proposals to a child config + */ +static void add_esp_proposals(private_sql_config_t *this, + child_cfg_t *child, int id) +{ + enumerator_t *e; + proposal_t *proposal; + char *prop; + bool use_default = TRUE; + + e = this->db->query(this->db, + "SELECT proposal " + "FROM proposals JOIN child_config_proposal ON id = prop " + "WHERE child_cfg = ? ORDER BY prio", + DB_INT, id, DB_TEXT); + if (e) + { + while (e->enumerate(e, &prop)) + { + proposal = proposal_create_from_string(PROTO_ESP, prop); + if (!proposal) + { + DBG1(DBG_CFG, "could not create ESP proposal from '%s'", prop); + break; + } + child->add_proposal(child, proposal); + use_default = FALSE; + } + e->destroy(e); + } + if (use_default) + { + child->add_proposal(child, proposal_create_default(PROTO_ESP)); + } +} + +/** + * Build a child config from an SQL query */ static child_cfg_t *build_child_cfg(private_sql_config_t *this, enumerator_t *e) { - int id, lifetime, rekeytime, jitter, hostaccess, mode, dpd, close, ipcomp; + int id, lifetime, rekeytime, jitter, hostaccess, mode, ipcomp, reqid; + int start, dpd, close; char *name, *updown; child_cfg_t *child_cfg; - if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, - &updown, &hostaccess, &mode, &dpd, &close, &ipcomp)) + if (e->enumerate(e, &id, &name, &lifetime, &rekeytime, &jitter, &updown, + &hostaccess, &mode, &start, &dpd, &close, &ipcomp, &reqid)) { lifetime_cfg_t lft = { .time = { .life = lifetime, .rekey = rekeytime, .jitter = jitter } }; child_cfg = child_cfg_create(name, &lft, updown, hostaccess, mode, - dpd, close, ipcomp, 0, 0, NULL, NULL); - /* TODO: read proposal from db */ - child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP)); + start, dpd, close, ipcomp, 0, reqid, + NULL, NULL, 0); + add_esp_proposals(this, child_cfg, id); add_traffic_selectors(this, child_cfg, id); 
return child_cfg; } @@ -152,13 +191,13 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) child_cfg_t *child_cfg; e = this->db->query(this->db, - "SELECT id, name, lifetime, rekeytime, jitter, " - "updown, hostaccess, mode, dpd_action, close_action, ipcomp " + "SELECT id, name, lifetime, rekeytime, jitter, updown, hostaccess, " + "mode, start_action, dpd_action, close_action, ipcomp, reqid " "FROM child_configs JOIN peer_config_child_config ON id = child_cfg " "WHERE peer_cfg = ?", DB_INT, id, - DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, - DB_TEXT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); + DB_INT, DB_TEXT, DB_INT, DB_INT, DB_INT, DB_TEXT, DB_INT, + DB_INT, DB_INT, DB_INT, DB_INT, DB_INT, DB_INT); if (e) { while ((child_cfg = build_child_cfg(this, e))) 
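Review bot: In add_esp_proposals a proposal string that proposal_create_from_string rejects is logged and the loop `break`s, which means a malformed first row leaves `use_default` TRUE and the child config silently gets proposal_create_default(PROTO_ESP) instead of the operator's explicit list, while a malformed later row truncates the list at that point. Either way the negotiated algorithm set can end up wider than what was stored in the database, with only a DBG1 line to show for it. A broken explicit list should not widen to defaults: in the failure branch replace `break;` with `use_default = FALSE; continue;` so bad rows are skipped and an entirely unusable list leaves the child config without proposals, which fails the negotiation loudly rather than downgrading it. The SQL itself is parameterised with `?` placeholders, so no injection concern there.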
@@ -170,29 +209,65 @@ static void add_child_cfgs(private_sql_config_t *this, peer_cfg_t *peer, int id) } /** - * build a ike configuration from a SQL query + * Add IKE proposals to an IKE config + */ +static void add_ike_proposals(private_sql_config_t *this, + ike_cfg_t *ike_cfg, int id) +{ + enumerator_t *e; + proposal_t *proposal; + char *prop; + bool use_default = TRUE; + + e = this->db->query(this->db, + "SELECT proposal " + "FROM proposals JOIN ike_config_proposal ON id = prop " + "WHERE ike_cfg = ? ORDER BY prio", + DB_INT, id, DB_TEXT); + if (e) + { + while (e->enumerate(e, &prop)) + { + proposal = proposal_create_from_string(PROTO_IKE, prop); + if (!proposal) + { + DBG1(DBG_CFG, "could not create IKE proposal from '%s'", prop); + break; + } + ike_cfg->add_proposal(ike_cfg, proposal); + use_default = FALSE; + } + e->destroy(e); + } + if (use_default) + { + ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + } +} + +/** + * Build an IKE config from an SQL query */ static ike_cfg_t *build_ike_cfg(private_sql_config_t *this, enumerator_t *e, host_t *my_host, host_t *other_host) { - int certreq, force_encap; + int id, certreq, force_encap; char *local, *remote; - while (e->enumerate(e, &certreq, &force_encap, &local, &remote)) + while (e->enumerate(e, &id, &certreq, &force_encap, &local, &remote)) { ike_cfg_t *ike_cfg; ike_cfg = ike_cfg_create(certreq, force_encap, local, IKEV2_UDP_PORT, remote, IKEV2_UDP_PORT); - /* TODO: read proposal from db */ - ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE)); + add_ike_proposals(this, ike_cfg, id); return ike_cfg; } return NULL; } /** - * Query a IKE config by its id + * Query an IKE config by its id */ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) { 
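Review bot: add_ike_proposals has the same failure handling as its ESP counterpart: an unparsable `proposal` row hits `break`, so if it is the first row `use_default` stays TRUE and the IKE config silently falls back to proposal_create_default(PROTO_IKE), widening the accepted IKE algorithm set relative to the configured list. The DBG1 message is the only trace, and it is easy to miss on a production box. Use `use_default = FALSE; continue;` in the error branch so that bad rows are skipped and a wholly broken list fails closed instead of downgrading to defaults.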
@@ -200,10 +275,10 @@ static ike_cfg_t* get_ike_cfg_by_id(private_sql_config_t *this, int id) ike_cfg_t *ike_cfg = NULL; e = this->db->query(this->db, - "SELECT certreq, force_encap, local, remote " + "SELECT id, certreq, force_encap, local, remote " "FROM ike_configs WHERE id = ?", DB_INT, id, - DB_INT, DB_INT, DB_TEXT, DB_TEXT); + DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT); if (e) { ike_cfg = build_ike_cfg(this, e, NULL, NULL); @@ -246,7 +321,7 @@ static peer_cfg_t *get_peer_cfg_by_id(private_sql_config_t *this, int id) } /** - * build a peer configuration from a SQL query + * Build a peer config from an SQL query */ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, identification_t *me, identification_t *other) @@ -325,10 +400,8 @@ static peer_cfg_t *build_peer_cfg(private_sql_config_t *this, enumerator_t *e, return NULL; } -/** - * implements backend_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_sql_config_t *this, char *name) +METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, + private_sql_config_t *this, char *name) { enumerator_t *e; peer_cfg_t *peer_cfg = NULL; @@ -398,11 +471,8 @@ static void ike_enumerator_destroy(ike_enumerator_t *this) free(this); } -/** - * Implementation of backend_t.create_ike_cfg_enumerator. - */ -static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this, - host_t *me, host_t *other) +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_sql_config_t *this, host_t *me, host_t *other) { ike_enumerator_t *e = malloc_thing(ike_enumerator_t); 
@@ -414,9 +484,9 @@ static enumerator_t* create_ike_cfg_enumerator(private_sql_config_t *this, e->public.destroy = (void*)ike_enumerator_destroy; e->inner = this->db->query(this->db, - "SELECT certreq, force_encap, local, remote " + "SELECT id, certreq, force_encap, local, remote " "FROM ike_configs", - DB_INT, DB_INT, DB_TEXT, DB_TEXT); + DB_INT, DB_INT, DB_INT, DB_TEXT, DB_TEXT); if (!e->inner) { free(e); @@ -466,12 +536,8 @@ static void peer_enumerator_destroy(peer_enumerator_t *this) free(this); } -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this, - identification_t *me, - identification_t *other) +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_sql_config_t *this, identification_t *me, identification_t *other) { peer_enumerator_t *e = malloc_thing(peer_enumerator_t); @@ -508,10 +574,8 @@ static enumerator_t* create_peer_cfg_enumerator(private_sql_config_t *this, return &e->public; } -/** - * Implementation of sql_config_t.destroy. - */ -static void destroy(private_sql_config_t *this) +METHOD(sql_config_t, destroy, void, + private_sql_config_t *this) { free(this); } 
@@ -521,14 +585,19 @@ static void destroy(private_sql_config_t *this) */ sql_config_t *sql_config_create(database_t *db) { - private_sql_config_t *this = malloc_thing(private_sql_config_t); - - this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; - this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; - this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; - this->public.destroy = (void(*)(sql_config_t*))destroy; + private_sql_config_t *this; - this->db = db; + INIT(this, + .public = { + .backend = { + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + }, + .destroy = _destroy, + }, + .db = db + ); return &this->public; } diff --git a/src/libcharon/plugins/sql/sql_cred.c b/src/libcharon/plugins/sql/sql_cred.c index 12f4ab045..117eec921 100644 --- a/src/libcharon/plugins/sql/sql_cred.c +++ b/src/libcharon/plugins/sql/sql_cred.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -37,6 +38,7 @@ struct private_sql_cred_t { database_t *db; }; + /** * enumerator over private keys */ @@ -49,11 +51,8 @@ typedef struct { private_key_t *current; } private_enumerator_t; -/** - * Implementation of private_enumerator_t.public.enumerate - */ -static bool private_enumerator_enumerate(private_enumerator_t *this, - private_key_t **key) +METHOD(enumerator_t, private_enumerator_enumerate, bool, + private_enumerator_t *this, private_key_t **key) { chunk_t blob; int type; 
@@ -62,7 +61,7 @@ static bool private_enumerator_enumerate(private_enumerator_t *this, while (this->inner->enumerate(this->inner, &type, &blob)) { this->current = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, type, - BUILD_BLOB_ASN1_DER, blob, + BUILD_BLOB_PEM, blob, BUILD_END); if (this->current) { @@ -74,29 +73,25 @@ static bool private_enumerator_enumerate(private_enumerator_t *this, return FALSE; } -/** - * Implementation of private_enumerator_t.public.destroy - */ -static void private_enumerator_destroy(private_enumerator_t *this) +METHOD(enumerator_t, private_enumerator_destroy, void, + private_enumerator_t *this) { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } -/** - * Implementation of credential_set_t.create_private_enumerator. - */ -static enumerator_t* create_private_enumerator(private_sql_cred_t *this, - key_type_t type, - identification_t *id) +METHOD(credential_set_t, create_private_enumerator, enumerator_t*, + private_sql_cred_t *this, key_type_t type, identification_t *id) { private_enumerator_t *e; - e = malloc_thing(private_enumerator_t); - e->current = NULL; - e->public.enumerate = (void*)private_enumerator_enumerate; - e->public.destroy = (void*)private_enumerator_destroy; + INIT(e, + .public = { + .enumerate = (void*)_private_enumerator_enumerate, + .destroy = _private_enumerator_destroy, + }, + ); if (id && id->get_type(id) != ID_ANY) { e->inner = this->db->query(this->db, @@ -123,6 +118,7 @@ static enumerator_t* create_private_enumerator(private_sql_cred_t *this, return &e->public; } + /** * enumerator over certificates */ @@ -135,11 +131,8 @@ typedef struct { certificate_t *current; } cert_enumerator_t; -/** - * Implementation of cert_enumerator_t.public.enumerate - */ -static bool cert_enumerator_enumerate(cert_enumerator_t *this, - certificate_t **cert) +METHOD(enumerator_t, cert_enumerator_enumerate, bool, + cert_enumerator_t *this, certificate_t **cert) { chunk_t blob; int type; 
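Review bot: Switching the private-key builder hint from `BUILD_BLOB_ASN1_DER` to `BUILD_BLOB_PEM` changes the expected encoding of the `data` column, and nothing in this hunk says whether databases already holding DER blobs keep working. If the PEM builder passes non-PEM input straight through as DER this is a pure extension, otherwise existing installations lose their keys and peers silently fail to authenticate; that behaviour lives outside this diff and should be confirmed. Either way a comment at the call, such as `/* data is PEM (or raw DER, passed through by the pem builder) */`, plus a note in the SQL schema would document the contract; the same applies to the certificate enumerator in the next hunk. Also note that a PEM blob may be passphrase-protected and no BUILD_PASSPHRASE is supplied here, so encrypted keys in the table will not load.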
@@ -148,7 +141,7 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this, while (this->inner->enumerate(this->inner, &type, &blob)) { this->current = lib->creds->create(lib->creds, CRED_CERTIFICATE, type, - BUILD_BLOB_ASN1_DER, blob, + BUILD_BLOB_PEM, blob, BUILD_END); if (this->current) { @@ -160,29 +153,26 @@ static bool cert_enumerator_enumerate(cert_enumerator_t *this, return FALSE; } -/** - * Implementation of cert_enumerator_t.public.destroy - */ -static void cert_enumerator_destroy(cert_enumerator_t *this) +METHOD(enumerator_t, cert_enumerator_destroy, void, + cert_enumerator_t *this) { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } -/** - * Implementation of credential_set_t.create_cert_enumerator. - */ -static enumerator_t* create_cert_enumerator(private_sql_cred_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) +METHOD(credential_set_t, create_cert_enumerator, enumerator_t*, + private_sql_cred_t *this, certificate_type_t cert, key_type_t key, + identification_t *id, bool trusted) { cert_enumerator_t *e; - e = malloc_thing(cert_enumerator_t); - e->current = NULL; - e->public.enumerate = (void*)cert_enumerator_enumerate; - e->public.destroy = (void*)cert_enumerator_destroy; + INIT(e, + .public = { + .enumerate = (void*)_cert_enumerator_enumerate, + .destroy = _cert_enumerator_destroy, + }, + ); if (id && id->get_type(id) != ID_ANY) { e->inner = this->db->query(this->db, @@ -213,6 +203,7 @@ static enumerator_t* create_cert_enumerator(private_sql_cred_t *this, return &e->public; } + /** * enumerator over shared keys */ 
@@ -229,12 +220,9 @@ typedef struct { shared_key_t *current; } shared_enumerator_t; -/** - * Implementation of shared_enumerator_t.public.enumerate - */ -static bool shared_enumerator_enumerate(shared_enumerator_t *this, - shared_key_t **shared, - id_match_t *me, id_match_t *other) +METHOD(enumerator_t, shared_enumerator_enumerate, bool, + shared_enumerator_t *this, shared_key_t **shared, + id_match_t *me, id_match_t *other) { chunk_t blob; int type; @@ -261,31 +249,28 @@ static bool shared_enumerator_enumerate(shared_enumerator_t *this, return FALSE; } -/** - * Implementation of shared_enumerator_t.public.destroy - */ -static void shared_enumerator_destroy(shared_enumerator_t *this) +METHOD(enumerator_t, shared_enumerator_destroy, void, + shared_enumerator_t *this) { DESTROY_IF(this->current); this->inner->destroy(this->inner); free(this); } -/** - * Implementation of credential_set_t.create_shared_enumerator. - */ -static enumerator_t* create_shared_enumerator(private_sql_cred_t *this, - shared_key_type_t type, - identification_t *me, identification_t *other) +METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, + private_sql_cred_t *this, shared_key_type_t type, + identification_t *me, identification_t *other) { shared_enumerator_t *e; - e = malloc_thing(shared_enumerator_t); - e->me = me; - e->other = other; - e->current = NULL; - e->public.enumerate = (void*)shared_enumerator_enumerate; - e->public.destroy = (void*)shared_enumerator_destroy; + INIT(e, + .public = { + .enumerate = (void*)_shared_enumerator_enumerate, + .destroy = _shared_enumerator_destroy, + }, + .me = me, + .other = other, + ); if (!me && !other) { e->inner = this->db->query(this->db, 
@@ -329,36 +314,141 @@ static enumerator_t* create_shared_enumerator(private_sql_cred_t *this, return &e->public; } + /** - * Implementation of credential_set_t.cache_cert. + * enumerator over CDPs */ -static void cache_cert(private_sql_cred_t *this, certificate_t *cert) +typedef struct { + /** implements enumerator_t */ + enumerator_t public; + /** inner SQL enumerator */ + enumerator_t *inner; + /** currently enumerated string */ + char *current; +} cdp_enumerator_t; + +/** + * types of CDPs + */ +typedef enum { + /** any available CDP */ + CDP_TYPE_ANY = 0, + /** CRL */ + CDP_TYPE_CRL, + /** OCSP Responder */ + CDP_TYPE_OCSP, +} cdp_type_t; + +METHOD(enumerator_t, cdp_enumerator_enumerate, bool, + cdp_enumerator_t *this, char **uri) +{ + char *text; + + free(this->current); + while (this->inner->enumerate(this->inner, &text)) + { + *uri = this->current = strdup(text); + return TRUE; + } + this->current = NULL; + return FALSE; +} + +METHOD(enumerator_t, cdp_enumerator_destroy, void, + cdp_enumerator_t *this) +{ + free(this->current); + this->inner->destroy(this->inner); + free(this); +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_sql_cred_t *this, certificate_type_t type, identification_t *id) +{ + cdp_enumerator_t *e; + cdp_type_t cdp_type; + + switch (type) + { /* we serve CRLs and OCSP responders */ + case CERT_X509_CRL: + cdp_type = CDP_TYPE_CRL; + break; + case CERT_X509_OCSP_RESPONSE: + cdp_type = CDP_TYPE_OCSP; + break; + case CERT_ANY: + cdp_type = CDP_TYPE_ANY; + break; + default: + return NULL; + } + INIT(e, + .public = { + .enumerate = (void*)_cdp_enumerator_enumerate, + .destroy = _cdp_enumerator_destroy, + }, + ); + if (id && id->get_type(id) != ID_ANY) + { + e->inner = this->db->query(this->db, + "SELECT dp.uri FROM certificate_distribution_points AS dp " + "JOIN certificate_authorities AS ca ON ca.id = dp.ca " + "JOIN certificates AS c ON c.id = ca.certificate " + "JOIN certificate_identity AS ci ON c.id = 
ci.certificate " + "JOIN identities AS i ON ci.identity = i.id " + "WHERE i.type = ? AND i.data = ? AND (? OR dp.type = ?)", + DB_INT, id->get_type(id), DB_BLOB, id->get_encoding(id), + DB_INT, cdp_type == CDP_TYPE_ANY, DB_INT, cdp_type, + DB_TEXT); + } + else + { + e->inner = this->db->query(this->db, + "SELECT dp.uri FROM certificate_distribution_points AS dp " + "WHERE (? OR dp.type = ?)", + DB_INT, cdp_type == CDP_TYPE_ANY, DB_INT, cdp_type, + DB_TEXT); + } + if (!e->inner) + { + free(e); + return NULL; + } + return &e->public; +} + +METHOD(credential_set_t, cache_cert, void, + private_sql_cred_t *this, certificate_t *cert) { /* TODO: implement CRL caching to database */ } -/** - * Implementation of sql_cred_t.destroy. - */ -static void destroy(private_sql_cred_t *this) +METHOD(sql_cred_t, destroy, void, + private_sql_cred_t *this) { free(this); } + /** * Described in header. */ sql_cred_t *sql_cred_create(database_t *db) { - private_sql_cred_t *this = malloc_thing(private_sql_cred_t); - - this->public.set.create_private_enumerator = (void*)create_private_enumerator; - this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; - this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; - this->public.set.create_cdp_enumerator = (void*)return_null; - this->public.set.cache_cert = (void*)cache_cert; - this->public.destroy = (void(*)(sql_cred_t*))destroy; - - this->db = db; + private_sql_cred_t *this; + + INIT(this, + .public = { + .set = { + .create_private_enumerator = _create_private_enumerator, + .create_cert_enumerator = _create_cert_enumerator, + .create_shared_enumerator = _create_shared_enumerator, + .create_cdp_enumerator = _create_cdp_enumerator, + .cache_cert = _cache_cert, + }, + .destroy = _destroy, + }, + .db = db, + ); return &this->public; } diff --git a/src/libcharon/plugins/sql/sql_plugin.c b/src/libcharon/plugins/sql/sql_plugin.c index 7b0a198d1..ad1eb91b1 100644 --- a/src/libcharon/plugins/sql/sql_plugin.c 
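Review bot: The `cdp_type_t` enumerators are used directly as values of the `dp.type` column in both `create_cdp_enumerator` queries (`DB_INT, cdp_type`), so the numeric mapping 0/1/2 = any/CRL/OCSP is an implicit schema contract that nothing documents; add a comment on the enum such as `/* values are stored verbatim in certificate_distribution_points.type */` so the schema and this code do not drift apart. In cdp_enumerator_enumerate the row text is passed to `strdup(text)` unchecked; if the driver hands back NULL for a NULL `uri` column that is undefined behaviour, so a `if (!text) continue;` guard is cheap insurance, and the `strdup` result is never checked for NULL either. Note also that `cache_cert` remains a TODO, so CRLs fetched from these distribution points are re-fetched on every validation.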
+++ b/src/libcharon/plugins/sql/sql_plugin.c @@ -53,10 +53,8 @@ struct private_sql_plugin_t { sql_logger_t *logger; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_sql_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sql_plugin_t *this) { charon->backends->remove_backend(charon->backends, &this->config->backend); lib->credmgr->remove_set(lib->credmgr, &this->cred->set); @@ -83,11 +81,15 @@ plugin_t *sql_plugin_create() return NULL; } - this = malloc_thing(private_sql_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .db = lib->db->create(lib->db, uri), + ); - this->db = lib->db->create(lib->db, uri); if (!this->db) { DBG1(DBG_CFG, "sql plugin failed to connect to database"); diff --git a/src/libcharon/plugins/stroke/Makefile.am b/src/libcharon/plugins/stroke/Makefile.am index 40888a40b..e561224e9 100644 --- a/src/libcharon/plugins/stroke/Makefile.am +++ b/src/libcharon/plugins/stroke/Makefile.am @@ -21,7 +21,6 @@ libstrongswan_stroke_la_SOURCES = \ stroke_cred.h stroke_cred.c \ stroke_ca.h stroke_ca.c \ stroke_attribute.h stroke_attribute.c \ - stroke_list.h stroke_list.c \ - stroke_shared_key.h stroke_shared_key.c + stroke_list.h stroke_list.c libstrongswan_stroke_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/stroke/Makefile.in b/src/libcharon/plugins/stroke/Makefile.in index e6e98838b..ccf3eeede 100644 --- a/src/libcharon/plugins/stroke/Makefile.in +++ b/src/libcharon/plugins/stroke/Makefile.in 
@@ -77,7 +77,7 @@ LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) libstrongswan_stroke_la_LIBADD = am_libstrongswan_stroke_la_OBJECTS = stroke_plugin.lo stroke_socket.lo \ stroke_config.lo stroke_control.lo stroke_cred.lo stroke_ca.lo \ - stroke_attribute.lo stroke_list.lo stroke_shared_key.lo + stroke_attribute.lo stroke_list.lo libstrongswan_stroke_la_OBJECTS = \ $(am_libstrongswan_stroke_la_OBJECTS) libstrongswan_stroke_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -292,8 +292,7 @@ libstrongswan_stroke_la_SOURCES = \ stroke_cred.h stroke_cred.c \ stroke_ca.h stroke_ca.c \ stroke_attribute.h stroke_attribute.c \ - stroke_list.h stroke_list.c \ - stroke_shared_key.h stroke_shared_key.c + stroke_list.h stroke_list.c libstrongswan_stroke_la_LDFLAGS = -module -avoid-version all: all-am @@ -386,7 +385,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_cred.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_list.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_plugin.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_shared_key.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/stroke_socket.Plo@am__quote@ .c.o: diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c index 9a3ae0ab9..69e13deb9 100644 --- a/src/libcharon/plugins/stroke/stroke_ca.c 
+++ b/src/libcharon/plugins/stroke/stroke_ca.c @@ -113,6 +113,7 @@ static void ca_section_destroy(ca_section_t *this) this->crl->destroy_function(this->crl, free); this->ocsp->destroy_function(this->ocsp, free); this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy)); + this->cert->destroy(this->cert); free(this->certuribase); free(this->name); free(this); @@ -207,11 +208,8 @@ static enumerator_t *create_inner_cdp_hashandurl(ca_section_t *section, cdp_data return enumerator; } -/** - * Implementation of credential_set_t.create_cdp_enumerator. - */ -static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, - certificate_type_t type, identification_t *id) +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_stroke_ca_t *this, certificate_type_t type, identification_t *id) { cdp_data_t *data; @@ -235,10 +233,9 @@ static enumerator_t *create_cdp_enumerator(private_stroke_ca_t *this, (type == CERT_X509) ? (void*)create_inner_cdp_hashandurl : (void*)create_inner_cdp, data, (void*)cdp_data_destroy); } -/** - * Implementation of stroke_ca_t.add. - */ -static void add(private_stroke_ca_t *this, stroke_msg_t *msg) + +METHOD(stroke_ca_t, add, void, + private_stroke_ca_t *this, stroke_msg_t *msg) { certificate_t *cert; ca_section_t *ca; @@ -279,10 +276,8 @@ static void add(private_stroke_ca_t *this, stroke_msg_t *msg) } } -/** - * Implementation of stroke_ca_t.del. - */ -static void del(private_stroke_ca_t *this, stroke_msg_t *msg) +METHOD(stroke_ca_t, del, void, + private_stroke_ca_t *this, stroke_msg_t *msg) { enumerator_t *enumerator; ca_section_t *ca = NULL; 
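Review bot: The added `this->cert->destroy(this->cert);` in ca_section_destroy is only correct if each section owns its own reference to the certificate; judging from the stroke_cred.c hunk at @@ -352, load_ca now returns the result of `add_cert_ref`, which presumably hands back a reference the caller owns, so the two changes fit together but the coupling is invisible here. Suggest recording it where the section stores the cert (in `add`, outside this hunk) with `/* owns a reference returned by load_ca()/add_cert_ref() */`, and using `DESTROY_IF(this->cert)` if a section can ever be created without a certificate. The remaining hunks of this file only convert functions to the METHOD macro.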
@@ -336,10 +331,8 @@ static void list_uris(linked_list_t *list, char *label, FILE *out) enumerator->destroy(enumerator); } -/** - * Implementation of stroke_ca_t.check_for_hash_and_url. - */ -static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cert) +METHOD(stroke_ca_t, check_for_hash_and_url, void, + private_stroke_ca_t *this, certificate_t* cert) { ca_section_t *section; enumerator_t *enumerator; @@ -376,10 +369,8 @@ static void check_for_hash_and_url(private_stroke_ca_t *this, certificate_t* cer hasher->destroy(hasher); } -/** - * Implementation of stroke_ca_t.list. - */ -static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_ca_t, list, void, + private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) { bool first = TRUE; ca_section_t *section; @@ -426,10 +417,8 @@ static void list(private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out) this->lock->unlock(this->lock); } -/** - * Implementation of stroke_ca_t.destroy - */ -static void destroy(private_stroke_ca_t *this) +METHOD(stroke_ca_t, destroy, void, + private_stroke_ca_t *this) { this->sections->destroy_function(this->sections, (void*)ca_section_destroy); this->lock->destroy(this->lock); 
@@ -441,22 +430,27 @@ static void destroy(private_stroke_ca_t *this) */ stroke_ca_t *stroke_ca_create(stroke_cred_t *cred) { - private_stroke_ca_t *this = malloc_thing(private_stroke_ca_t); - - this->public.set.create_private_enumerator = (void*)return_null; - this->public.set.create_cert_enumerator = (void*)return_null; - this->public.set.create_shared_enumerator = (void*)return_null; - this->public.set.create_cdp_enumerator = (void*)create_cdp_enumerator; - this->public.set.cache_cert = (void*)nop; - this->public.add = (void(*)(stroke_ca_t*, stroke_msg_t *msg))add; - this->public.del = (void(*)(stroke_ca_t*, stroke_msg_t *msg))del; - this->public.list = (void(*)(stroke_ca_t*, stroke_msg_t *msg, FILE *out))list; - this->public.check_for_hash_and_url = (void(*)(stroke_ca_t*, certificate_t*))check_for_hash_and_url; - this->public.destroy = (void(*)(stroke_ca_t*))destroy; - - this->sections = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); - this->cred = cred; + private_stroke_ca_t *this; + + INIT(this, + .public = { + .set = { + .create_private_enumerator = (void*)return_null, + .create_cert_enumerator = (void*)return_null, + .create_shared_enumerator = (void*)return_null, + .create_cdp_enumerator = _create_cdp_enumerator, + .cache_cert = (void*)nop, + }, + .add = _add, + .del = _del, + .list = _list, + .check_for_hash_and_url = _check_for_hash_and_url, + .destroy = _destroy, + }, + .sections = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .cred = cred, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c index 165212a5e..ea7d17592 100644 --- a/src/libcharon/plugins/stroke/stroke_config.c +++ b/src/libcharon/plugins/stroke/stroke_config.c 
@@ -53,12 +53,8 @@ struct private_stroke_config_t { stroke_cred_t *cred; }; -/** - * Implementation of backend_t.create_peer_cfg_enumerator. - */ -static enumerator_t* create_peer_cfg_enumerator(private_stroke_config_t *this, - identification_t *me, - identification_t *other) +METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*, + private_stroke_config_t *this, identification_t *me, identification_t *other) { this->mutex->lock(this->mutex); return enumerator_create_cleaner(this->list->create_enumerator(this->list), @@ -74,11 +70,8 @@ static bool ike_filter(void *data, peer_cfg_t **in, ike_cfg_t **out) return TRUE; } -/** - * Implementation of backend_t.create_ike_cfg_enumerator. - */ -static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this, - host_t *me, host_t *other) +METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*, + private_stroke_config_t *this, host_t *me, host_t *other) { this->mutex->lock(this->mutex); return enumerator_create_filter(this->list->create_enumerator(this->list), @@ -86,10 +79,8 @@ static enumerator_t* create_ike_cfg_enumerator(private_stroke_config_t *this, (void*)this->mutex->unlock); } -/** - * implements backend_t.get_peer_cfg_by_name. - */ -static peer_cfg_t *get_peer_cfg_by_name(private_stroke_config_t *this, char *name) +METHOD(backend_t, get_peer_cfg_by_name, peer_cfg_t*, + private_stroke_config_t *this, char *name) { enumerator_t *e1, *e2; peer_cfg_t *current, *found = NULL; 
@@ -438,13 +429,38 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this, enumerator->destroy(enumerator); } + /* certificatePolicies */ + if (end->cert_policy) + { + enumerator_t *enumerator; + char *policy; + + enumerator = enumerator_create_token(end->cert_policy, ",", " "); + while (enumerator->enumerate(enumerator, &policy)) + { + cfg->add(cfg, AUTH_RULE_CERT_POLICY, strdup(policy)); + } + enumerator->destroy(enumerator); + } + /* authentication metod (class, actually) */ if (streq(auth, "pubkey") || - streq(auth, "rsasig") || streq(auth, "rsa") || - streq(auth, "ecdsasig") || streq(auth, "ecdsa")) + strneq(auth, "rsa", strlen("rsa")) || + strneq(auth, "ecdsa", strlen("ecdsa"))) { + u_int strength; + cfg->add(cfg, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY); build_crl_policy(cfg, local, msg->add_conn.crl_policy); + + if (sscanf(auth, "rsa-%d", &strength) == 1) + { + cfg->add(cfg, AUTH_RULE_RSA_STRENGTH, (uintptr_t)strength); + } + if (sscanf(auth, "ecdsa-%d", &strength) == 1) + { + cfg->add(cfg, AUTH_RULE_ECDSA_STRENGTH, (uintptr_t)strength); + } } else if (streq(auth, "psk") || streq(auth, "secret")) { @@ -808,9 +824,9 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, child_cfg = child_cfg_create( msg->add_conn.name, &lifetime, msg->add_conn.me.updown, msg->add_conn.me.hostaccess, - msg->add_conn.mode, dpd, dpd, msg->add_conn.ipcomp, + msg->add_conn.mode, ACTION_NONE, dpd, dpd, msg->add_conn.ipcomp, msg->add_conn.inactivity, msg->add_conn.reqid, - &mark_in, &mark_out); + &mark_in, &mark_out, msg->add_conn.tfc); child_cfg->set_mipv6_options(child_cfg, msg->add_conn.proxy_mode, msg->add_conn.install_policy); add_ts(this, &msg->add_conn.me, child_cfg, TRUE); 
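Review bot: `sscanf(auth, "rsa-%d", &strength)` in the pubkey branch passes a `u_int *` to a `%d` conversion; it should be `%u` (same for the `ecdsa-%d` line). A suffix that does not parse (`rsa-` followed by garbage) or a negative value silently drops the strength rule, so the connection ends up with an unconstrained pubkey auth and no log line; a `DBG1(DBG_CFG, ...)` warning on that path, and a check that a zero strength is really meant as "no minimum", would make the policy failure visible. The new `strneq(auth, "rsa", strlen("rsa"))` prefix test also accepts any token beginning with `rsa`/`ecdsa`, which is looser than the exact list it replaces; document the accepted forms above the condition, e.g. `/* pubkey, rsa[sig][-strength], ecdsa[sig][-strength] */`, or match the exact prefixes. build_auth_cfg starts and ends outside this hunk.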
@@ -821,10 +837,8 @@ static child_cfg_t *build_child_cfg(private_stroke_config_t *this, return child_cfg; } -/** - * Implementation of stroke_config_t.add. - */ -static void add(private_stroke_config_t *this, stroke_msg_t *msg) +METHOD(stroke_config_t, add, void, + private_stroke_config_t *this, stroke_msg_t *msg) { ike_cfg_t *ike_cfg, *existing_ike; peer_cfg_t *peer_cfg, *existing; @@ -884,10 +898,8 @@ static void add(private_stroke_config_t *this, stroke_msg_t *msg) } } -/** - * Implementation of stroke_config_t.del. - */ -static void del(private_stroke_config_t *this, stroke_msg_t *msg) +METHOD(stroke_config_t, del, void, + private_stroke_config_t *this, stroke_msg_t *msg) { enumerator_t *enumerator, *children; peer_cfg_t *peer; @@ -938,10 +950,8 @@ static void del(private_stroke_config_t *this, stroke_msg_t *msg) } } -/** - * Implementation of stroke_config_t.destroy - */ -static void destroy(private_stroke_config_t *this) +METHOD(stroke_config_t, destroy, void, + private_stroke_config_t *this) { this->list->destroy_offset(this->list, offsetof(peer_cfg_t, destroy)); this->mutex->destroy(this->mutex); 
@@ -953,19 +963,24 @@ static void destroy(private_stroke_config_t *this) */ stroke_config_t *stroke_config_create(stroke_ca_t *ca, stroke_cred_t *cred) { - private_stroke_config_t *this = malloc_thing(private_stroke_config_t); - - this->public.backend.create_peer_cfg_enumerator = (enumerator_t*(*)(backend_t*, identification_t *me, identification_t *other))create_peer_cfg_enumerator; - this->public.backend.create_ike_cfg_enumerator = (enumerator_t*(*)(backend_t*, host_t *me, host_t *other))create_ike_cfg_enumerator; - this->public.backend.get_peer_cfg_by_name = (peer_cfg_t* (*)(backend_t*,char*))get_peer_cfg_by_name; - this->public.add = (void(*)(stroke_config_t*, stroke_msg_t *msg))add; - this->public.del = (void(*)(stroke_config_t*, stroke_msg_t *msg))del; - this->public.destroy = (void(*)(stroke_config_t*))destroy; - - this->list = linked_list_create(); - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); - this->ca = ca; - this->cred = cred; + private_stroke_config_t *this; + + INIT(this, + .public = { + .backend = { + .create_peer_cfg_enumerator = _create_peer_cfg_enumerator, + .create_ike_cfg_enumerator = _create_ike_cfg_enumerator, + .get_peer_cfg_by_name = _get_peer_cfg_by_name, + }, + .add = _add, + .del = _del, + .destroy = _destroy, + }, + .list = linked_list_create(), + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + .ca = ca, + .cred = cred, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_control.c b/src/libcharon/plugins/stroke/stroke_control.c index e0398ba78..3541ab8f9 100644 --- a/src/libcharon/plugins/stroke/stroke_control.c +++ b/src/libcharon/plugins/stroke/stroke_control.c @@ -17,6 +17,8 @@ #include #include +#include +#include typedef struct private_stroke_control_t private_stroke_control_t; 
@@ -90,10 +92,8 @@ static child_cfg_t* get_child_from_peer(peer_cfg_t *peer_cfg, char *name) return found; } -/** - * Implementation of stroke_control_t.initiate. - */ -static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, initiate, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; 
@@ -137,76 +137,89 @@ static void initiate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *ou } /** - * Implementation of stroke_control_t.terminate. + * Parse a terminate/rekey specifier */ -static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +static bool parse_specifier(char *string, u_int32_t *id, + char **name, bool *child, bool *all) { - char *string, *pos = NULL, *name = NULL; - u_int32_t id = 0; - bool child, all = FALSE; int len; - ike_sa_t *ike_sa; - enumerator_t *enumerator; - linked_list_t *ike_list, *child_list; - stroke_log_info_t info; - uintptr_t del; + char *pos = NULL; - string = msg->terminate.name; + *id = 0; + *name = NULL; + *all = FALSE; len = strlen(string); if (len < 1) { - DBG1(DBG_CFG, "error parsing string"); - return; + return FALSE; } switch (string[len-1]) { case '}': - child = TRUE; + *child = TRUE; pos = strchr(string, '{'); break; case ']': - child = FALSE; + *child = FALSE; pos = strchr(string, '['); break; default: - name = string; - child = FALSE; + *name = string; + *child = FALSE; break; } - if (name) + if (*name) { /* is a single name */ } else if (pos == string + len - 2) { /* is name[] or name{} */ string[len-2] = '\0'; - name = string; + *name = string; } else { if (!pos) { - DBG1(DBG_CFG, "error parsing string"); - return; + return FALSE; } if (*(pos + 1) == '*') { /* is name[*] */ - all = TRUE; + *all = TRUE; *pos = '\0'; - name = string; + *name = string; } else { /* is name[123] or name{23} */ - id = atoi(pos + 1); - if (id == 0) + *id = atoi(pos + 1); + if (*id == 0) { - DBG1(DBG_CFG, "error parsing string"); - return; + return FALSE; } } } + return TRUE; +} + +METHOD(stroke_control_t, terminate, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +{ + char *name; + u_int32_t id; + bool child, all; + ike_sa_t *ike_sa; + enumerator_t *enumerator; + linked_list_t *ike_list, *child_list; + stroke_log_info_t info; + uintptr_t del; + + if 
(!parse_specifier(msg->terminate.name, &id, &name, &child, &all)) + { + DBG1(DBG_CFG, "error parsing specifier string"); + return; + } info.out = out; info.level = msg->output_verbosity; 
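Review bot: parse_specifier modifies its input in place (`string[len-2] = '\0'`, `*pos = '\0'`) and returns `*name` pointing into it, which the new doc comment does not say; suggest expanding it to a few lines along the lines of `/** Parse a terminate/rekey specifier: name, name[], name{}, name[*], name{*}, name[id], name{reqid}. Modifies string in place; *name points into it. @return FALSE on a malformed specifier. */`. The `*id = atoi(pos + 1)` check only rejects a result of 0, so `name[12abc]` or a negative number (wrapped into u_int32_t) is accepted; now that parsing lives in one helper, `strtoul` with an end-pointer check (`*end == ']' || *end == '}'`) would reject those. This hunk ends inside terminate, whose body continues outside it.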
@@ -293,11 +306,68 @@ static void terminate(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o child_list->destroy(child_list); } -/** - * Implementation of stroke_control_t.terminate_srcip. - */ -static void terminate_srcip(private_stroke_control_t *this, - stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, rekey, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +{ + char *name; + u_int32_t id; + bool child, all, finished = FALSE; + ike_sa_t *ike_sa; + enumerator_t *enumerator; + + if (!parse_specifier(msg->terminate.name, &id, &name, &child, &all)) + { + DBG1(DBG_CFG, "error parsing specifier string"); + return; + } + enumerator = charon->controller->create_ike_sa_enumerator(charon->controller); + while (enumerator->enumerate(enumerator, &ike_sa)) + { + child_sa_t *child_sa; + iterator_t *children; + + if (child) + { + children = ike_sa->create_child_sa_iterator(ike_sa); + while (children->iterate(children, (void**)&child_sa)) + { + if ((name && streq(name, child_sa->get_name(child_sa))) || + (id && id == child_sa->get_reqid(child_sa))) + { + lib->processor->queue_job(lib->processor, + (job_t*)rekey_child_sa_job_create( + child_sa->get_reqid(child_sa), + child_sa->get_protocol(child_sa), + child_sa->get_spi(child_sa, TRUE))); + if (!all) + { + finished = TRUE; + break; + } + } + } + children->destroy(children); + } + else if ((name && streq(name, ike_sa->get_name(ike_sa))) || + (id && id == ike_sa->get_unique_id(ike_sa))) + { + lib->processor->queue_job(lib->processor, + (job_t*)rekey_ike_sa_job_create(ike_sa->get_id(ike_sa), FALSE)); + if (!all) + { + finished = TRUE; + } + } + if (finished) + { + break; + } + } + enumerator->destroy(enumerator); +} + +METHOD(stroke_control_t, terminate_srcip, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { enumerator_t *enumerator; ike_sa_t *ike_sa; 
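Review bot: The `out` parameter of rekey is never written, so a specifier that matches no IKE_SA or CHILD_SA gives the caller no feedback, unlike terminate which reports through `info.out`. Suggest a `bool found = FALSE;` set beside each `queue_job` call and, after `enumerator->destroy(enumerator);`, `if (!found) { fprintf(out, "no matching SA found\n"); }`; if the original specifier is to be echoed, note that parse_specifier has truncated `msg->terminate.name` in place by then. Reading the rekey specifier from `msg->terminate.name` presumably relies on the message layout sharing that field; a one-line comment there would save the next reader a lookup.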
@@ -362,10 +432,8 @@ static void terminate_srcip(private_stroke_control_t *this, DESTROY_IF(end); } -/** - * Implementation of stroke_control_t.purge_ike - */ -static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, purge_ike, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { enumerator_t *enumerator; iterator_t *iterator; @@ -402,10 +470,8 @@ static void purge_ike(private_stroke_control_t *this, stroke_msg_t *msg, FILE *o list->destroy(list); } -/** - * Implementation of stroke_control_t.route. - */ -static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, route, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { peer_cfg_t *peer_cfg; child_cfg_t *child_cfg; @@ -443,10 +509,8 @@ static void route(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) child_cfg->destroy(child_cfg); } -/** - * Implementation of stroke_control_t.unroute. - */ -static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_control_t, unroute, void, + private_stroke_control_t *this, stroke_msg_t *msg, FILE *out) { child_sa_t *child_sa; enumerator_t *enumerator; @@ -468,10 +532,8 @@ static void unroute(private_stroke_control_t *this, stroke_msg_t *msg, FILE *out fprintf(out, "configuration '%s' not found\n", msg->unroute.name); } -/** - * Implementation of stroke_control_t.destroy - */ -static void destroy(private_stroke_control_t *this) +METHOD(stroke_control_t, destroy, void, + private_stroke_control_t *this) { free(this); } 
@@ -481,15 +543,20 @@ static void destroy(private_stroke_control_t *this) */ stroke_control_t *stroke_control_create() { - private_stroke_control_t *this = malloc_thing(private_stroke_control_t); - - this->public.initiate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))initiate; - this->public.terminate = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate; - this->public.terminate_srcip = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))terminate_srcip; - this->public.purge_ike = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))purge_ike; - this->public.route = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))route; - this->public.unroute = (void(*)(stroke_control_t*, stroke_msg_t *msg, FILE *out))unroute; - this->public.destroy = (void(*)(stroke_control_t*))destroy; + private_stroke_control_t *this; + + INIT(this, + .public = { + .initiate = _initiate, + .terminate = _terminate, + .terminate_srcip = _terminate_srcip, + .rekey = _rekey, + .purge_ike = _purge_ike, + .route = _route, + .unroute = _unroute, + .destroy = _destroy, + }, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_control.h b/src/libcharon/plugins/stroke/stroke_control.h index 9b49bdc31..869aab3d3 100644 --- a/src/libcharon/plugins/stroke/stroke_control.h +++ b/src/libcharon/plugins/stroke/stroke_control.h @@ -53,6 +53,13 @@ struct stroke_control_t { */ void (*terminate_srcip)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); + /** + * Rekey a connection. + * + * @param msg stroke message + */ + void (*rekey)(stroke_control_t *this, stroke_msg_t *msg, FILE *out); + /** * Delete IKE_SAs without a CHILD_SA. * diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c index 91e71f1f4..83e5a9ad6 100644 --- a/src/libcharon/plugins/stroke/stroke_cred.c +++ b/src/libcharon/plugins/stroke/stroke_cred.c 
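Review bot: The new `rekey` doc comment in stroke_control.h documents only `msg`; the `out` parameter is missing. Suggest adding `@param out output stream to report results to` and stating that the specifier syntax is the one accepted by terminate. The stroke_control_create hunk before it only wires `_rekey` into the INIT block.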
@@ -1,5 +1,5 @@ /* - * Copyright (C) 2008 Tobias Brunner + * Copyright (C) 2008-2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -25,7 +25,6 @@ #include #include "stroke_cred.h" -#include "stroke_shared_key.h" #include #include @@ -64,24 +63,9 @@ struct private_stroke_cred_t { stroke_cred_t public; /** - * list of trusted peer/signer/CA certificates (certificate_t) + * credentials */ - linked_list_t *certs; - - /** - * list of shared secrets (private_shared_key_t) - */ - linked_list_t *shared; - - /** - * list of private keys (private_key_t) - */ - linked_list_t *private; - - /** - * read-write lock to lists - */ - rwlock_t *lock; + mem_cred_t *creds; /** * cache CRLs to disk? 
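Review bot: The replacement field comment `credentials` on `mem_cred_t *creds` says less than the four comments it replaces, and the reader has no hint why the rwlock could go. Suggest `/** in-memory credential set holding trusted certificates, private keys and shared secrets; presumably does its own locking, which is why the former rwlock is gone */`. The removal of lock/unlock pairs around the builder calls in the later load_pin and load_private hunks rests on that assumption, so stating it here is worthwhile.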
@@ -89,237 +73,6 @@ struct private_stroke_cred_t { bool cachecrl; }; -/** - * data to pass to various filters - */ -typedef struct { - private_stroke_cred_t *this; - identification_t *id; - certificate_type_t cert; - key_type_t key; -} id_data_t; - -/** - * destroy id enumerator data and unlock list - */ -static void id_data_destroy(id_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * filter function for private key enumerator - */ -static bool private_filter(id_data_t *data, - private_key_t **in, private_key_t **out) -{ - private_key_t *key; - - key = *in; - if (data->key == KEY_ANY || data->key == key->get_type(key)) - { - if (data->id == NULL) - { - *out = key; - return TRUE; - } - if (key->has_fingerprint(key, data->id->get_encoding(data->id))) - { - *out = key; - return TRUE; - } - } - return FALSE; -} - -/** - * Implements credential_set_t.create_private_enumerator - */ -static enumerator_t* create_private_enumerator(private_stroke_cred_t *this, - key_type_t type, identification_t *id) -{ - id_data_t *data; - - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - data->key = type; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->private->create_enumerator(this->private), - (void*)private_filter, data, - (void*)id_data_destroy); -} - -/** - * filter function for certs enumerator - */ -static bool certs_filter(id_data_t *data, certificate_t **in, certificate_t **out) -{ - public_key_t *public; - certificate_t *cert = *in; - - if (data->cert != CERT_ANY && data->cert != cert->get_type(cert)) - { - return FALSE; - } - if (data->id == NULL || cert->has_subject(cert, data->id)) - { - *out = *in; - return TRUE; - } - - public = cert->get_public_key(cert); - if (public) - { - if (data->key == KEY_ANY || data->key != public->get_type(public)) - { - if (public->has_fingerprint(public, data->id->get_encoding(data->id))) - { - public->destroy(public); - *out = *in; - return TRUE; - 
} - } - public->destroy(public); - } - return FALSE; -} - -/** - * Implements credential_set_t.create_cert_enumerator - */ -static enumerator_t* create_cert_enumerator(private_stroke_cred_t *this, - certificate_type_t cert, key_type_t key, - identification_t *id, bool trusted) -{ - id_data_t *data; - - if (trusted && (cert == CERT_X509_CRL || cert == CERT_X509_AC)) - { - return NULL; - } - data = malloc_thing(id_data_t); - data->this = this; - data->id = id; - data->cert = cert; - data->key = key; - - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->certs->create_enumerator(this->certs), - (void*)certs_filter, data, - (void*)id_data_destroy); -} - -typedef struct { - private_stroke_cred_t *this; - identification_t *me; - identification_t *other; - shared_key_type_t type; -} shared_data_t; - -/** - * free shared key enumerator data and unlock list - */ -static void shared_data_destroy(shared_data_t *data) -{ - data->this->lock->unlock(data->this->lock); - free(data); -} - -/** - * filter function for certs enumerator - */ -static bool shared_filter(shared_data_t *data, - stroke_shared_key_t **in, shared_key_t **out, - void **unused1, id_match_t *me, - void **unused2, id_match_t *other) -{ - id_match_t my_match = ID_MATCH_NONE, other_match = ID_MATCH_NONE; - stroke_shared_key_t *stroke = *in; - shared_key_t *shared = &stroke->shared; - - if (data->type != SHARED_ANY && shared->get_type(shared) != data->type) - { - return FALSE; - } - - if (data->me) - { - my_match = stroke->has_owner(stroke, data->me); - } - if (data->other) - { - other_match = stroke->has_owner(stroke, data->other); - } - if ((data->me || data->other) && (!my_match && !other_match)) - { - return FALSE; - } - *out = shared; - if (me) - { - *me = my_match; - } - if (other) - { - *other = other_match; - } - return TRUE; -} - -/** - * Implements credential_set_t.create_shared_enumerator - */ -static enumerator_t* create_shared_enumerator(private_stroke_cred_t *this, - 
shared_key_type_t type, identification_t *me, - identification_t *other) -{ - shared_data_t *data = malloc_thing(shared_data_t); - - data->this = this; - data->me = me; - data->other = other; - data->type = type; - this->lock->read_lock(this->lock); - return enumerator_create_filter(this->shared->create_enumerator(this->shared), - (void*)shared_filter, data, - (void*)shared_data_destroy); -} - -/** - * Add a certificate to chain - */ -static certificate_t* add_cert(private_stroke_cred_t *this, certificate_t *cert) -{ - certificate_t *current; - enumerator_t *enumerator; - bool new = TRUE; - - this->lock->read_lock(this->lock); - enumerator = this->certs->create_enumerator(this->certs); - while (enumerator->enumerate(enumerator, (void**)¤t)) - { - if (current->equals(current, cert)) - { - /* cert already in queue */ - cert->destroy(cert); - cert = current; - new = FALSE; - break; - } - } - enumerator->destroy(enumerator); - - if (new) - { - this->certs->insert_last(this->certs, cert); - } - this->lock->unlock(this->lock); - return cert; -} - /** * Implementation of stroke_cred_t.load_ca. */ 
@@ -352,84 +105,11 @@ static certificate_t* load_ca(private_stroke_cred_t *this, char *filename) cert->destroy(cert); return NULL; } - return (certificate_t*)add_cert(this, cert); + return this->creds->add_cert_ref(this->creds, TRUE, cert); } return NULL; } -/** - * Add X.509 CRL to chain - */ -static bool add_crl(private_stroke_cred_t *this, crl_t* crl) -{ - certificate_t *current, *cert = &crl->certificate; - enumerator_t *enumerator; - bool new = TRUE, found = FALSE; - - this->lock->write_lock(this->lock); - enumerator = this->certs->create_enumerator(this->certs); - while (enumerator->enumerate(enumerator, (void**)¤t)) - { - if (current->get_type(current) == CERT_X509_CRL) - { - crl_t *crl_c = (crl_t*)current; - chunk_t authkey = crl->get_authKeyIdentifier(crl); - chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); - - /* if compare authorityKeyIdentifiers if available */ - if (authkey.ptr && authkey_c.ptr && chunk_equals(authkey, authkey_c)) - { - found = TRUE; - } - else - { - identification_t *issuer = cert->get_issuer(cert); - identification_t *issuer_c = current->get_issuer(current); - - /* otherwise compare issuer distinguished names */ - if (issuer->equals(issuer, issuer_c)) - { - found = TRUE; - } - } - if (found) - { - new = crl_is_newer(crl, crl_c); - if (new) - { - this->certs->remove_at(this->certs, enumerator); - } - else - { - cert->destroy(cert); - } - break; - } - } - } - enumerator->destroy(enumerator); - - if (new) - { - this->certs->insert_last(this->certs, cert); - } - this->lock->unlock(this->lock); - return new; -} - -/** - * Add X.509 attribute certificate to chain - */ -static bool add_ac(private_stroke_cred_t *this, ac_t* ac) -{ - certificate_t *cert = &ac->certificate; - - this->lock->write_lock(this->lock); - this->certs->insert_last(this->certs, cert); - this->lock->unlock(this->lock); - return TRUE; -} - /** * Implementation of stroke_cred_t.load_peer. */ 
@@ -453,10 +133,10 @@ static certificate_t* load_peer(private_stroke_cred_t *this, char *filename) BUILD_END); if (cert) { - cert = add_cert(this, cert); + cert = this->creds->add_cert_ref(this->creds, TRUE, cert); DBG1(DBG_CFG, " loaded certificate \"%Y\" from '%s'", cert->get_subject(cert), filename); - return cert->get_ref(cert); + return cert; } DBG1(DBG_CFG, " loading certificate from '%s' failed", filename); return NULL; @@ -511,8 +191,8 @@ static void load_certdir(private_stroke_cred_t *this, char *path, } else { - DBG1(DBG_CFG, " loaded ca certificate \"%Y\" from '%s'", - cert->get_subject(cert), file); + DBG1(DBG_CFG, " loaded ca certificate \"%Y\" " + "from '%s'", cert->get_subject(cert), file); } } else @@ -540,7 +220,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, } if (cert) { - add_cert(this, cert); + this->creds->add_cert(this->creds, TRUE, cert); } break; case CERT_X509_CRL: @@ -550,7 +230,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, BUILD_END); if (cert) { - add_crl(this, (crl_t*)cert); + this->creds->add_crl(this->creds, (crl_t*)cert); DBG1(DBG_CFG, " loaded crl from '%s'", file); } else @@ -565,7 +245,7 @@ static void load_certdir(private_stroke_cred_t *this, char *path, BUILD_END); if (cert) { - add_ac(this, (ac_t*)cert); + this->creds->add_cert(this->creds, FALSE, cert); DBG1(DBG_CFG, " loaded attribute certificate from '%s'", file); } @@ -593,7 +273,7 @@ static void cache_cert(private_stroke_cred_t *this, certificate_t *cert) crl_t *crl = (crl_t*)cert; cert->get_ref(cert); - if (add_crl(this, crl)) + if (this->creds->add_crl(this->creds, crl)) { char buf[BUF_LEN]; chunk_t chunk, hex; @@ -914,7 +594,6 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, } /* unlock: smartcard needs the pin and potentially calls public set */ - this->lock->unlock(this->lock); switch (format) { case SC_FORMAT_SLOT_MODULE_KEYID: 
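Review bot: In the cache_cert hunk, `cert->get_ref(cert);` takes a reference before `this->creds->add_crl(this->creds, crl)`, but nothing in the hunk releases it when add_crl returns FALSE, whereas the removed add_crl destroyed an older CRL itself; if mem_cred's add_crl does not consume the reference on rejection, one reference leaks for every duplicate or older CRL that is fetched. Worth confirming against mem_cred and recording the contract with `/* add_crl takes over our reference, also when it rejects the CRL */`, or releasing it explicitly on the FALSE path. The same ownership question applies to `add_cert_ref`/`add_cert` in the load_peer and load_certdir hunks above. cache_cert's body continues outside the hunk.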
@@ -936,7 +615,6 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, BUILD_PKCS11_KEYID, chunk, BUILD_END); break; } - this->lock->write_lock(this->lock); if (mem) { lib->credmgr->remove_local_set(lib->credmgr, &mem->set); @@ -951,7 +629,7 @@ static bool load_pin(private_stroke_cred_t *this, chunk_t line, int line_nr, if (key) { DBG1(DBG_CFG, " loaded private key from %.*s", sc.len, sc.ptr); - this->private->insert_last(this->private, key); + this->creds->add_key(this->creds, key); } return TRUE; } @@ -1022,11 +700,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, cb = callback_cred_create_shared((void*)passphrase_cb, &pp_data); lib->credmgr->add_local_set(lib->credmgr, &cb->set); - /* unlock, as the builder might ask for a secret */ - this->lock->unlock(this->lock); key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_END); - this->lock->write_lock(this->lock); lib->credmgr->remove_local_set(lib->credmgr, &cb->set); cb->destroy(cb); @@ -1042,11 +717,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, mem->add_shared(mem, shared, NULL); lib->credmgr->add_local_set(lib->credmgr, &mem->set); - /* unlock, as the builder might ask for a secret */ - this->lock->unlock(this->lock); key = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, key_type, BUILD_FROM_FILE, path, BUILD_END); - this->lock->write_lock(this->lock); lib->credmgr->remove_local_set(lib->credmgr, &mem->set); mem->destroy(mem); @@ -1055,7 +727,7 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, { DBG1(DBG_CFG, " loaded %N private key from '%s'", key_type_names, key->get_type(key), path); - this->private->insert_last(this->private, key); + this->creds->add_key(this->creds, key); } else { 
@@ -1070,7 +742,8 @@ static bool load_private(private_stroke_cred_t *this, chunk_t line, int line_nr, static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, shared_key_type_t type, chunk_t ids) { - stroke_shared_key_t *shared_key; + shared_key_t *shared_key; + linked_list_t *owners; chunk_t secret = chunk_empty; bool any = TRUE; @@ -1080,12 +753,12 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, DBG1(DBG_CFG, "line %d: malformed secret: %s", line_nr, ugh); return FALSE; } - shared_key = stroke_shared_key_create(type, secret); + shared_key = shared_key_create(type, secret); DBG1(DBG_CFG, " loaded %N secret for %s", shared_key_type_names, type, ids.len > 0 ? (char*)ids.ptr : "%any"); DBG4(DBG_CFG, " secret: %#B", &secret); - this->shared->insert_last(this->shared, shared_key); + owners = linked_list_create(); while (ids.len > 0) { chunk_t id; @@ -1111,14 +784,15 @@ static bool load_shared(private_stroke_cred_t *this, chunk_t line, int line_nr, continue; } - shared_key->add_owner(shared_key, peer_id); + owners->insert_last(owners, peer_id); any = FALSE; } if (any) { - shared_key->add_owner(shared_key, + owners->insert_last(owners, identification_create_from_encoding(ID_ANY, chunk_empty)); } + this->creds->add_shared_list(this->creds, shared_key, owners); return TRUE; } @@ -1130,8 +804,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, { int line_nr = 0, fd; chunk_t src, line; - private_key_t *private; - shared_key_t *shared; struct stat sb; void *addr; 
@@ -1160,20 +832,8 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, src = chunk_create(addr, sb.st_size); if (level == 0) - { - this->lock->write_lock(this->lock); - - /* flush secrets on non-recursive invocation */ - while (this->shared->remove_last(this->shared, - (void**)&shared) == SUCCESS) - { - shared->destroy(shared); - } - while (this->private->remove_last(this->private, - (void**)&private) == SUCCESS) - { - private->destroy(private); - } + { /* flush secrets on non-recursive invocation */ + this->creds->clear_secrets(this->creds); } while (fetchline(&src, &line)) @@ -1234,7 +894,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, if (glob(pattern, GLOB_ERR, NULL, &buf) != 0) { DBG1(DBG_CFG, "expanding file expression '%s' failed", pattern); - globfree(&buf); } else { @@ -1302,10 +961,6 @@ static void load_secrets(private_stroke_cred_t *this, char *file, int level, break; } } - if (level == 0) - { - this->lock->unlock(this->lock); - } munmap(addr, sb.st_size); close(fd); } @@ -1384,10 +1039,8 @@ static void reread(private_stroke_cred_t *this, stroke_msg_t *msg, FILE *prompt) */ static void destroy(private_stroke_cred_t *this) { - this->certs->destroy_offset(this->certs, offsetof(certificate_t, destroy)); - this->shared->destroy_offset(this->shared, offsetof(shared_key_t, destroy)); - this->private->destroy_offset(this->private, offsetof(private_key_t, destroy)); - this->lock->destroy(this->lock); + lib->credmgr->remove_set(lib->credmgr, &this->creds->set); + this->creds->destroy(this->creds); free(this); } 
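Review bot: Dropping `globfree(&buf);` from the glob() failure branch in load_secrets removes one hazard but leaves another: on GLOB_NOMATCH some libcs leave `buf` untouched, so freeing it was unsafe, but as I read POSIX a glob() that fails with GLOB_ABORTED (which the GLOB_ERR flag used here makes likelier) or GLOB_NOSPACE may leave partially filled gl_pathc/gl_pathv behind, and those now leak on every reread of ipsec.secrets. I would zero the structure where it is declared, `memset(&buf, 0, sizeof(buf));`, and keep a `globfree(&buf);` on both the success and the failure path. The declaration of `buf` and the rest of load_secrets are outside this hunk.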
@@ -1398,9 +1051,9 @@ stroke_cred_t *stroke_cred_create() { private_stroke_cred_t *this = malloc_thing(private_stroke_cred_t); - this->public.set.create_private_enumerator = (void*)create_private_enumerator; - this->public.set.create_cert_enumerator = (void*)create_cert_enumerator; - this->public.set.create_shared_enumerator = (void*)create_shared_enumerator; + this->public.set.create_private_enumerator = (void*)return_null; + this->public.set.create_cert_enumerator = (void*)return_null; + this->public.set.create_shared_enumerator = (void*)return_null; this->public.set.create_cdp_enumerator = (void*)return_null; this->public.set.cache_cert = (void*)cache_cert; this->public.reread = (void(*)(stroke_cred_t*, stroke_msg_t *msg, FILE*))reread; @@ -1409,10 +1062,8 @@ stroke_cred_t *stroke_cred_create() this->public.cachecrl = (void(*)(stroke_cred_t*, bool enabled))cachecrl; this->public.destroy = (void(*)(stroke_cred_t*))destroy; - this->certs = linked_list_create(); - this->shared = linked_list_create(); - this->private = linked_list_create(); - this->lock = rwlock_create(RWLOCK_TYPE_DEFAULT); + this->creds = mem_cred_create(); + lib->credmgr->add_set(lib->credmgr, &this->creds->set); load_certs(this); load_secrets(this, SECRETS_FILE, 0, NULL); diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c index 86deea490..36311f092 100644 --- a/src/libcharon/plugins/stroke/stroke_list.c +++ b/src/libcharon/plugins/stroke/stroke_list.c @@ -388,10 +388,8 @@ static void log_auth_cfgs(FILE *out, peer_cfg_t *peer_cfg, bool local) enumerator->destroy(enumerator); } -/** - * Implementation of stroke_list_t.status. - */ -static void status(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all) +METHOD(stroke_list_t, status, void, + private_stroke_list_t *this, stroke_msg_t *msg, FILE *out, bool all) { enumerator_t *enumerator, *children; ike_cfg_t *ike_cfg; 
@@ -756,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label, enumerator_t *enumerator; identification_t *altName; bool first_altName = TRUE; - int pathlen; + u_int pathlen; chunk_t serial, authkey; time_t notBefore, notAfter; public_key_t *public; @@ -836,10 +834,10 @@ static void stroke_list_certs(linked_list_t *list, char *label, } /* list optional pathLenConstraint */ - pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) + pathlen = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen != X509_NO_CONSTRAINT) { - fprintf(out, " pathlen: %d\n", pathlen); + fprintf(out, " pathlen: %u\n", pathlen); } /* list optional ipAddrBlocks */ @@ -979,6 +977,10 @@ static void stroke_list_crls(linked_list_t *list, bool utc, FILE *out) { fprintf(out, " serial: %#B\n", &chunk); } + if (crl->is_delta_crl(crl, &chunk)) + { + fprintf(out, " delta for: %#B\n", &chunk); + } /* count the number of revoked certificates */ { @@ -1059,6 +1061,25 @@ static void stroke_list_ocsp(linked_list_t* list, bool utc, FILE *out) enumerator->destroy(enumerator); } +/** + * Print the name of an algorithm plus the name of the plugin that registered it + */ +static void print_alg(FILE *out, int *len, enum_name_t *alg_names, int alg_type, + const char *plugin_name) +{ + char alg_name[BUF_LEN]; + int alg_name_len; + + alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type, plugin_name); + if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) + { + fprintf(out, "\n "); + *len = 13; + } + fprintf(out, "%s", alg_name); + *len += alg_name_len; +} + /** * List of registered cryptographical algorithms */ 
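Review bot: `alg_name_len = sprintf(alg_name, " %N[%s]", alg_names, alg_type, plugin_name);` in the new print_alg writes into a fixed `char alg_name[BUF_LEN]` with no bound; the enum and plugin names are short in practice, but a bounded write costs nothing: `alg_name_len = snprintf(alg_name, sizeof(alg_name), " %N[%s]", alg_names, alg_type, plugin_name);`. Because snprintf returns the untruncated length, clamp it before it feeds the line-width arithmetic, e.g. `if (alg_name_len < 0 || (size_t)alg_name_len >= sizeof(alg_name)) alg_name_len = sizeof(alg_name) - 1;`. The `13` assigned to `*len` after a wrap appears to be the width of the label column that list_algs prints; a named constant would make that coupling explicit.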
@@ -1070,58 +1091,73 @@ static void list_algs(FILE *out) hash_algorithm_t hash; pseudo_random_function_t prf; diffie_hellman_group_t group; + rng_quality_t quality; + const char *plugin_name; + int len; fprintf(out, "\n"); fprintf(out, "List of registered IKEv2 Algorithms:\n"); - fprintf(out, "\n encryption: "); + fprintf(out, "\n encryption:"); + len = 13; enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption)) + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - fprintf(out, "%N ", encryption_algorithm_names, encryption); + print_alg(out, &len, encryption_algorithm_names, encryption, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n integrity: "); + fprintf(out, "\n integrity: "); + len = 13; enumerator = lib->crypto->create_signer_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &integrity)) + while (enumerator->enumerate(enumerator, &integrity, &plugin_name)) { - fprintf(out, "%N ", integrity_algorithm_names, integrity); + print_alg(out, &len, integrity_algorithm_names, integrity, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n aead: "); + fprintf(out, "\n aead: "); + len = 13; enumerator = lib->crypto->create_aead_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption)) + while (enumerator->enumerate(enumerator, &encryption, &plugin_name)) { - fprintf(out, "%N ", encryption_algorithm_names, encryption); + print_alg(out, &len, encryption_algorithm_names, encryption, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n hasher: "); + fprintf(out, "\n hasher: "); + len = 13; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &hash)) + while (enumerator->enumerate(enumerator, &hash, &plugin_name)) { - fprintf(out, "%N ", hash_algorithm_names, hash); + print_alg(out, &len, hash_algorithm_names, hash, plugin_name); } 
enumerator->destroy(enumerator); - fprintf(out, "\n prf: "); + fprintf(out, "\n prf: "); + len = 13; enumerator = lib->crypto->create_prf_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &prf)) + while (enumerator->enumerate(enumerator, &prf, &plugin_name)) { - fprintf(out, "%N ", pseudo_random_function_names, prf); + print_alg(out, &len, pseudo_random_function_names, prf, plugin_name); } enumerator->destroy(enumerator); - fprintf(out, "\n dh-group: "); + fprintf(out, "\n dh-group: "); + len = 13; enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &group)) + while (enumerator->enumerate(enumerator, &group, &plugin_name)) { - fprintf(out, "%N ", diffie_hellman_group_names, group); + print_alg(out, &len, diffie_hellman_group_names, group, plugin_name); + } + enumerator->destroy(enumerator); + fprintf(out, "\n random-gen:"); + len = 13; + enumerator = lib->crypto->create_rng_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &quality, &plugin_name)) + { + print_alg(out, &len, rng_quality_names, quality, plugin_name); } enumerator->destroy(enumerator); fprintf(out, "\n"); } -/** - * Implementation of stroke_list_t.list. - */ -static void list(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_list_t, list, void, + private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) { linked_list_t *cert_list = NULL; @@ -1224,10 +1260,8 @@ static void pool_leases(private_stroke_list_t *this, FILE *out, char *pool, } } -/** - * Implementation of stroke_list_t.leases - */ -static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) +METHOD(stroke_list_t, leases, void, + private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) { enumerator_t *enumerator; u_int size, offline, online; 
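Review bot: The literal `13` that list_algs assigns to `len` before each of its seven enumerations, and that print_alg stores into `*len` after wrapping, is the width of the `"\n encryption:"` style label column, yet nothing ties the two functions or the label strings together, so a widened label would silently misalign the continuation lines. I would define `#define ALG_LINE_INDENT 13` next to print_alg and use it in both places, with a one-line comment that it must match the padded label width. This is a style point only; the printed output is unchanged. The list_algs hunk starts in the previous diff line, with the variable declarations.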
@@ -1264,10 +1298,8 @@ static void leases(private_stroke_list_t *this, stroke_msg_t *msg, FILE *out) DESTROY_IF(address); } -/** - * Implementation of stroke_list_t.destroy - */ -static void destroy(private_stroke_list_t *this) +METHOD(stroke_list_t, destroy, void, + private_stroke_list_t *this) { free(this); } @@ -1277,15 +1309,19 @@ static void destroy(private_stroke_list_t *this) */ stroke_list_t *stroke_list_create(stroke_attribute_t *attribute) { - private_stroke_list_t *this = malloc_thing(private_stroke_list_t); - - this->public.list = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))list; - this->public.status = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out,bool))status; - this->public.leases = (void(*)(stroke_list_t*, stroke_msg_t *msg, FILE *out))leases; - this->public.destroy = (void(*)(stroke_list_t*))destroy; - - this->uptime = time_monotonic(NULL); - this->attribute = attribute; + private_stroke_list_t *this; + + INIT(this, + .public = { + + .list = _list, + .status = _status, + .leases = _leases, + .destroy = _destroy, + }, + .uptime = time_monotonic(NULL), + .attribute = attribute, + ); return &this->public; } diff --git a/src/libcharon/plugins/stroke/stroke_plugin.c b/src/libcharon/plugins/stroke/stroke_plugin.c index 4361e5050..2e83d0d28 100644 --- a/src/libcharon/plugins/stroke/stroke_plugin.c +++ b/src/libcharon/plugins/stroke/stroke_plugin.c @@ -36,10 +36,8 @@ struct private_stroke_plugin_t { stroke_socket_t *socket; }; -/** - * Implementation of stroke_plugin_t.destroy - */ -static void destroy(private_stroke_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_stroke_plugin_t *this) { this->socket->destroy(this->socket); free(this); 
@@ -50,11 +48,17 @@ static void destroy(private_stroke_plugin_t *this) */ plugin_t *stroke_plugin_create() { - private_stroke_plugin_t *this = malloc_thing(private_stroke_plugin_t); + private_stroke_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .socket = stroke_socket_create(), + ); - this->socket = stroke_socket_create(); if (this->socket == NULL) { free(this); diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.c b/src/libcharon/plugins/stroke/stroke_shared_key.c deleted file mode 100644 index 4f716e83a..000000000 --- a/src/libcharon/plugins/stroke/stroke_shared_key.c +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "stroke_shared_key.h" - -#include - -typedef struct private_stroke_shared_key_t private_stroke_shared_key_t; - -/** - * private data of shared_key - */ -struct private_stroke_shared_key_t { - - /** - * implements shared_key_t - */ - stroke_shared_key_t public; - - /** - * type of this key - */ - shared_key_type_t type; - - /** - * data of the key - */ - chunk_t key; - - /** - * list of key owners, as identification_t - */ - linked_list_t *owners; - - /** - * reference counter - */ - refcount_t ref; -}; - -/** - * Implementation of shared_key_t.get_type. - */ -static shared_key_type_t get_type(private_stroke_shared_key_t *this) -{ - return this->type; -} - -/** - * Implementation of shared_key_t.get_ref. - */ -static private_stroke_shared_key_t* get_ref(private_stroke_shared_key_t *this) -{ - ref_get(&this->ref); - return this; -} - -/** - * Implementation of shared_key_t.get_key. - */ -static chunk_t get_key(private_stroke_shared_key_t *this) -{ - return this->key; -} - -/** - * Implementation of stroke_shared_key_t.has_owner. 
- */ -static id_match_t has_owner(private_stroke_shared_key_t *this, identification_t *owner) -{ - enumerator_t *enumerator; - id_match_t match, best = ID_MATCH_NONE; - identification_t *current; - - enumerator = this->owners->create_enumerator(this->owners); - while (enumerator->enumerate(enumerator, ¤t)) - { - match = owner->matches(owner, current); - if (match > best) - { - best = match; - } - } - enumerator->destroy(enumerator); - return best; -} -/** - * Implementation of stroke_shared_key_t.add_owner. - */ -static void add_owner(private_stroke_shared_key_t *this, identification_t *owner) -{ - this->owners->insert_last(this->owners, owner); -} - -/** - * Implementation of stroke_shared_key_t.destroy - */ -static void destroy(private_stroke_shared_key_t *this) -{ - if (ref_put(&this->ref)) - { - this->owners->destroy_offset(this->owners, offsetof(identification_t, destroy)); - chunk_free(&this->key); - free(this); - } -} - -/** - * create a shared key - */ -stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key) -{ - private_stroke_shared_key_t *this = malloc_thing(private_stroke_shared_key_t); - - this->public.shared.get_type = (shared_key_type_t(*)(shared_key_t*))get_type; - this->public.shared.get_key = (chunk_t(*)(shared_key_t*))get_key; - this->public.shared.get_ref = (shared_key_t*(*)(shared_key_t*))get_ref; - this->public.shared.destroy = (void(*)(shared_key_t*))destroy; - this->public.add_owner = (void(*)(stroke_shared_key_t*, identification_t *owner))add_owner; - this->public.has_owner = (id_match_t(*)(stroke_shared_key_t*, identification_t *owner))has_owner; - - this->owners = linked_list_create(); - this->type = type; - this->key = key; - this->ref = 1; - - return &this->public; -} diff --git a/src/libcharon/plugins/stroke/stroke_shared_key.h b/src/libcharon/plugins/stroke/stroke_shared_key.h deleted file mode 100644 index 05ad55083..000000000 --- a/src/libcharon/plugins/stroke/stroke_shared_key.h +++ /dev/null 
@@ -1,60 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup stroke_shared_key stroke_shared_key - * @{ @ingroup stroke - */ - -#ifndef STROKE_SHARED_KEY_H_ -#define STROKE_SHARED_KEY_H_ - -#include -#include - -typedef struct stroke_shared_key_t stroke_shared_key_t; - -/** - * Shared key implementation for keys read from ipsec.secrets - */ -struct stroke_shared_key_t { - - /** - * Implements the shared_key_t interface. - */ - shared_key_t shared; - - /** - * Add an owner to the key. - * - * @param owner owner to add - */ - void (*add_owner)(stroke_shared_key_t *this, identification_t *owner); - - /** - * Check if a key has a specific owner. - * - * @param owner owner to check - * @return best match found - */ - id_match_t (*has_owner)(stroke_shared_key_t *this, identification_t *owner); -}; - -/** - * Create a stroke_shared_key instance. - */ -stroke_shared_key_t *stroke_shared_key_create(shared_key_type_t type, chunk_t key); - -#endif /** STROKE_SHARED_KEY_H_ @}*/ diff --git a/src/libcharon/plugins/stroke/stroke_socket.c b/src/libcharon/plugins/stroke/stroke_socket.c index 0a5110fd3..18e77905d 100644 --- a/src/libcharon/plugins/stroke/stroke_socket.c +++ b/src/libcharon/plugins/stroke/stroke_socket.c 
@@ -151,6 +151,7 @@ static void pop_end(stroke_msg_t *msg, const char* label, stroke_end_t *end) pop_string(msg, &end->ca); pop_string(msg, &end->ca2); pop_string(msg, &end->groups); + pop_string(msg, &end->cert_policy); pop_string(msg, &end->updown); DBG2(DBG_CFG, " %s=%s", label, end->address); @@ -245,6 +246,17 @@ static void stroke_terminate_srcip(private_stroke_socket_t *this, this->control->terminate_srcip(this->control, msg, out); } +/** + * rekey a connection by name/id + */ +static void stroke_rekey(private_stroke_socket_t *this, stroke_msg_t *msg, FILE *out) +{ + pop_string(msg, &msg->terminate.name); + DBG1(DBG_CFG, "received stroke: rekey '%s'", msg->rekey.name); + + this->control->rekey(this->control, msg, out); +} + /** * route a policy (install SPD entries) */ @@ -348,6 +360,14 @@ static void stroke_purge(private_stroke_socket_t *this, { lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE); } + if (msg->purge.flags & PURGE_CRLS) + { + lib->credmgr->flush_cache(lib->credmgr, CERT_X509_CRL); + } + if (msg->purge.flags & PURGE_CERTS) + { + lib->credmgr->flush_cache(lib->credmgr, CERT_X509); + } if (msg->purge.flags & PURGE_IKE) { this->control->purge_ike(this->control, msg, out); @@ -510,6 +530,9 @@ static job_requeue_t process(stroke_job_context_t *ctx) case STR_TERMINATE_SRCIP: stroke_terminate_srcip(this, msg, out); break; + case STR_REKEY: + stroke_rekey(this, msg, out); + break; case STR_STATUS: stroke_status(this, msg, out, FALSE); break; diff --git a/src/libcharon/plugins/tnc_imc/Makefile.am b/src/libcharon/plugins/tnc_imc/Makefile.am index ca8869460..2c551813e 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.am +++ b/src/libcharon/plugins/tnc_imc/Makefile.am 
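Review bot: The new stroke_rekey relocates the name through the wrong member: `pop_string(msg, &msg->terminate.name);` fixes up `terminate.name`, while the next two lines read `msg->rekey.name`. If `terminate` and `rekey` happen to share an offset inside the stroke_msg_t union this works by coincidence; if they do not, `rekey.name` is still the raw offset received over the stroke socket and is handed unvalidated to DBG1 and to `this->control->rekey()`. It should read `pop_string(msg, &msg->rekey.name);`. The stroke_msg_t layout is not visible in this hunk, so the aliasing question needs checking in stroke_msg.h.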
@@ -1,11 +1,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imc_la_LIBADD = -ltnc - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-imc.la else @@ -13,7 +11,8 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imc.la endif libstrongswan_tnc_imc_la_SOURCES = \ - tnc_imc_plugin.h tnc_imc_plugin.c + tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \ + tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnc_imc/Makefile.in b/src/libcharon/plugins/tnc_imc/Makefile.in index 9a8794e93..dc44408ff 100644 --- a/src/libcharon/plugins/tnc_imc/Makefile.in +++ b/src/libcharon/plugins/tnc_imc/Makefile.in @@ -74,8 +74,9 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnc_imc_la_DEPENDENCIES = -am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo +libstrongswan_tnc_imc_la_LIBADD = +am_libstrongswan_tnc_imc_la_OBJECTS = tnc_imc_plugin.lo tnc_imc.lo \ + tnc_imc_manager.lo tnc_imc_bind_function.lo libstrongswan_tnc_imc_la_OBJECTS = \ $(am_libstrongswan_tnc_imc_la_OBJECTS) libstrongswan_tnc_imc_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -221,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -273,14 +274,14 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imc_la_LIBADD = -ltnc @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imc.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imc.la libstrongswan_tnc_imc_la_SOURCES = \ - tnc_imc_plugin.h tnc_imc_plugin.c + tnc_imc_plugin.h tnc_imc_plugin.c tnc_imc.h tnc_imc.c \ + tnc_imc_manager.h tnc_imc_manager.c tnc_imc_bind_function.c libstrongswan_tnc_imc_la_LDFLAGS = -module -avoid-version all: all-am @@ -366,6 +367,9 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_bind_function.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imc_plugin.Plo@am__quote@ .c.o: diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.c b/src/libcharon/plugins/tnc_imc/tnc_imc.c new file mode 100644 index 000000000..174084436 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc.c 
@@ -0,0 +1,207 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc.h" + +#include + +#include +#include + +typedef struct private_tnc_imc_t private_tnc_imc_t; + +/** + * Private data of an imv_t object. + */ +struct private_tnc_imc_t { + + /** + * Public members of imc_t. + */ + imc_t public; + + /** + * Path of loaded IMC + */ + char *path; + + /** + * Name of loaded IMC + */ + char *name; + + /** + * Handle of loaded IMC + */ + void *handle; + + /** + * ID of loaded IMC + */ + TNC_IMCID id; + + /** + * List of message types supported by IMC + */ + TNC_MessageTypeList supported_types; + + /** + * Number of supported message types + */ + TNC_UInt32 type_count; +}; + +METHOD(imc_t, set_id, void, + private_tnc_imc_t *this, TNC_IMCID id) +{ + this->id = id; +} + +METHOD(imc_t, get_id, TNC_IMCID, + private_tnc_imc_t *this) +{ + return this->id; +} + +METHOD(imc_t, get_name, char*, + private_tnc_imc_t *this) +{ + return this->name; +} + +METHOD(imc_t, set_message_types, void, + private_tnc_imc_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + /* Free an existing MessageType list */ + free(this->supported_types); + this->supported_types = NULL; + + /* Store the new MessageType list */ + this->type_count = type_count; + if (type_count && supported_types) + { + size_t size = type_count * sizeof(TNC_MessageType); + + this->supported_types = 
malloc(size); + memcpy(this->supported_types, supported_types, size); + } + DBG2(DBG_TNC, "IMC %u supports %u message types", this->id, type_count); +} + +METHOD(imc_t, type_supported, bool, + private_tnc_imc_t *this, TNC_MessageType message_type) +{ + TNC_VendorID msg_vid, vid; + TNC_MessageSubtype msg_subtype, subtype; + int i; + + msg_vid = (message_type >> 8) & TNC_VENDORID_ANY; + msg_subtype = message_type & TNC_SUBTYPE_ANY; + + for (i = 0; i < this->type_count; i++) + { + vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY; + subtype = this->supported_types[i] & TNC_SUBTYPE_ANY; + + if (this->supported_types[i] == message_type + || (subtype == TNC_SUBTYPE_ANY + && (msg_vid == vid || vid == TNC_VENDORID_ANY)) + || (vid == TNC_VENDORID_ANY + && (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY))) + { + return TRUE; + } + } + return FALSE; +} + +METHOD(imc_t, destroy, void, + private_tnc_imc_t *this) +{ + dlclose(this->handle); + free(this->supported_types); + free(this->name); + free(this->path); + free(this); +} + +/** + * Described in header. 
+ */ +imc_t* tnc_imc_create(char *name, char *path) +{ + private_tnc_imc_t *this; + + INIT(this, + .public = { + .set_id = _set_id, + .get_id = _get_id, + .get_name = _get_name, + .set_message_types = _set_message_types, + .type_supported = _type_supported, + .destroy = _destroy, + }, + .name = name, + .path = path, + ); + + this->handle = dlopen(path, RTLD_LAZY); + if (!this->handle) + { + DBG1(DBG_TNC, "IMC \"%s\" failed to load: %s", name, dlerror()); + free(this); + return NULL; + } + + this->public.initialize = dlsym(this->handle, "TNC_IMC_Initialize"); + if (!this->public.initialize) + { + DBG1(DBG_TNC, "could not resolve TNC_IMC_Initialize in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.notify_connection_change = + dlsym(this->handle, "TNC_IMC_NotifyConnectionChange"); + this->public.begin_handshake = dlsym(this->handle, "TNC_IMC_BeginHandshake"); + if (!this->public.begin_handshake) + { + DBG1(DBG_TNC, "could not resolve TNC_IMC_BeginHandshake in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.receive_message = + dlsym(this->handle, "TNC_IMC_ReceiveMessage"); + this->public.batch_ending = + dlsym(this->handle, "TNC_IMC_BatchEnding"); + this->public.terminate = + dlsym(this->handle, "TNC_IMC_Terminate"); + this->public.provide_bind_function = + dlsym(this->handle, "TNC_IMC_ProvideBindFunction"); + if (!this->public.provide_bind_function) + { + DBG1(DBG_TNC, "could not resolve TNC_IMC_ProvideBindFunction in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc.h b/src/libcharon/plugins/tnc_imc/tnc_imc.h new file mode 100644 index 000000000..10a67f90b --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc.h 
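Review bot: `this->handle = dlopen(path, RTLD_LAZY);` in tnc_imc_create defers resolution of the IMC's own undefined function symbols to their first call, so an IMC built against a missing library loads and initialises cleanly and then takes the daemon down in the middle of a handshake; since the library is loaded once and every entry point is looked up immediately afterwards, `dlopen(path, RTLD_NOW)` costs nothing and reports the problem at load time. A second point: the constructor stores the caller's `name` and `path` and destroy() frees both, but the three failure paths free only `this`, so ownership of the two strings depends on whether creation succeeded, and unless the caller frees them on a NULL return they leak. Whichever rule is intended belongs in the comment above the function; the callers are not visible in this hunk.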
@@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * + * @defgroup tnc_imc_t tnc_imc + * @{ @ingroup tnc_imc + */ + +#ifndef TNC_IMC_H_ +#define TNC_IMC_H_ + +#include + +/** + * Create an Integrity Measurement Collector. + * + * @param name name of the IMC + * @param filename path to the dynamic IMC library + * @return instance of the imc_t interface + */ +imc_t* tnc_imc_create(char *name, char *filename); + +#endif /** TNC_IMC_H_ @}*/ diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c new file mode 100644 index 000000000..e18f1b006 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_bind_function.c 
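Review bot: The tnc_imc_create() doc block names the second parameter `filename` while the definition in tnc_imc.c calls it `path`, and it says nothing about ownership even though the implementation keeps both pointers and frees them in destroy(). I would rename the prototype parameter to `path`, change the parameter lines to `@param name name of the IMC (adopted, freed by destroy())` and `@param path path to the dynamic IMC library (adopted, freed by destroy())`, and extend the return line to `@return instance of the imc_t interface, NULL if loading or symbol lookup fails`. Whether the caller must free name and path when NULL is returned is settled by neither file in this diff; decide one rule and state it here.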
@@ -0,0 +1,83 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc.h" + +#include +#include + +#define TNC_IMVID_ANY 0xffff + +/** + * Called by the IMC to inform a TNCC about the set of message types the IMC + * is able to receive + */ +TNC_Result TNC_TNCC_ReportMessageTypes(TNC_IMCID imc_id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + return charon->imcs->set_message_types(charon->imcs, imc_id, + supported_types, type_count); +} + +/** + * Called by the IMC to ask a TNCC to retry an Integrity Check Handshake + */ +TNC_Result TNC_TNCC_RequestHandshakeRetry(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_RetryReason reason) +{ + return charon->tnccs->request_handshake_retry(charon->tnccs, TRUE, imc_id, + connection_id, reason); +} + +/** + * Called by the IMC when an IMC-IMV message is to be sent + */ +TNC_Result TNC_TNCC_SendMessage(TNC_IMCID imc_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + return charon->tnccs->send_message(charon->tnccs, imc_id, TNC_IMVID_ANY, + connection_id, msg, msg_len, msg_type); +} + +/** + * Called by the IMC when it needs a function pointer + */ +TNC_Result TNC_TNCC_BindFunction(TNC_IMCID id, + char *function_name, + void **function_pointer) +{ + if (streq(function_name, "TNC_TNCC_ReportMessageTypes")) + { + *function_pointer 
= (void*)TNC_TNCC_ReportMessageTypes; + } + else if (streq(function_name, "TNC_TNCC_RequestHandshakeRetry")) + { + *function_pointer = (void*)TNC_TNCC_RequestHandshakeRetry; + } + else if (streq(function_name, "TNC_TNCC_SendMessage")) + { + *function_pointer = (void*)TNC_TNCC_SendMessage; + } + else + { + return TNC_RESULT_INVALID_PARAMETER; + } + return TNC_RESULT_SUCCESS; +} diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c new file mode 100644 index 000000000..aa20534f5 --- /dev/null +++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.c 
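Review bot: TNC_TNCC_BindFunction dereferences `function_pointer` and hands `function_name` to streq() without checking either for NULL, and its `id` argument is never read, so any loaded IMC can bind the TNCC entry points under any IMC ID. The IMC is trusted code once it has been dlopen'ed, but the cheap guard `if (!function_name || !function_pointer) return TNC_RESULT_INVALID_PARAMETER;` at the top matches the answer the function already gives for an unknown name, and if the IMC manager exposes a lookup, an `id` that is not a registered IMC should get the same result. The local `#define TNC_IMVID_ANY 0xffff` presumably duplicates a constant from the IF-IMV headers; confirm before keeping a private copy.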
@@ -0,0 +1,238 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imc_manager.h" + +#include +#include + +#include +#include +#include + +typedef struct private_tnc_imc_manager_t private_tnc_imc_manager_t; + +/** + * Private data of an imc_manager_t object. + */ +struct private_tnc_imc_manager_t { + + /** + * Public members of imc_manager_t. + */ + imc_manager_t public; + + /** + * Linked list of IMCs + */ + linked_list_t *imcs; + + /** + * Next IMC ID to be assigned + */ + TNC_IMCID next_imc_id; +}; + +METHOD(imc_manager_t, add, bool, + private_tnc_imc_manager_t *this, imc_t *imc) +{ + TNC_Version version; + + /* Initialize the module */ + imc->set_id(imc, this->next_imc_id); + if (imc->initialize(imc->get_id(imc), TNC_IFIMC_VERSION_1, + TNC_IFIMC_VERSION_1, &version) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMC \"%s\" failed to initialize", imc->get_name(imc)); + return FALSE; + } + this->imcs->insert_last(this->imcs, imc); + this->next_imc_id++; + + if (imc->provide_bind_function(imc->get_id(imc), TNC_TNCC_BindFunction) + != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMC \"%s\" failed to obtain bind function", + imc->get_name(imc)); + this->imcs->remove_last(this->imcs, (void**)&imc); + return FALSE; + } + + return TRUE; +} + +METHOD(imc_manager_t, remove_, imc_t*, + private_tnc_imc_manager_t *this, TNC_IMCID id) +{ + enumerator_t *enumerator; + imc_t *imc; + 
+ enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (id == imc->get_id(imc)) + { + this->imcs->remove_at(this->imcs, enumerator); + return imc; + } + } + enumerator->destroy(enumerator); + return NULL; +} + +METHOD(imc_manager_t, get_preferred_language, char*, + private_tnc_imc_manager_t *this) +{ + return lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imc.preferred_language", "en"); +} + +METHOD(imc_manager_t, notify_connection_change, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID id, + TNC_ConnectionState state) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (imc->notify_connection_change) + { + imc->notify_connection_change(imc->get_id(imc), id, state); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, begin_handshake, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + imc->begin_handshake(imc->get_id(imc), id); + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, set_message_types, TNC_Result, + private_tnc_imc_manager_t *this, TNC_IMCID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + enumerator_t *enumerator; + imc_t *imc; + TNC_Result result = TNC_RESULT_FATAL; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (id == imc->get_id(imc)) + { + imc->set_message_types(imc, supported_types, type_count); + result = TNC_RESULT_SUCCESS; + break; + } + } + enumerator->destroy(enumerator); + return result; +} + +METHOD(imc_manager_t, receive_message, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 
message_len, + TNC_MessageType message_type) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (imc->receive_message && imc->type_supported(imc, message_type)) + { + imc->receive_message(imc->get_id(imc), connection_id, + message, message_len, message_type); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, batch_ending, void, + private_tnc_imc_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imc_t *imc; + + enumerator = this->imcs->create_enumerator(this->imcs); + while (enumerator->enumerate(enumerator, &imc)) + { + if (imc->batch_ending) + { + imc->batch_ending(imc->get_id(imc), id); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imc_manager_t, destroy, void, + private_tnc_imc_manager_t *this) +{ + imc_t *imc; + + while (this->imcs->remove_last(this->imcs, (void**)&imc) == SUCCESS) + { + if (imc->terminate && + imc->terminate(imc->get_id(imc)) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMC \"%s\" not terminated successfully", + imc->get_name(imc)); + } + imc->destroy(imc); + } + this->imcs->destroy(this->imcs); + free(this); +} + +/** + * Described in header. + */ +imc_manager_t* tnc_imc_manager_create(void) +{ + private_tnc_imc_manager_t *this; + + INIT(this, + .public = { + .add = _add, + .remove = _remove_, /* avoid name conflict with stdio.h */ + .get_preferred_language = _get_preferred_language, + .notify_connection_change = _notify_connection_change, + .begin_handshake = _begin_handshake, + .set_message_types = _set_message_types, + .receive_message = _receive_message, + .batch_ending = _batch_ending, + .destroy = _destroy, + }, + .imcs = linked_list_create(), + .next_imc_id = 1, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h new file mode 100644 index 000000000..ed490293b --- /dev/null 
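Review bot: In remove_, the `return imc;` inside the enumerate loop bypasses `enumerator->destroy(enumerator)`, so every successful removal leaks the enumerator; break out of the loop instead and fall through to the destroy call, e.g. declare `imc_t *found = NULL;`, replace the return with `found = imc; break;`, and end the function with `return found;` after the destroy. remove_ in tnc_imv_manager.c has the same leak. Separately, in add the IMC has already been initialized when provide_bind_function fails, yet neither add nor its caller in tnc_imc_plugin.c calls `imc->terminate` before the IMC is destroyed, whereas the destroy method terminates every IMC it unloads; the bind-failure path should do the same, and so should add in tnc_imv_manager.c. `next_imc_id` is also incremented before the bind check, so a failed IMC permanently consumes an ID — harmless, but worth a comment if intended.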
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_manager.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imc_manager tnc_imc_manager
+ * @{ @ingroup tnc_imc
+ */
+
+#ifndef TNC_IMC_MANAGER_H_
+#define TNC_IMC_MANAGER_H_
+
+#include
+
+/**
+ * Create an IMC manager instance.
+ */
+imc_manager_t *tnc_imc_manager_create();
+
+#endif /** TNC_IMC_MANAGER_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
index 0ce930ba3..89888040a 100644
--- a/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
+++ b/src/libcharon/plugins/tnc_imc/tnc_imc_plugin.c
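Review bot: `imc_manager_t *tnc_imc_manager_create();` declares the function without a prototype (an empty parameter list in a C declaration means "unspecified arguments"), while the definition in tnc_imc_manager.c is `tnc_imc_manager_create(void)`; the header should read `imc_manager_t *tnc_imc_manager_create(void);` so calls are checked against the real signature. The doc comment could also name the ownership, e.g. `@return imc_manager_t instance, released with destroy()`. tnc_imv_manager.h declares tnc_imv_manager_create the same way.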
@@ -14,15 +14,137 @@ */ #include "tnc_imc_plugin.h" +#include "tnc_imc_manager.h" +#include "tnc_imc.h" -#include +#include +#include +#include +#include +#include +#include #include +#include + +/** + * load IMCs from a configuration file + */ +static bool load_imcs(char *filename) +{ + int fd, line_nr = 0; + chunk_t src, line; + struct stat sb; + void *addr; + + DBG1(DBG_TNC, "loading IMCs from '%s'", filename); + fd = open(filename, O_RDONLY); + if (fd == -1) + { + DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename, + strerror(errno)); + return FALSE; + } + if (fstat(fd, &sb) == -1) + { + DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename, + strerror(errno)); + close(fd); + return FALSE; + } + addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0); + if (addr == MAP_FAILED) + { + DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno)); + close(fd); + return FALSE; + } + src = chunk_create(addr, sb.st_size); + + while (fetchline(&src, &line)) + { + char *name, *path; + chunk_t token; + imc_t *imc; + + line_nr++; + + /* skip comments or empty lines */ + if (*line.ptr == '#' || !eat_whitespace(&line)) + { + continue; + } + + /* determine keyword */ + if (!extract_token(&token, ' ', &line)) + { + DBG1(DBG_TNC, "line %d: keyword must be followed by a space", + line_nr); + return FALSE; + } + + /* only interested in IMCs */ + if (!match("IMC", &token)) + { + continue; + } + + /* advance to the IMC name and extract it */ + if (!extract_token(&token, '"', &line) || + !extract_token(&token, '"', &line)) + { + DBG1(DBG_TNC, "line %d: IMC name must be set in double quotes", + line_nr); + return FALSE; + } + + /* copy the IMC name */ + name = malloc(token.len + 1); + memcpy(name, token.ptr, token.len); + name[token.len] = '\0'; + + /* advance to the IMC path and extract it */ + if (!eat_whitespace(&line)) + { + DBG1(DBG_TNC, "line %d: IMC path is missing", line_nr); + free(name); + return FALSE; + } + if 
(!extract_token(&token, ' ', &line)) + { + token = line; + } + + /* copy the IMC path */ + path = malloc(token.len + 1); + memcpy(path, token.ptr, token.len); + path[token.len] = '\0'; + + /* load and register IMC instance */ + imc = tnc_imc_create(name, path); + if (!imc) + { + free(name); + free(path); + return FALSE; + } + if (!charon->imcs->add(charon->imcs, imc)) + { + imc->destroy(imc); + return FALSE; + } + DBG1(DBG_TNC, "IMC %u \"%s\" loaded from '%s'", imc->get_id(imc), + name, path); + } + munmap(addr, sb.st_size); + close(fd); + return TRUE; +} METHOD(plugin_t, destroy, void, tnc_imc_plugin_t *this) { - libtnc_tncc_Terminate(); + charon->imcs->destroy(charon->imcs); free(this); } @@ -31,7 +153,7 @@ METHOD(plugin_t, destroy, void, */ plugin_t *tnc_imc_plugin_create() { - char *tnc_config, *pref_lang; + char *tnc_config; tnc_imc_plugin_t *this; INIT(this, @@ -40,18 +162,19 @@ plugin_t *tnc_imc_plugin_create() }, ); - pref_lang = lib->settings->get_str(lib->settings, - "charon.plugins.tnc-imc.preferred_language", "en"); + /* Create IMC manager */ + charon->imcs = tnc_imc_manager_create(); + + /* Load IMCs and abort if not all instances initalize successfully */ tnc_config = lib->settings->get_str(lib->settings, "charon.plugins.tnc-imc.tnc_config", "/etc/tnc_config"); - - if (libtnc_tncc_Initialize(tnc_config) != TNC_RESULT_SUCCESS) + if (!load_imcs(tnc_config)) { + charon->imcs->destroy(charon->imcs); + charon->imcs = NULL; free(this); - DBG1(DBG_TNC, "TNC IMC initialization failed"); return NULL; } - return &this->plugin; } diff --git a/src/libcharon/plugins/tnc_imv/Makefile.am b/src/libcharon/plugins/tnc_imv/Makefile.am index 9c3b47364..3ba283bb7 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.am +++ b/src/libcharon/plugins/tnc_imv/Makefile.am 
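Review bot: Every error return inside the parsing loop of load_imcs (the keyword, quoted-name, missing-path, tnc_imc_create and add failures) returns FALSE without calling munmap() and close(), so the mapping and the descriptor opened at the top of the function are leaked whenever tnc_config is malformed or an IMC fails to load; only the success path releases them. A single cleanup label that every loop-internal failure jumps to fixes this, as shown below; the `return FALSE` statements after the open/fstat/mmap checks already clean up and can stay. The mapping is also requested with PROT_WRITE on a MAP_PRIVATE mapping; if fetchline/extract_token only read the buffer, PROT_READ is enough — TODO confirm. load_imvs in tnc_imv_plugin.c duplicates this function including the leak, and the two could share one parser parameterized by keyword. The plugin's destroy method leaves `charon->imcs` pointing at the freed manager; tnc_imc_plugin_create sets it to NULL on failure, and destroy should do the same.
```c
static bool load_imcs(char *filename)
{
	bool success = FALSE;
	/* … unchanged: locals, open(), fstat(), mmap() and their error paths … */

	while (fetchline(&src, &line))
	{
		/* … unchanged: line_nr, comment and empty-line skipping … */
		if (!extract_token(&token, ' ', &line))
		{
			DBG1(DBG_TNC, "line %d: keyword must be followed by a space",
				 line_nr);
			goto out;            /* was: return FALSE */
		}
		/* … unchanged: remaining parsing; each "return FALSE" in the loop,
		 * after its free(name)/free(path) or imc->destroy(imc), becomes
		 * "goto out" … */
	}
	success = TRUE;

out:
	munmap(addr, sb.st_size);
	close(fd);
	return success;
}
```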
@@ -1,11 +1,9 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imv_la_LIBADD = -ltnc - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnc-imv.la else @@ -13,7 +11,9 @@ plugin_LTLIBRARIES = libstrongswan-tnc-imv.la endif libstrongswan_tnc_imv_la_SOURCES = \ - tnc_imv_plugin.h tnc_imv_plugin.c + tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \ + tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \ + tnc_imv_recommendations.h tnc_imv_recommendations.c libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnc_imv/Makefile.in b/src/libcharon/plugins/tnc_imv/Makefile.in index f89b5e03b..0324d2eb9 100644 --- a/src/libcharon/plugins/tnc_imv/Makefile.in +++ b/src/libcharon/plugins/tnc_imv/Makefile.in @@ -74,8 +74,10 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnc_imv_la_DEPENDENCIES = -am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo +libstrongswan_tnc_imv_la_LIBADD = +am_libstrongswan_tnc_imv_la_OBJECTS = tnc_imv_plugin.lo tnc_imv.lo \ + tnc_imv_manager.lo tnc_imv_bind_function.lo \ + tnc_imv_recommendations.lo libstrongswan_tnc_imv_la_OBJECTS = \ $(am_libstrongswan_tnc_imv_la_OBJECTS) libstrongswan_tnc_imv_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -221,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -262,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -273,14 +275,15 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon AM_CFLAGS = -rdynamic -libstrongswan_tnc_imv_la_LIBADD = -ltnc @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnc-imv.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnc-imv.la libstrongswan_tnc_imv_la_SOURCES = \ - tnc_imv_plugin.h tnc_imv_plugin.c + tnc_imv_plugin.h tnc_imv_plugin.c tnc_imv.h tnc_imv.c \ + tnc_imv_manager.h tnc_imv_manager.c tnc_imv_bind_function.c \ + tnc_imv_recommendations.h tnc_imv_recommendations.c libstrongswan_tnc_imv_la_LDFLAGS = -module -avoid-version all: all-am @@ -366,7 +369,11 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_bind_function.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_manager.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnc_imv_recommendations.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.c b/src/libcharon/plugins/tnc_imv/tnc_imv.c new file mode 100644 index 000000000..f88b645d6 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv.c 
@@ -0,0 +1,208 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv.h" + +#include + +#include +#include + +typedef struct private_tnc_imv_t private_tnc_imv_t; + +/** + * Private data of an imv_t object. + */ +struct private_tnc_imv_t { + + /** + * Public members of imv_t. + */ + imv_t public; + + /** + * Path of loaded IMV + */ + char *path; + + /** + * Name of loaded IMV + */ + char *name; + + /** + * Handle of loaded IMV + */ + void *handle; + + /** + * ID of loaded IMV + */ + TNC_IMVID id; + + /** + * List of message types supported by IMC + */ + TNC_MessageTypeList supported_types; + + /** + * Number of supported message types + */ + TNC_UInt32 type_count; +}; + +METHOD(imv_t, set_id, void, + private_tnc_imv_t *this, TNC_IMVID id) +{ + this->id = id; +} + +METHOD(imv_t, get_id, TNC_IMVID, + private_tnc_imv_t *this) +{ + return this->id; +} + +METHOD(imv_t, get_name, char*, + private_tnc_imv_t *this) +{ + return this->name; +} + +METHOD(imv_t, set_message_types, void, + private_tnc_imv_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + /* Free an existing MessageType list */ + free(this->supported_types); + this->supported_types = NULL; + + /* Store the new MessageType list */ + this->type_count = type_count; + if (type_count && supported_types) + { + size_t size = type_count * sizeof(TNC_MessageType); + + this->supported_types = 
malloc(size); + memcpy(this->supported_types, supported_types, size); + } + DBG2(DBG_TNC, "IMV %u supports %u message types", this->id, type_count); +} + +METHOD(imv_t, type_supported, bool, + private_tnc_imv_t *this, TNC_MessageType message_type) +{ + TNC_VendorID msg_vid, vid; + TNC_MessageSubtype msg_subtype, subtype; + int i; + + msg_vid = (message_type >> 8) & TNC_VENDORID_ANY; + msg_subtype = message_type & TNC_SUBTYPE_ANY; + + for (i = 0; i < this->type_count; i++) + { + vid = (this->supported_types[i] >> 8) & TNC_VENDORID_ANY; + subtype = this->supported_types[i] & TNC_SUBTYPE_ANY; + + if (this->supported_types[i] == message_type + || (subtype == TNC_SUBTYPE_ANY + && (msg_vid == vid || vid == TNC_VENDORID_ANY)) + || (vid == TNC_VENDORID_ANY + && (msg_subtype == subtype || subtype == TNC_SUBTYPE_ANY))) + { + return TRUE; + } + } + return FALSE; +} + +METHOD(imv_t, destroy, void, + private_tnc_imv_t *this) +{ + dlclose(this->handle); + free(this->supported_types); + free(this->name); + free(this->path); + free(this); +} + +/** + * Described in header. 
+ */ +imv_t* tnc_imv_create(char *name, char *path) +{ + private_tnc_imv_t *this; + + INIT(this, + .public = { + .set_id = _set_id, + .get_id = _get_id, + .get_name = _get_name, + .set_message_types = _set_message_types, + .type_supported = _type_supported, + .destroy = _destroy, + }, + .name = name, + .path = path, + ); + + this->handle = dlopen(path, RTLD_LAZY); + if (!this->handle) + { + DBG1(DBG_TNC, "IMV \"%s\" failed to load: %s", name, dlerror()); + free(this); + return NULL; + } + + this->public.initialize = dlsym(this->handle, "TNC_IMV_Initialize"); + if (!this->public.initialize) + { + DBG1(DBG_TNC, "could not resolve TNC_IMV_Initialize in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.notify_connection_change = + dlsym(this->handle, "TNC_IMV_NotifyConnectionChange"); + this->public.solicit_recommendation = + dlsym(this->handle, "TNC_IMV_SolicitRecommendation"); + if (!this->public.solicit_recommendation) + { + DBG1(DBG_TNC, "could not resolve TNC_IMV_SolicitRecommendation in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + this->public.receive_message = + dlsym(this->handle, "TNC_IMV_ReceiveMessage"); + this->public.batch_ending = + dlsym(this->handle, "TNC_IMV_BatchEnding"); + this->public.terminate = + dlsym(this->handle, "TNC_IMV_Terminate"); + this->public.provide_bind_function = + dlsym(this->handle, "TNC_IMV_ProvideBindFunction"); + if (!this->public.provide_bind_function) + { + DBG1(DBG_TNC, "could not resolve TNC_IMV_ProvideBindFunction in %s: %s\n", + path, dlerror()); + dlclose(this->handle); + free(this); + return NULL; + } + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv.h b/src/libcharon/plugins/tnc_imv/tnc_imv.h new file mode 100644 index 000000000..75939e54c --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv.h 
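Review bot: tnc_imv_create hands the configured `path` to dlopen() unchanged; if that string contains no slash, dlopen() resolves it through the dynamic loader's library search path rather than the location the administrator wrote into tnc_config, so the object actually loaded can differ from the intended one. Rejecting non-absolute paths before the dlopen() call, e.g. `if (path[0] != '/') { DBG1(DBG_TNC, "IMV \"%s\" path must be absolute", name); free(this); return NULL; }`, keeps the choice of code to load with the configuration file. In type_supported the loop index is `int i` while `this->type_count` is TNC_UInt32, a signed/unsigned comparison; `TNC_UInt32 i` matches the field. The three "could not resolve ..." DBG1 messages end in `\n` unlike every other log message in the file, which likely yields blank lines in the log — TODO confirm that DBG1 appends its own newline.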
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_t tnc_imv
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_H_
+#define TNC_IMV_H_
+
+#include
+
+/**
+ * Create an Integrity Measurement Verifier.
+ *
+ * @param name name of the IMV
+ * @param filename path to the dynamic IMV library
+ * @return instance of the imv_t interface
+ */
+imv_t* tnc_imv_create(char *name, char *filename);
+
+#endif /** TNC_IMV_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
new file mode 100644
index 000000000..0ea52f08e
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_bind_function.c
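Review bot: The doc comment on tnc_imv_create does not say who owns `name` and `filename` afterwards: the definition in tnc_imv.c stores both pointers and its destroy() frees them, while on a NULL return it frees only its own struct, so the caller must then free the strings itself (as load_imvs does). Add after the @param lines something like `@note on success the returned imv_t takes ownership of name and filename and frees them in destroy(); on failure (NULL) the caller still owns both`. The parameter is also called `filename` here but `path` in the definition; using one name in both places avoids confusion.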
@@ -0,0 +1,137 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv.h" + +#include +#include + +#define TNC_IMCID_ANY 0xffff + +/** + * Called by the IMV to inform a TNCS about the set of message types the IMV + * is able to receive + */ +TNC_Result TNC_TNCS_ReportMessageTypes(TNC_IMVID imv_id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + return charon->imvs->set_message_types(charon->imvs, imv_id, + supported_types, type_count); +} + +/** + * Called by the IMV to ask a TNCS to retry an Integrity Check Handshake + */ +TNC_Result TNC_TNCS_RequestHandshakeRetry(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_RetryReason reason) +{ + return charon->tnccs->request_handshake_retry(charon->tnccs, FALSE, imv_id, + connection_id, reason); +} + +/** + * Called by the IMV when an IMV-IMC message is to be sent + */ +TNC_Result TNC_TNCS_SendMessage(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + return charon->tnccs->send_message(charon->tnccs, TNC_IMCID_ANY, imv_id, + connection_id, msg, msg_len, msg_type); +} + +/** + * Called by the IMV to deliver its IMV Action Recommendation and IMV Evaluation + * Result to the TNCS + */ +TNC_Result TNC_TNCS_ProvideRecommendation(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_IMV_Action_Recommendation 
recommendation, + TNC_IMV_Evaluation_Result evaluation) +{ + return charon->tnccs->provide_recommendation(charon->tnccs, imv_id, + connection_id, recommendation, evaluation); +} + +/** + * Called by the IMV to get the value of an attribute associated with a + * connection or with the TNCS as a whole. + */ +TNC_Result TNC_TNCS_GetAttribute(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer, + TNC_UInt32 *out_value_len) +{ + return charon->tnccs->get_attribute(charon->tnccs, imv_id, connection_id, + attribute_id, buffer_len, buffer, out_value_len); +} + +/** + * Called by the IMV to set the value of an attribute associated with a + * connection or with the TNCS as a whole. + */ +TNC_Result TNC_TNCS_SetAttribute(TNC_IMVID imv_id, + TNC_ConnectionID connection_id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer) +{ + return charon->tnccs->set_attribute(charon->tnccs, imv_id, connection_id, + attribute_id, buffer_len, buffer); +} + +/** + * Called by the IMV when it needs a function pointer + */ +TNC_Result TNC_TNCS_BindFunction(TNC_IMVID id, + char *function_name, + void **function_pointer) +{ + if (streq(function_name, "TNC_TNCS_ReportMessageTypes")) + { + *function_pointer = (void*)TNC_TNCS_ReportMessageTypes; + } + else if (streq(function_name, "TNC_TNCS_RequestHandshakeRetry")) + { + *function_pointer = (void*)TNC_TNCS_RequestHandshakeRetry; + } + else if (streq(function_name, "TNC_TNCS_SendMessage")) + { + *function_pointer = (void*)TNC_TNCS_SendMessage; + } + else if (streq(function_name, "TNC_TNCS_ProvideRecommendation")) + { + *function_pointer = (void*)TNC_TNCS_ProvideRecommendation; + } + else if (streq(function_name, "TNC_TNCS_GetAttribute")) + { + *function_pointer = (void*)TNC_TNCS_GetAttribute; + } + else if (streq(function_name, "TNC_TNCS_SetAttribute")) + { + *function_pointer = (void*)TNC_TNCS_SetAttribute; + } + else + { + 
return TNC_RESULT_INVALID_PARAMETER;
+ }
+ return TNC_RESULT_SUCCESS;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
new file mode 100644
index 000000000..559de86d0
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.c
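Review bot: `#define TNC_IMCID_ANY 0xffff` is a second private copy of the wildcard that tnc_imc.c defines as `TNC_IMVID_ANY 0xffff`, and neither file says what the value means; both are only ever passed to `charon->tnccs->send_message`, so they belong in one shared header with a comment such as `/* wildcard ID for send_message(): presumably "deliver to every IMC / IMV" — confirm against tnccs */` so the two sides cannot drift apart. While there, the six TNC_TNCS_* entry points pass the IMV-supplied `imv_id` straight through to the tnccs and imvs managers without a check that the ID belongs to a loaded IMV; if the managers validate it themselves, a comment on TNC_TNCS_ReportMessageTypes noting that would document the trust boundary.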
@@ -0,0 +1,295 @@ +/* + * Copyright (C) 2006 Mike McCauley + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnc_imv_manager.h" +#include "tnc_imv_recommendations.h" + +#include +#include + +#include +#include +#include + +typedef struct private_tnc_imv_manager_t private_tnc_imv_manager_t; + + +/** + * Private data of an imv_manager_t object. + */ +struct private_tnc_imv_manager_t { + + /** + * Public members of imv_manager_t. + */ + imv_manager_t public; + + /** + * Linked list of IMVs + */ + linked_list_t *imvs; + + /** + * Next IMV ID to be assigned + */ + TNC_IMVID next_imv_id; + + /** + * Policy defining how to derive final recommendation from individual ones + */ + recommendation_policy_t policy; +}; + +METHOD(imv_manager_t, add, bool, + private_tnc_imv_manager_t *this, imv_t *imv) +{ + TNC_Version version; + + /* Initialize the IMV module */ + imv->set_id(imv, this->next_imv_id); + if (imv->initialize(imv->get_id(imv), TNC_IFIMV_VERSION_1, + TNC_IFIMV_VERSION_1, &version) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMV \"%s\" failed to initialize", imv->get_name(imv)); + return FALSE; + } + this->imvs->insert_last(this->imvs, imv); + this->next_imv_id++; + + if (imv->provide_bind_function(imv->get_id(imv), TNC_TNCS_BindFunction) + != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMV \"%s\" could failed to obtain bind function", + imv->get_name(imv)); + this->imvs->remove_last(this->imvs, (void**)&imv); + 
return FALSE; + } + + return TRUE; +} + +METHOD(imv_manager_t, remove_, imv_t*, + private_tnc_imv_manager_t *this, TNC_IMVID id) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (id == imv->get_id(imv)) + { + this->imvs->remove_at(this->imvs, enumerator); + return imv; + } + } + enumerator->destroy(enumerator); + return NULL; +} + +METHOD(imv_manager_t, get_recommendation_policy, recommendation_policy_t, + private_tnc_imv_manager_t *this) +{ + return this->policy; +} + +METHOD(imv_manager_t, create_recommendations, recommendations_t*, + private_tnc_imv_manager_t *this) +{ + return tnc_imv_recommendations_create(this->imvs); +} + +METHOD(imv_manager_t, enforce_recommendation, bool, + private_tnc_imv_manager_t *this, TNC_IMV_Action_Recommendation rec) +{ + char *group; + identification_t *id; + ike_sa_t *ike_sa; + auth_cfg_t *auth; + + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + DBG1(DBG_TNC, "TNC recommendation is allow"); + group = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + DBG1(DBG_TNC, "TNC recommendation is isolate"); + group = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + DBG1(DBG_TNC, "TNC recommendation is none"); + return FALSE; + } + ike_sa = charon->bus->get_sa(charon->bus); + if (ike_sa) + { + auth = ike_sa->get_auth_cfg(ike_sa, FALSE); + id = identification_create_from_string(group); + auth->add(auth, AUTH_RULE_GROUP, id); + DBG1(DBG_TNC, "TNC added group membership '%s'", group); + } + return TRUE; +} + + +METHOD(imv_manager_t, notify_connection_change, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID id, + TNC_ConnectionState state) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if 
(imv->notify_connection_change) + { + imv->notify_connection_change(imv->get_id(imv), id, state); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, set_message_types, TNC_Result, + private_tnc_imv_manager_t *this, TNC_IMVID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count) +{ + enumerator_t *enumerator; + imv_t *imv; + TNC_Result result = TNC_RESULT_FATAL; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (id == imv->get_id(imv)) + { + imv->set_message_types(imv, supported_types, type_count); + result = TNC_RESULT_SUCCESS; + break; + } + } + enumerator->destroy(enumerator); + return result; +} + +METHOD(imv_manager_t, solicit_recommendation, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + imv->solicit_recommendation(imv->get_id(imv), id); + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, receive_message, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (imv->receive_message && imv->type_supported(imv, message_type)) + { + imv->receive_message(imv->get_id(imv), connection_id, + message, message_len, message_type); + } + } + enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, batch_ending, void, + private_tnc_imv_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + imv_t *imv; + + enumerator = this->imvs->create_enumerator(this->imvs); + while (enumerator->enumerate(enumerator, &imv)) + { + if (imv->batch_ending) + { + imv->batch_ending(imv->get_id(imv), id); + } + } + 
enumerator->destroy(enumerator); +} + +METHOD(imv_manager_t, destroy, void, + private_tnc_imv_manager_t *this) +{ + imv_t *imv; + + while (this->imvs->remove_last(this->imvs, (void**)&imv) == SUCCESS) + { + if (imv->terminate && + imv->terminate(imv->get_id(imv)) != TNC_RESULT_SUCCESS) + { + DBG1(DBG_TNC, "IMV \"%s\" not terminated successfully", + imv->get_name(imv)); + } + imv->destroy(imv); + } + this->imvs->destroy(this->imvs); + free(this); +} + +/** + * Described in header. + */ +imv_manager_t* tnc_imv_manager_create(void) +{ + private_tnc_imv_manager_t *this; + recommendation_policy_t policy; + + INIT(this, + .public = { + .add = _add, + .remove = _remove_, /* avoid name conflict with stdio.h */ + .get_recommendation_policy = _get_recommendation_policy, + .create_recommendations = _create_recommendations, + .enforce_recommendation = _enforce_recommendation, + .notify_connection_change = _notify_connection_change, + .set_message_types = _set_message_types, + .solicit_recommendation = _solicit_recommendation, + .receive_message = _receive_message, + .batch_ending = _batch_ending, + .destroy = _destroy, + }, + .imvs = linked_list_create(), + .next_imv_id = 1, + ); + policy = enum_from_name(recommendation_policy_names, + lib->settings->get_str(lib->settings, + "charon.plugins.tnc-imv.recommendation_policy", "default")); + this->policy = (policy != -1) ? policy : RECOMMENDATION_POLICY_DEFAULT; + DBG1(DBG_TNC, "TNC recommendation policy is '%N'", + recommendation_policy_names, this->policy); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h new file mode 100644 index 000000000..2fe9e7ae3 --- /dev/null +++ b/src/libcharon/plugins/tnc_imv/tnc_imv_manager.h 
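Review bot: enforce_recommendation returns TRUE when `charon->bus->get_sa()` yields no IKE_SA, so an allow or isolate recommendation is reported as enforced although no group membership was added; if callers gate access on the return value, that branch should `return FALSE;` (or at least log at DBG1 that nothing was applied) — the intended meaning of the bool is not documented, so TODO confirm. The add method's log message reads `"IMV \"%s\" could failed to obtain bind function"`; it should be `"IMV \"%s\" failed to obtain bind function"` to match the IMC manager. In tnc_imv_manager_create the int result of enum_from_name() is stored into the `recommendation_policy_t` variable before being tested against -1; keeping it in an `int policy;` temporary and assigning only the validated value to `this->policy` makes the sentinel check independent of the enum's underlying type.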
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_MANAGER_H_
+#define TNC_IMV_MANAGER_H_
+
+#include 
+
+/**
+ * Create an IMV manager instance.
+ */
+imv_manager_t *tnc_imv_manager_create();
+
+#endif /** TNC_IMV_MANAGER_H_ @}*/
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
index 5b3d3892d..f238f01ea 100644
--- a/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_plugin.c
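Review bot: The declaration `imv_manager_t *tnc_imv_manager_create();` leaves the parameter list unspecified, so a caller passing arguments would not be diagnosed; the definition in tnc_imv_manager.c from this same commit is `tnc_imv_manager_create(void)`, and the header should match it: `imv_manager_t *tnc_imv_manager_create(void);`. The doc comment would also benefit from stating the ownership contract, e.g. `@return IMV manager instance, released by the caller via destroy()`.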
@@ -14,15 +14,137 @@
  */
 #include "tnc_imv_plugin.h"
+#include "tnc_imv_manager.h"
+#include "tnc_imv.h"
-#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
 #include 
+#include 
+
+/**
+ * load IMVs from a configuration file
+ */
+static bool load_imvs(char *filename)
+{
+ int fd, line_nr = 0;
+ chunk_t src, line;
+ struct stat sb;
+ void *addr;
+
+ DBG1(DBG_TNC, "loading IMVs from '%s'", filename);
+ fd = open(filename, O_RDONLY);
+ if (fd == -1)
+ {
+ DBG1(DBG_TNC, "opening configuration file '%s' failed: %s", filename,
+ strerror(errno));
+ return FALSE;
+ }
+ if (fstat(fd, &sb) == -1)
+ {
+ DBG1(DBG_LIB, "getting file size of '%s' failed: %s", filename,
+ strerror(errno));
+ close(fd);
+ return FALSE;
+ }
+ addr = mmap(NULL, sb.st_size, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
+ if (addr == MAP_FAILED)
+ {
+ DBG1(DBG_LIB, "mapping '%s' failed: %s", filename, strerror(errno));
+ close(fd);
+ return FALSE;
+ }
+ src = chunk_create(addr, sb.st_size);
+
+ while (fetchline(&src, &line))
+ {
+ char *name, *path;
+ chunk_t token;
+ imv_t *imv;
+
+ line_nr++;
+
+ /* skip comments or empty lines */
+ if (*line.ptr == '#' || !eat_whitespace(&line))
+ {
+ continue;
+ }
+
+ /* determine keyword */
+ if (!extract_token(&token, ' ', &line))
+ {
+ DBG1(DBG_TNC, "line %d: keyword must be followed by a space",
+ line_nr);
+ return FALSE;
+ }
+
+ /* only interested in IMVs */
+ if (!match("IMV", &token))
+ {
+ continue;
+ }
+
+ /* advance to the IMV name and extract it */
+ if (!extract_token(&token, '"', &line) ||
+ !extract_token(&token, '"', &line))
+ {
+ DBG1(DBG_TNC, "line %d: IMV name must be set in double quotes",
+ line_nr);
+ return FALSE;
+ }
+
+ /* copy the IMV name */
+ name = malloc(token.len + 1);
+ memcpy(name, token.ptr, token.len);
+ name[token.len] = '\0';
+
+ /* advance to the IMV path and extract it */
+ if (!eat_whitespace(&line))
+ {
+ DBG1(DBG_TNC, "line %d: IMV path is missing", line_nr);
+ free(name);
+ return FALSE;
+ }
+ if (!extract_token(&token, ' ', &line))
+ {
+ token = line;
+ }
+
+ /* copy the IMV path */
+ path = malloc(token.len + 1);
+ memcpy(path, token.ptr, token.len);
+ path[token.len] = '\0';
+
+ /* load and register IMV instance */
+ imv = tnc_imv_create(name, path);
+ if (!imv)
+ {
+ free(name);
+ free(path);
+ return FALSE;
+ }
+ if (!charon->imvs->add(charon->imvs, imv))
+ {
+ imv->destroy(imv);
+ return FALSE;
+ }
+ DBG1(DBG_TNC, "IMV %u \"%s\" loaded from '%s'", imv->get_id(imv),
+ name, path);
+ }
+ munmap(addr, sb.st_size);
+ close(fd);
+ return TRUE;
+}
 METHOD(plugin_t, destroy, void,
 tnc_imv_plugin_t *this)
 {
- libtnc_tncs_Terminate();
+ charon->imvs->destroy(charon->imvs);
 free(this);
 }
@@ -42,13 +164,18 @@ plugin_t *tnc_imv_plugin_create()
 tnc_config = lib->settings->get_str(lib->settings,
 "charon.plugins.tnc-imv.tnc_config", "/etc/tnc_config");
- if (libtnc_tncs_Initialize(tnc_config) != TNC_RESULT_SUCCESS)
+
+ /* Create IMV manager */
+ charon->imvs = tnc_imv_manager_create();
+
+ /* Load IMVs and abort if not all instances initalize successfully */
+ if (!load_imvs(tnc_config))
 {
+ charon->imvs->destroy(charon->imvs);
+ charon->imvs = NULL;
 free(this);
- DBG1(DBG_TNC, "TNC IMV initialization failed");
 return NULL;
 }
-
 return &this->plugin;
 }
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
new file mode 100644
index 000000000..5cc6b0ced
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.c
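Review bot: load_imvs() returns FALSE from inside the parse loop (the keyword, IMV-name, IMV-path, tnc_imv_create() and add() failure branches) without calling munmap() and close(), so every rejected line of the configuration file leaks the descriptor and the mapping that only the success path releases at the bottom. Routing all loop-internal failures through one cleanup exit keeps the release in a single place, as sketched below. The mapping is also requested with PROT_READ | PROT_WRITE although the file is only parsed; PROT_READ would be the least-privilege choice unless fetchline()/extract_token() write into the buffer, which this hunk does not show.
```c
static bool load_imvs(char *filename)
{
	int fd, line_nr = 0;
	chunk_t src, line;
	struct stat sb;
	void *addr;
	bool success = FALSE;

	/* … unchanged: open(), fstat() and mmap() with their early returns … */

	while (fetchline(&src, &line))
	{
		/* … unchanged: keyword/name/path parsing and IMV creation, except
		 * that every `return FALSE;` inside the loop becomes `goto cleanup;` … */
	}
	success = TRUE;

cleanup:
	munmap(addr, sb.st_size);
	close(fd);
	return success;
}
```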
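Review bot: The failure path added in tnc_imv_plugin_create() clears `charon->imvs` after destroying it, but the plugin's destroy method in the previous hunk calls `charon->imvs->destroy(charon->imvs)` and leaves the global pointer dangling; adding `charon->imvs = NULL;` there keeps both teardown paths consistent. The new comment also misspells "initialize": `/* Load IMVs and abort if not all instances initialize successfully */`.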
@@ -0,0 +1,415 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+typedef struct private_tnc_imv_recommendations_t private_tnc_imv_recommendations_t;
+typedef struct recommendation_entry_t recommendation_entry_t;
+
+/**
+ * Recommendation entry
+ */
+struct recommendation_entry_t {
+
+ /**
+ * IMV ID
+ */
+ TNC_IMVID id;
+
+ /**
+ * Received a recommendation message from this IMV?
+ */
+ bool have_recommendation;
+
+ /**
+ * Action Recommendation provided by IMV instance
+ */
+ TNC_IMV_Action_Recommendation rec;
+
+ /**
+ * Evaluation Result provided by IMV instance
+ */
+ TNC_IMV_Evaluation_Result eval;
+
+ /**
+ * Reason string provided by IMV instance
+ */
+ chunk_t reason;
+
+ /**
+ * Reason language provided by IMV instance
+ */
+ chunk_t reason_language;
+};
+
+/**
+ * Private data of a recommendations_t object.
+ */
+struct private_tnc_imv_recommendations_t {
+
+ /**
+ * Public members of recommendations_t.
+ */
+ recommendations_t public;
+
+ /**
+ * list of recommendations and evaluations provided by IMVs
+ */
+ linked_list_t *recs;
+
+ /**
+ * Preferred language for remediation messages
+ */
+ chunk_t preferred_language;
+};
+
+METHOD(recommendations_t, provide_recommendation, TNC_Result,
+ private_tnc_imv_recommendations_t* this, TNC_IMVID id,
+ TNC_IMV_Action_Recommendation rec,
+ TNC_IMV_Evaluation_Result eval)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ bool found = FALSE;
+
+ DBG2(DBG_TNC, "IMV %u provides recommendation '%N' and evaluation '%N'", id,
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->id == id)
+ {
+ found = TRUE;
+ entry->have_recommendation = TRUE;
+ entry->rec = rec;
+ entry->eval = eval;
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found ? TNC_RESULT_SUCCESS : TNC_RESULT_FATAL;
+}
+
+METHOD(recommendations_t, have_recommendation, bool,
+ private_tnc_imv_recommendations_t *this, TNC_IMV_Action_Recommendation *rec,
+ TNC_IMV_Evaluation_Result *eval)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ recommendation_policy_t policy;
+ TNC_IMV_Action_Recommendation final_rec;
+ TNC_IMV_Evaluation_Result final_eval;
+ bool first = TRUE, incomplete = FALSE;
+
+ *rec = final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ *eval = final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+
+ if (this->recs->get_count(this->recs) == 0)
+ {
+ DBG1(DBG_TNC, "there are no IMVs to make a recommendation");
+ return TRUE;
+ }
+ policy = charon->imvs->get_recommendation_policy(charon->imvs);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (!entry->have_recommendation)
+ {
+ incomplete = TRUE;
+ break;
+ }
+ if (first)
+ {
+ final_rec = entry->rec;
+ final_eval = entry->eval;
+ first = FALSE;
+ continue;
+ }
+ switch (policy)
+ {
+ case RECOMMENDATION_POLICY_DEFAULT:
+ switch (entry->rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ final_rec = entry->rec;
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS)
+ {
+ final_rec = entry->rec;
+ };
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+ {
+ final_rec = entry->rec;
+ };
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ break;
+ }
+ switch (entry->eval)
+ {
+ case TNC_IMV_EVALUATION_RESULT_ERROR:
+ final_eval = entry->eval;
+ break;
+ case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+ if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+ if (final_eval != TNC_IMV_EVALUATION_RESULT_ERROR &&
+ final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+ if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+ break;
+ }
+ break;
+
+ case RECOMMENDATION_POLICY_ALL:
+ if (entry->rec != final_rec)
+ {
+ final_rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ }
+ if (entry->eval != final_eval)
+ {
+ final_eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+ }
+ break;
+
+ case RECOMMENDATION_POLICY_ANY:
+ switch (entry->rec)
+ {
+ case TNC_IMV_ACTION_RECOMMENDATION_ALLOW:
+ final_rec = entry->rec;
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE:
+ if (final_rec != TNC_IMV_ACTION_RECOMMENDATION_ALLOW)
+ {
+ final_rec = entry->rec;
+ };
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS:
+ if (final_rec == TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION)
+ {
+ final_rec = entry->rec;
+ };
+ break;
+ case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION:
+ break;
+ }
+ switch (entry->eval)
+ {
+ case TNC_IMV_EVALUATION_RESULT_COMPLIANT:
+ final_eval = entry->eval;
+ break;
+ case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR:
+ if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR:
+ if (final_eval != TNC_IMV_EVALUATION_RESULT_COMPLIANT &&
+ final_eval != TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_ERROR:
+ if (final_eval == TNC_IMV_EVALUATION_RESULT_DONT_KNOW)
+ {
+ final_eval = entry->eval;
+ }
+ break;
+ case TNC_IMV_EVALUATION_RESULT_DONT_KNOW:
+ break;
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (incomplete)
+ {
+ return FALSE;
+ }
+ *rec = final_rec;
+ *eval = final_eval;
+ return TRUE;
+}
+
+METHOD(recommendations_t, get_preferred_language, chunk_t,
+ private_tnc_imv_recommendations_t *this)
+{
+ return this->preferred_language;
+}
+
+METHOD(recommendations_t, set_preferred_language, void,
+ private_tnc_imv_recommendations_t *this, chunk_t pref_lang)
+{
+ free(this->preferred_language.ptr);
+ this->preferred_language = chunk_clone(pref_lang);
+}
+
+METHOD(recommendations_t, set_reason_string, TNC_Result,
+ private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ bool found = FALSE;
+
+ DBG2(DBG_TNC, "IMV %u is setting reason string to '%.*s'",
+ id, reason.len, reason.ptr);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->id == id)
+ {
+ found = TRUE;
+ free(entry->reason.ptr);
+ entry->reason = chunk_clone(reason);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+METHOD(recommendations_t, set_reason_language, TNC_Result,
+ private_tnc_imv_recommendations_t *this, TNC_IMVID id, chunk_t reason_lang)
+{
+ enumerator_t *enumerator;
+ recommendation_entry_t *entry;
+ bool found = FALSE;
+
+ DBG2(DBG_TNC, "IMV %u is setting reason language to '%.*s'",
+ id, reason_lang.len, reason_lang.ptr);
+
+ enumerator = this->recs->create_enumerator(this->recs);
+ while (enumerator->enumerate(enumerator, &entry))
+ {
+ if (entry->id == id)
+ {
+ found = TRUE;
+ free(entry->reason_language.ptr);
+ entry->reason_language = chunk_clone(reason_lang);
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return found ? TNC_RESULT_SUCCESS : TNC_RESULT_INVALID_PARAMETER;
+}
+
+/**
+ * Enumerate reason and reason_language, not recommendation entries
+ */
+static bool reason_filter(void *null, recommendation_entry_t **entry,
+ TNC_IMVID *id, void *i2, chunk_t *reason, void *i3,
+ chunk_t *reason_language)
+{
+ if ((*entry)->reason.len)
+ {
+ *id = (*entry)->id;
+ *reason = (*entry)->reason;
+ *reason_language = (*entry)->reason_language;
+ return TRUE;
+ }
+ else
+ {
+ return FALSE;
+ }
+}
+
+METHOD(recommendations_t, create_reason_enumerator, enumerator_t*,
+ private_tnc_imv_recommendations_t *this)
+{
+ return enumerator_create_filter(this->recs->create_enumerator(this->recs),
+ (void*)reason_filter, NULL, NULL);
+}
+
+METHOD(recommendations_t, destroy, void,
+ private_tnc_imv_recommendations_t *this)
+{
+ recommendation_entry_t *entry;
+
+ while (this->recs->remove_last(this->recs, (void**)&entry) == SUCCESS)
+ {
+ free(entry->reason.ptr);
+ free(entry->reason_language.ptr);
+ free(entry);
+ }
+ this->recs->destroy(this->recs);
+ free(this->preferred_language.ptr);
+ free(this);
+}
+
+/**
+ * Described in header.
+ */
+recommendations_t* tnc_imv_recommendations_create(linked_list_t *imv_list)
+{
+ private_tnc_imv_recommendations_t *this;
+ recommendation_entry_t *entry;
+ enumerator_t *enumerator;
+ imv_t *imv;
+
+ INIT(this,
+ .public = {
+ .provide_recommendation = _provide_recommendation,
+ .have_recommendation = _have_recommendation,
+ .get_preferred_language = _get_preferred_language,
+ .set_preferred_language = _set_preferred_language,
+ .set_reason_string = _set_reason_string,
+ .set_reason_language = _set_reason_language,
+ .create_reason_enumerator = _create_reason_enumerator,
+ .destroy = _destroy,
+ },
+ .recs = linked_list_create(),
+ );
+
+ enumerator = imv_list->create_enumerator(imv_list);
+ while (enumerator->enumerate(enumerator, &imv))
+ {
+ entry = malloc_thing(recommendation_entry_t);
+ entry->id = imv->get_id(imv);
+ entry->have_recommendation = FALSE;
+ entry->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION;
+ entry->eval = TNC_IMV_EVALUATION_RESULT_DONT_KNOW;
+ entry->reason = chunk_empty;
+ entry->reason_language = chunk_empty;
+ this->recs->insert_last(this->recs, entry);
+ }
+ enumerator->destroy(enumerator);
+
+ return &this->public;
+}
diff --git a/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
new file mode 100644
index 000000000..6d65a2521
--- /dev/null
+++ b/src/libcharon/plugins/tnc_imv/tnc_imv_recommendations.h
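Review bot: In set_reason_string() and set_reason_language() the `%.*s` precision is fed `reason.len` and `reason_lang.len` directly; printf reads a `*` precision as an int, and chunk_t.len is a size_t elsewhere in libstrongswan, so the variadic argument has the wrong width on 64-bit targets. Cast the lengths: `id, (int)reason.len, reason.ptr);` and `id, (int)reason_lang.len, reason_lang.ptr);`. The bounded precision is the right way to log these IMV-supplied chunks, since nothing guarantees a NUL terminator. Two smaller points in the same hunk: provide_recommendation() answers an unknown IMV ID with TNC_RESULT_FATAL while the two reason setters answer it with TNC_RESULT_INVALID_PARAMETER, and the `};` after several if-blocks in have_recommendation() are stray empty statements.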
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ *
+ * @defgroup tnc_imv_manager tnc_imv_manager
+ * @{ @ingroup tnc_imv
+ */
+
+#ifndef TNC_IMV_RECOMMENDATIONS_H_
+#define TNC_IMV_RECOMMENDATIONS_H_
+
+#include 
+#include 
+
+/**
+ * Create an IMV empty recommendations instance
+ */
+recommendations_t *tnc_imv_recommendations_create();
+
+#endif /** TNC_IMV_RECOMMENDATIONS_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_11/Makefile.am b/src/libcharon/plugins/tnccs_11/Makefile.am
index 7ccd0dfee..1042c3514 100644
--- a/src/libcharon/plugins/tnccs_11/Makefile.am
+++ b/src/libcharon/plugins/tnccs_11/Makefile.am
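Review bot: The prototype `recommendations_t *tnc_imv_recommendations_create();` does not match the definition in tnc_imv_recommendations.c from this commit, which takes `linked_list_t *imv_list`; with an empty parameter list the compiler cannot check the call, so declare it as `recommendations_t *tnc_imv_recommendations_create(linked_list_t *imv_list);` and document the argument, e.g. `@param imv_list list of loaded IMVs; one recommendation entry is created per IMV`. The Doxygen group header was copied from tnc_imv_manager.h, so `@defgroup tnc_imv_manager tnc_imv_manager` should read `@defgroup tnc_imv_recommendations tnc_imv_recommendations` here.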
@@ -1,21 +1,27 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS} AM_CFLAGS = -rdynamic -libstrongswan_tnccs_11_la_LIBADD = -ltnc +libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnccs-11.la else plugin_LTLIBRARIES = libstrongswan-tnccs-11.la -libstrongswan_tnccs_11_la_LIBADD += $(top_builddir)/src/libtls/libtls.la endif libstrongswan_tnccs_11_la_SOURCES = \ - tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c \ + batch/tnccs_batch.h batch/tnccs_batch.c \ + messages/tnccs_msg.h messages/tnccs_msg.c \ + messages/imc_imv_msg.h messages/imc_imv_msg.c \ + messages/tnccs_error_msg.h messages/tnccs_error_msg.c \ + messages/tnccs_preferred_language_msg.h messages/tnccs_preferred_language_msg.c \ + messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \ + messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \ + messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version diff --git a/src/libcharon/plugins/tnccs_11/Makefile.in b/src/libcharon/plugins/tnccs_11/Makefile.in index 200ff7a0a..5ab7ccbca 100644 --- a/src/libcharon/plugins/tnccs_11/Makefile.in +++ b/src/libcharon/plugins/tnccs_11/Makefile.in @@ -34,7 +34,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la subdir = src/libcharon/plugins/tnccs_11 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 
@@ -75,8 +74,12 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__append_1) -am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo +am__DEPENDENCIES_1 = +libstrongswan_tnccs_11_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_tnccs_11_la_OBJECTS = tnccs_11_plugin.lo tnccs_11.lo \ + tnccs_batch.lo tnccs_msg.lo imc_imv_msg.lo tnccs_error_msg.lo \ + tnccs_preferred_language_msg.lo tnccs_reason_strings_msg.lo \ + tnccs_recommendation_msg.lo tnccs_tncs_contact_info_msg.lo libstrongswan_tnccs_11_la_OBJECTS = \ $(am_libstrongswan_tnccs_11_la_OBJECTS) libstrongswan_tnccs_11_la_LINK = $(LIBTOOL) --tag=CC \ @@ -223,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -275,15 +278,22 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls ${xml_CFLAGS} AM_CFLAGS = -rdynamic -libstrongswan_tnccs_11_la_LIBADD = -ltnc $(am__append_1) +libstrongswan_tnccs_11_la_LIBADD = ${xml_LIBS} @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-11.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-11.la libstrongswan_tnccs_11_la_SOURCES = \ - tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c + tnccs_11_plugin.h tnccs_11_plugin.c tnccs_11.h tnccs_11.c \ + batch/tnccs_batch.h batch/tnccs_batch.c \ + messages/tnccs_msg.h messages/tnccs_msg.c \ + messages/imc_imv_msg.h messages/imc_imv_msg.c \ + messages/tnccs_error_msg.h messages/tnccs_error_msg.c \ + messages/tnccs_preferred_language_msg.h messages/tnccs_preferred_language_msg.c \ + messages/tnccs_reason_strings_msg.h messages/tnccs_reason_strings_msg.c \ + messages/tnccs_recommendation_msg.h messages/tnccs_recommendation_msg.c \ + messages/tnccs_tncs_contact_info_msg.h messages/tnccs_tncs_contact_info_msg.c libstrongswan_tnccs_11_la_LDFLAGS = -module -avoid-version all: all-am 
@@ -369,8 +379,16 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/imc_imv_msg.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_11_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_batch.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_error_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_preferred_language_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_reason_strings_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_recommendation_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_tncs_contact_info_msg.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -393,6 +411,62 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +tnccs_batch.lo: batch/tnccs_batch.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_batch.lo -MD -MP -MF $(DEPDIR)/tnccs_batch.Tpo -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_batch.Tpo $(DEPDIR)/tnccs_batch.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='batch/tnccs_batch.c' object='tnccs_batch.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_batch.lo `test -f 'batch/tnccs_batch.c' || echo '$(srcdir)/'`batch/tnccs_batch.c + +tnccs_msg.lo: messages/tnccs_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_msg.Tpo -c -o tnccs_msg.lo `test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_msg.Tpo $(DEPDIR)/tnccs_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_msg.c' object='tnccs_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_msg.lo 
`test -f 'messages/tnccs_msg.c' || echo '$(srcdir)/'`messages/tnccs_msg.c + +imc_imv_msg.lo: messages/imc_imv_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT imc_imv_msg.lo -MD -MP -MF $(DEPDIR)/imc_imv_msg.Tpo -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/imc_imv_msg.Tpo $(DEPDIR)/imc_imv_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/imc_imv_msg.c' object='imc_imv_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o imc_imv_msg.lo `test -f 'messages/imc_imv_msg.c' || echo '$(srcdir)/'`messages/imc_imv_msg.c + +tnccs_error_msg.lo: messages/tnccs_error_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_error_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_error_msg.Tpo -c -o tnccs_error_msg.lo `test -f 'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_error_msg.Tpo $(DEPDIR)/tnccs_error_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_error_msg.c' object='tnccs_error_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_error_msg.lo `test -f 
'messages/tnccs_error_msg.c' || echo '$(srcdir)/'`messages/tnccs_error_msg.c + +tnccs_preferred_language_msg.lo: messages/tnccs_preferred_language_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_preferred_language_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_preferred_language_msg.Tpo -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_preferred_language_msg.Tpo $(DEPDIR)/tnccs_preferred_language_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_preferred_language_msg.c' object='tnccs_preferred_language_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_preferred_language_msg.lo `test -f 'messages/tnccs_preferred_language_msg.c' || echo '$(srcdir)/'`messages/tnccs_preferred_language_msg.c + +tnccs_reason_strings_msg.lo: messages/tnccs_reason_strings_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_reason_strings_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_reason_strings_msg.Tpo -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_reason_strings_msg.Tpo $(DEPDIR)/tnccs_reason_strings_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_reason_strings_msg.c' object='tnccs_reason_strings_msg.lo' 
libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_reason_strings_msg.lo `test -f 'messages/tnccs_reason_strings_msg.c' || echo '$(srcdir)/'`messages/tnccs_reason_strings_msg.c + +tnccs_recommendation_msg.lo: messages/tnccs_recommendation_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_recommendation_msg.Tpo -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_recommendation_msg.Tpo $(DEPDIR)/tnccs_recommendation_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_recommendation_msg.c' object='tnccs_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_recommendation_msg.lo `test -f 'messages/tnccs_recommendation_msg.c' || echo '$(srcdir)/'`messages/tnccs_recommendation_msg.c + +tnccs_tncs_contact_info_msg.lo: messages/tnccs_tncs_contact_info_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT tnccs_tncs_contact_info_msg.lo -MD -MP -MF $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo -c -o tnccs_tncs_contact_info_msg.lo `test -f 
'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/tnccs_tncs_contact_info_msg.Tpo $(DEPDIR)/tnccs_tncs_contact_info_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/tnccs_tncs_contact_info_msg.c' object='tnccs_tncs_contact_info_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o tnccs_tncs_contact_info_msg.lo `test -f 'messages/tnccs_tncs_contact_info_msg.c' || echo '$(srcdir)/'`messages/tnccs_tncs_contact_info_msg.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c new file mode 100644 index 000000000..0f6f3a675 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.c 
@@ -0,0 +1,323 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_batch.h" +#include "messages/tnccs_error_msg.h" + +#include +#include +#include + +#include + +typedef struct private_tnccs_batch_t private_tnccs_batch_t; + +/** + * Private data of a tnccs_batch_t object. + * + */ +struct private_tnccs_batch_t { + /** + * Public tnccs_batch_t interface. + */ + tnccs_batch_t public; + + /** + * Batch ID + */ + int batch_id; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; + + /** + * linked list of TNCCS messages + */ + linked_list_t *messages; + + /** + * linked list of TNCCS error messages + */ + linked_list_t *errors; + + /** + * XML document + */ + xmlDocPtr doc; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(tnccs_batch_t, get_encoding, chunk_t, + private_tnccs_batch_t *this) +{ + return this->encoding; +} + +METHOD(tnccs_batch_t, add_msg, void, + private_tnccs_batch_t *this, tnccs_msg_t* msg) +{ + xmlNodePtr root; + + DBG2(DBG_TNC, "adding %N message", tnccs_msg_type_names, + msg->get_type(msg)); + this->messages->insert_last(this->messages, msg); + root = xmlDocGetRootElement(this->doc); + xmlAddChild(root, msg->get_node(msg)); +} + +METHOD(tnccs_batch_t, build, void, + private_tnccs_batch_t *this) +{ + xmlChar *xmlbuf; + int buf_size; + + xmlDocDumpFormatMemory(this->doc, &xmlbuf, &buf_size, 1); + 
this->encoding = chunk_create((u_char*)xmlbuf, buf_size); + this->encoding = chunk_clone(this->encoding); + xmlFree(xmlbuf); +} + +METHOD(tnccs_batch_t, process, status_t, + private_tnccs_batch_t *this) +{ + tnccs_msg_t *tnccs_msg, *msg; + tnccs_error_type_t error_type = TNCCS_ERROR_OTHER; + char *error_msg, buf[BUF_LEN]; + xmlNodePtr cur; + xmlNsPtr ns; + xmlChar *batchid, *recipient; + int batch_id; + + this->doc = xmlParseMemory(this->encoding.ptr, this->encoding.len); + if (!this->doc) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = "failed to parse XML message"; + goto fatal; + } + + /* check out the XML document */ + cur = xmlDocGetRootElement(this->doc); + if (!cur) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = "empty XML document"; + goto fatal; + } + + /* check TNCCS namespace */ + ns = xmlSearchNsByHref(this->doc, cur, (const xmlChar*) + "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#"); + if (!ns) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = "TNCCS namespace not found"; + goto fatal; + } + + /* check XML document type */ + if (xmlStrcmp(cur->name, (const xmlChar*)"TNCCS-Batch")) + { + error_type = TNCCS_ERROR_MALFORMED_BATCH; + error_msg = buf; + snprintf(buf, BUF_LEN, "wrong XML document type '%s', expected TNCCS-Batch", + cur->name); + goto fatal; + } + + /* check presence of BatchID property */ + batchid = xmlGetProp(cur, (const xmlChar*)"BatchId"); + if (!batchid) + { + error_type = TNCCS_ERROR_INVALID_BATCH_ID; + error_msg = "BatchId is missing"; + goto fatal; + } + + /* check BatchID */ + batch_id = atoi((char*)batchid); + xmlFree(batchid); + if (batch_id != this->batch_id) + { + error_type = TNCCS_ERROR_INVALID_BATCH_ID; + error_msg = buf; + snprintf(buf, BUF_LEN, "BatchId %d expected, got %d", this->batch_id, + batch_id); + goto fatal; + } + + /* check presence of Recipient property */ + recipient = xmlGetProp(cur, (const xmlChar*)"Recipient"); + if (!recipient) + { + error_type = 
TNCCS_ERROR_INVALID_RECIPIENT_TYPE; + error_msg = "Recipient is missing"; + goto fatal; + } + + /* check recipient */ + if (!streq((char*)recipient, this->is_server ? "TNCS" : "TNCC")) + { + error_type = TNCCS_ERROR_INVALID_RECIPIENT_TYPE; + error_msg = buf; + snprintf(buf, BUF_LEN, "message recipient expected '%s', got '%s'", + this->is_server ? "TNCS" : "TNCC", (char*)recipient); + xmlFree(recipient); + goto fatal; + } + xmlFree(recipient); + + DBG2(DBG_TNC, "processing TNCCS Batch #%d", batch_id); + + /* Now walk the tree, handling message nodes as we go */ + for (cur = cur->xmlChildrenNode; cur != NULL; cur = cur->next) + { + /* ignore empty or blank nodes */ + if (xmlIsBlankNode(cur)) + { + continue; + } + + /* ignore nodes with wrong namespace */ + if (cur->ns != ns) + { + DBG1(DBG_TNC, "ignoring message node '%s' having wrong namespace", + (char*)cur->name); + continue; + } + + tnccs_msg = tnccs_msg_create_from_node(cur, this->errors); + + /* exit if a message parsing error occurred */ + if (this->errors->get_count(this->errors) > 0) + { + return FAILED; + } + + /* ignore unrecognized messages */ + if (!tnccs_msg) + { + continue; + } + + this->messages->insert_last(this->messages, tnccs_msg); + } + return SUCCESS; + +fatal: + msg = tnccs_error_msg_create(error_type, error_msg); + this->errors->insert_last(this->errors, msg); + return FAILED; +} + +METHOD(tnccs_batch_t, create_msg_enumerator, enumerator_t*, + private_tnccs_batch_t *this) +{ + return this->messages->create_enumerator(this->messages); +} + +METHOD(tnccs_batch_t, create_error_enumerator, enumerator_t*, + private_tnccs_batch_t *this) +{ + return this->errors->create_enumerator(this->errors); +} + +METHOD(tnccs_batch_t, destroy, void, + private_tnccs_batch_t *this) +{ + this->messages->destroy_offset(this->messages, + offsetof(tnccs_msg_t, destroy)); + this->errors->destroy_offset(this->errors, + offsetof(tnccs_msg_t, destroy)); + xmlFreeDoc(this->doc); + free(this->encoding.ptr); + free(this); +} 
+ +/** + * See header + */ +tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id) +{ + private_tnccs_batch_t *this; + xmlNodePtr n; + char buf[12]; + const char *recipient; + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .messages = linked_list_create(), + .errors = linked_list_create(), + .batch_id = batch_id, + .doc = xmlNewDoc(BAD_CAST "1.0"), + ); + + DBG2(DBG_TNC, "creating TNCCS Batch #%d", this->batch_id); + n = xmlNewNode(NULL, BAD_CAST "TNCCS-Batch"); + snprintf(buf, sizeof(buf), "%d", batch_id); + recipient = this->is_server ? "TNCC" : "TNCS"; + xmlNewProp(n, BAD_CAST "BatchId", BAD_CAST buf); + xmlNewProp(n, BAD_CAST "Recipient", BAD_CAST recipient); + xmlNewProp(n, BAD_CAST "xmlns", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS#"); + xmlNewProp(n, BAD_CAST "xmlns:xsi", BAD_CAST "http://www.w3.org/2001/XMLSchema-instance"); + xmlNewProp(n, BAD_CAST "xsi:schemaLocation", BAD_CAST "http://www.trustedcomputinggroup.org/IWG/TNC/1_0/IF_TNCCS# " + "https://www.trustedcomputinggroup.org/XML/SCHEMA/TNCCS_1.0.xsd"); + xmlDocSetRootElement(this->doc, n); + + return &this->public; +} + +/** + * See header + */ +tnccs_batch_t* tnccs_batch_create_from_data(bool is_server, int batch_id, chunk_t data) +{ + private_tnccs_batch_t *this; + + INIT(this, + .public = { + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .batch_id = batch_id, + .messages = linked_list_create(), + .errors = linked_list_create(), + .encoding = chunk_clone(data), + ); + + return &this->public; +} + 
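Review bot: process() hands a peer-supplied batch to xmlParseMemory() with the library's default parser options and never rejects a DOCTYPE, so how an internal subset is treated (entity expansion, and external-entity or DTD fetching should a loader ever be enabled) depends entirely on libxml2's defaults rather than on this code; since a TNCCS batch arrives from a client that has not yet been admitted, I would parse with explicit options, `this->doc = xmlReadMemory(this->encoding.ptr, this->encoding.len, NULL, NULL, XML_PARSE_NONET | XML_PARSE_NOBLANKS);`, and then `if (this->doc->intSubset || this->doc->extSubset) goto fatal;` with a malformed-batch error. The BatchId check on the same path uses `atoi`, which accepts `"3abc"` and silently maps non-numeric text to 0; `strtol` with an end-pointer check would reject those instead of comparing a made-up value. The Recipient attribute value and the root element name are echoed into the error text via snprintf; that is fine here, but both are attacker-controlled strings and tnccs_error_msg_create() stores them as XML content, so they need escaping there (see that file). In tnccs_batch_create_from_data() `.doc` stays NULL, which destroy() tolerates only because xmlFreeDoc(NULL) is a no-op in libxml2; a comment `/* doc is created by process() */` would make that explicit.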
diff --git a/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h new file mode 100644 index 000000000..25301f763 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/batch/tnccs_batch.h 
@@ -0,0 +1,100 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_batch tnccs_batch + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_BATCH_H_ +#define TNCCS_BATCH_H_ + +typedef enum tnccs_batch_type_t tnccs_batch_type_t; +typedef struct tnccs_batch_t tnccs_batch_t; + +#include "messages/tnccs_msg.h" + +#include + +/** + * Interface for a TNCCS 1.x Batch. + */ +struct tnccs_batch_t { + + /** + * Get the encoding of the TNCCS 1.x Batch + * + * @return encoded TNCCS 1.x batch + */ + chunk_t (*get_encoding)(tnccs_batch_t *this); + + /** + * Add TNCCS message + * + * @param msg TNCCS message to be addedd + */ + void (*add_msg)(tnccs_batch_t *this, tnccs_msg_t* msg); + + /** + * Build the TNCCS 1.x Batch + */ + void (*build)(tnccs_batch_t *this); + + /** + * Process the TNCCS 1.x Batch + * + * @return return processing status + */ + status_t (*process)(tnccs_batch_t *this); + + /** + * Enumerates over all TNCCS Messages + * + * @return return message enumerator + */ + enumerator_t* (*create_msg_enumerator)(tnccs_batch_t *this); + + /** + * Enumerates over all parsing errors + * + * @return return error enumerator + */ + enumerator_t* (*create_error_enumerator)(tnccs_batch_t *this); + + /** + * Destroys a tnccs_batch_t object. 
+ */ + void (*destroy)(tnccs_batch_t *this); +}; + +/** + * Create an empty TNCCS 1.x Batch + * + * @param is_server TRUE if server, FALSE if client + * @param batch_id number of the batch to be sent + */ +tnccs_batch_t* tnccs_batch_create(bool is_server, int batch_id); + +/** + * Create an unprocessed TNCCS 1.x Batch from data + * + * @param is_server TRUE if server, FALSE if client + * @param batch_id current Batch ID + * @param data encoded PB-TNC batch + */ +tnccs_batch_t* tnccs_batch_create_from_data(bool is_server, int batch_id, + chunk_t data); + +#endif /** TNCCS_BATCH_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c new file mode 100644 index 000000000..f24c0dac9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.c 
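Review bot: The ownership contract of add_msg() and the failure contract of process() are not documented: add_msg() takes ownership of the message (tnccs_batch.c destroys it via destroy_offset) and attaches its node to the batch document, while process() returns FAILED and leaves the reason on the list reachable through create_error_enumerator(). I would write `@param msg TNCCS message to be added; ownership passes to the batch` on add_msg and `@return SUCCESS, or FAILED with the cause queued as a TNCCS-Error message` on process. The @param data comment on tnccs_batch_create_from_data says "encoded PB-TNC batch", but this plugin parses TNCCS 1.x XML batches (PB-TNC is the 2.0 wire format), so `@param data XML-encoded TNCCS 1.x batch (cloned, caller keeps ownership)` is what a reader needs. `typedef enum tnccs_batch_type_t tnccs_batch_type_t;` is declared but the enum is never defined in this header.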
@@ -0,0 +1,242 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "imc_imv_msg.h" + +#include +#include +#include + +typedef struct private_imc_imv_msg_t private_imc_imv_msg_t; + +#define BYTES_PER_LINE 57 + +/** + * Private data of a imc_imv_msg_t object. + * + */ +struct private_imc_imv_msg_t { + /** + * Public imc_imv_msg_t interface. + */ + imc_imv_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * IMC-IMV message type + */ + TNC_MessageType msg_type; + + /** + * IMC-IMV message body + */ + chunk_t msg_body; + +}; + +/** + * Encodes message data into multiple base64-encoded lines + */ +static chunk_t encode_base64(chunk_t data) +{ + chunk_t encoding; + u_char *pos; + size_t b64_chars, b64_lines; + + /* handle empty message data object */ + if (data.len == 0) + { + encoding = chunk_alloc(1); + *encoding.ptr = '\0'; + return encoding; + } + + /* compute and allocate maximum size of base64 object */ + b64_chars = 4 * ((data.len + 2) / 3); + b64_lines = (data.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE; + encoding = chunk_alloc(b64_chars + b64_lines); + pos = encoding.ptr; + + /* encode lines */ + while (b64_lines--) + { + chunk_t data_line, b64_line; + + data_line = chunk_create(data.ptr, min(data.len, BYTES_PER_LINE)); + data.ptr += data_line.len; + 
data.len -= data_line.len; + b64_line = chunk_to_base64(data_line, pos); + pos += b64_line.len; + *pos = '\n'; + pos++; + } + /* terminate last line with NULL character instead of newline */ + *(pos-1) = '\0'; + + return encoding; +} + +/** + * Decodes message data from multiple base64-encoded lines + */ +static chunk_t decode_base64(chunk_t data) +{ + chunk_t decoding, data_line, b64_line; + u_char *pos; + + /* compute and allocate maximum size of decoded message data */ + decoding = chunk_alloc(3 * ((data.len + 3) / 4)); + pos = decoding.ptr; + decoding.len = 0; + + while (fetchline(&data, &b64_line)) + { + data_line = chunk_from_base64(b64_line, pos); + pos += data_line.len; + decoding.len += data_line.len; + } + + return decoding; +} + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_imc_imv_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_imc_imv_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_imc_imv_msg_t *this) +{ + free(this->msg_body.ptr); + free(this); +} + +METHOD(imc_imv_msg_t, get_msg_type, TNC_MessageType, + private_imc_imv_msg_t *this) +{ + return this->msg_type; +} + +METHOD(imc_imv_msg_t, get_msg_body, chunk_t, + private_imc_imv_msg_t *this) +{ + return this->msg_body; +} + +/** + * See header + */ +tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors) +{ + private_imc_imv_msg_t *this; + xmlNsPtr ns; + xmlNodePtr cur; + xmlChar *content; + chunk_t b64_body; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_msg_type = _get_msg_type, + .get_msg_body = _get_msg_body, + }, + .type = IMC_IMV_MSG, + .node = node, + ); + + ns = node->ns; + cur = node->xmlChildrenNode; + while (cur) + { + if (streq((char*)cur->name, "Type") && cur->ns == ns) + { + content = xmlNodeGetContent(cur); + this->msg_type = strtoul((char*)content, NULL, 16); + 
xmlFree(content); + } + else if (streq((char*)cur->name, "Base64") && cur->ns == ns) + { + content = xmlNodeGetContent(cur); + b64_body = chunk_create((char*)content, strlen((char*)content)); + this->msg_body = decode_base64(b64_body); + xmlFree(content); + } + cur = cur->next; + } + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body) +{ + private_imc_imv_msg_t *this; + chunk_t b64_body; + char buf[10]; /* big enough for hex-encoded message type */ + xmlNodePtr n; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_msg_type = _get_msg_type, + .get_msg_body = _get_msg_body, + }, + .type = IMC_IMV_MSG, + .node = xmlNewNode(NULL, BAD_CAST "IMC-IMV-Message"), + .msg_type = msg_type, + .msg_body = chunk_clone(msg_body), + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + snprintf(buf, 10, "%08x", this->msg_type); + xmlNodeSetContent(n, BAD_CAST buf); + xmlAddChild(this->node, n); + + /* encode the message as a Base64 node */ + n = xmlNewNode(NULL, BAD_CAST "Base64"); + b64_body = encode_base64(this->msg_body); + xmlNodeSetContent(n, BAD_CAST b64_body.ptr); + xmlAddChild(this->node, n); + free(b64_body.ptr); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h new file mode 100644 index 000000000..02f07199f --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/imc_imv_msg.h 
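Review bot: imc_imv_msg_create_from_node() passes the result of xmlNodeGetContent() straight to strtoul() and strlen(); xmlNodeGetContent() can return NULL (at least when its internal buffer allocation fails), and the sibling constructor tnccs_error_msg_create_from_node() in this same commit guards that case with `if (error_msg)`, so this one should too, e.g. `if (content) { this->msg_type = strtoul((char*)content, NULL, 16); xmlFree(content); }` and likewise for the Base64 branch. A message without a Type child currently yields msg_type 0 and no error is pushed to the `errors` list that the function receives but never uses; either record a malformed-batch error or document that such messages are passed on with type 0. In encode_base64() the allocation bound `4 * ((data.len + 2) / 3)` is only sufficient because BYTES_PER_LINE is a multiple of 3, so only the last line is padded; a comment such as `/* must be a multiple of 3 so that only the final line is padded */` next to the define would keep a later change from turning this into a heap overrun.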
@@ -0,0 +1,71 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc_imv_msg imc_imv_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef IMC_IMV_MSG_H_ +#define IMC_IMV_MSG_H_ + +typedef struct imc_imv_msg_t imc_imv_msg_t; + +#include "tnccs_msg.h" + +#include + +/** + * Classs representing the PB-PA message type. + */ +struct imc_imv_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get IMC-IMV message type + * + * @return IMC-IMV message type + */ + TNC_MessageType (*get_msg_type)(imc_imv_msg_t *this); + + /** + * Get IMC-IMV message body + * + * @return IMC-IMV message body + */ + chunk_t (*get_msg_body)(imc_imv_msg_t *this); +}; + +/** + * Create an IMC-IMV message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages +*/ +tnccs_msg_t *imc_imv_msg_create_from_node(xmlNodePtr node, linked_list_t *errors); + +/** + * Create an IMC-IMV message from parameters + * + * @param msg_type IMC-IMV message type + * @param msg_body IMC-IMV message body + */ +tnccs_msg_t *imc_imv_msg_create(TNC_MessageType msg_type, chunk_t msg_body); + +#endif /** IMC_IMV_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c new file mode 100644 index 000000000..d0df4e7ca --- /dev/null 
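Review bot: The struct comment reads `Classs representing the PB-PA message type`, but this is the TNCCS 1.x IMC-IMV-Message (PB-PA is the TNCCS 2.0 name) and the word is misspelled; `Class representing the IMC-IMV message type (TNCCS 1.x)` would be accurate. get_msg_body() returns a chunk owned by the message (freed in destroy(); imc_imv_msg_create() stores a clone of its argument), which the @return line should say so callers neither free it nor keep it after destroy(). imc_imv_msg_create_from_node() takes an `errors` list that the implementation in this commit never appends to; the @param should say so, or the parameter should be used.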
+++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.c 
@@ -0,0 +1,191 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_error_msg.h" + +#include + +ENUM(tnccs_error_type_names, TNCCS_ERROR_BATCH_TOO_LONG, TNCCS_ERROR_OTHER, + "batch-too-long", + "malformed-batch", + "invalid-batch-id", + "invalid-recipient-type", + "internal-error", + "other" +); + +typedef struct private_tnccs_error_msg_t private_tnccs_error_msg_t; + +/** + * Private data of a tnccs_error_msg_t object. + * + */ +struct private_tnccs_error_msg_t { + /** + * Public tnccs_error_msg_t interface. 
+ */ + tnccs_error_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Error type + */ + tnccs_error_type_t error_type; + + /** + * Error message + */ + char *error_msg; + + /** + * reference count + */ + refcount_t ref; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_error_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_error_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, get_ref, tnccs_msg_t*, + private_tnccs_error_msg_t *this) +{ + ref_get(&this->ref); + return &this->public.tnccs_msg_interface; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_error_msg_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->error_msg); + free(this); + } +} + +METHOD(tnccs_error_msg_t, get_message, char*, + private_tnccs_error_msg_t *this, tnccs_error_type_t *type) +{ + *type = this->error_type; + + return this->error_msg; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node) +{ + private_tnccs_error_msg_t *this; + xmlChar *error_type_name, *error_msg; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_message = _get_message, + }, + .type = TNCCS_MSG_ERROR, + .ref = 1, + .node = node, + .error_type = TNCCS_ERROR_OTHER, + ); + + error_type_name = xmlGetProp(node, (const xmlChar*)"type"); + if (error_type_name) + { + this->error_type = enum_from_name(tnccs_error_type_names, + (char*)error_type_name); + if (this->error_type == -1) + { + this->error_type = TNCCS_ERROR_OTHER; + } + xmlFree(error_type_name); + } + + error_msg = xmlNodeGetContent(node); + if (error_msg) + { + this->error_msg = strdup((char*)error_msg); + xmlFree(error_msg); + } + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t 
*tnccs_error_msg_create(tnccs_error_type_t type, char *msg) +{ + private_tnccs_error_msg_t *this; + xmlNodePtr n, n2; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_message = _get_message, + }, + .type = TNCCS_MSG_ERROR, + .ref = 1, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .error_type = type, + .error_msg = strdup(msg), + ); + + DBG1(DBG_TNC, "%s", msg); + + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000002"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNewProp(n2, BAD_CAST "type", + BAD_CAST enum_to_name(tnccs_error_type_names, type)); + xmlNodeSetContent(n2, BAD_CAST msg); + xmlAddChild(n, n2); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h new file mode 100644 index 000000000..ce2ce9755 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_error_msg.h 
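Review bot: tnccs_error_msg_create() inserts the message text with `xmlNodeSetContent(n2, BAD_CAST msg)`, which libxml2 documents as taking already-escaped XML content (it resolves entity references in the string), yet tnccs_batch.c builds some of these messages from peer-supplied strings such as the Recipient attribute value and the root element name, so a value containing `&` or `<` ends up unescaped or mis-parsed in the error node that is built for the reply. Using `xmlAddChild(n2, xmlNewText(BAD_CAST msg));` (or encoding with xmlEncodeEntitiesReentrant() first) serialises the text safely. In tnccs_error_msg_create_from_node(), a node with no content leaves `error_msg` NULL and get_message() hands that NULL to callers; initialise it to `strdup("")` or document that get_message() may return NULL. The node created by xmlNewNode() in tnccs_error_msg_create() is never freed by destroy(); that is fine when the node is attached to a batch document, but the errors queued in process()'s fatal path are presumably never attached, so each rejected batch would leak a node — worth confirming in the caller.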
@@ -0,0 +1,80 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_error_msg tnccs_error_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_ERROR_MSG_H_ +#define TNCCS_ERROR_MSG_H_ + +typedef enum tnccs_error_type_t tnccs_error_type_t; +typedef struct tnccs_error_msg_t tnccs_error_msg_t; + +#include "tnccs_msg.h" + +/** + * TNCCS error types as defined in section 8.1.4 of TCG TNC IF-TNCCS v1.2 + */ +enum tnccs_error_type_t { + TNCCS_ERROR_BATCH_TOO_LONG, + TNCCS_ERROR_MALFORMED_BATCH, + TNCCS_ERROR_INVALID_BATCH_ID, + TNCCS_ERROR_INVALID_RECIPIENT_TYPE, + TNCCS_ERROR_INTERNAL_ERROR, + TNCCS_ERROR_OTHER +}; + +/** + * enum name for tnccs_error_type_t. 
+ */ +extern enum_name_t *tnccs_error_type_names; + +/** + * Class representing the TNCCS-Error message type + */ +struct tnccs_error_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get error message and type + * + * @param type TNCCS error type + * @return arbitrary error message + */ + char* (*get_message)(tnccs_error_msg_t *this, tnccs_error_type_t *type); +}; + +/** + * Create a TNCCS-Error message from XML-encoded message node + * + * @param node XML-encoded message node + */ +tnccs_msg_t *tnccs_error_msg_create_from_node(xmlNodePtr node); + +/** + * Create a TNCCS-Error message from parameters + * + * @param type TNCCS error type + * @param msg arbitrary error message + */ +tnccs_msg_t *tnccs_error_msg_create(tnccs_error_type_t type, char *msg); + +#endif /** TNCCS_ERROR_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c new file mode 100644 index 000000000..5a050393a --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.c 
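Review bot: The @return on get_message() says "arbitrary error message" but not who owns it or whether it can be NULL; the implementation returns a pointer owned by the message (freed in destroy()) and leaves it NULL when the parsed node had no content, so `@return error message owned by this object, NULL if none was received` is what callers need. tnccs_error_msg_create() strdup()s `msg`, so `@param msg error message, copied` would make it clear that the stack buffer tnccs_batch.c passes is safe. The strings in the tnccs_error_type_names ENUM are wire values (they become the `type` attribute and are matched with enum_from_name on receipt); a comment on the enum saying they must match the IF-TNCCS spec names would discourage renaming them.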
@@ -0,0 +1,140 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_msg.h" +#include "imc_imv_msg.h" +#include "tnccs_error_msg.h" +#include "tnccs_preferred_language_msg.h" +#include "tnccs_reason_strings_msg.h" +#include "tnccs_recommendation_msg.h" +#include "tnccs_tncs_contact_info_msg.h" + +#include +#include + +ENUM(tnccs_msg_type_names, IMC_IMV_MSG, TNCCS_MSG_ROOF, + "IMC-IMV", + "TNCCS-Recommendation", + "TNCCS-Error", + "TNCCS-PreferredLanguage", + "TNCCS-ReasonStrings", + "TNCCS-TNCSContactInfo" +); + +/** + * See header + */ +tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors) +{ + char *error_msg, buf[BUF_LEN]; + tnccs_error_type_t error_type = TNCCS_ERROR_MALFORMED_BATCH; + tnccs_msg_t *msg; + tnccs_msg_type_t type = IMC_IMV_MSG; + + if (streq((char*)node->name, "IMC-IMV-Message")) + { + DBG2(DBG_TNC, "processing %N message", tnccs_msg_type_names, type); + return imc_imv_msg_create_from_node(node, errors); + } + else if (streq((char*)node->name, "TNCC-TNCS-Message")) + { + bool found = FALSE; + xmlNsPtr ns = node->ns; + xmlNodePtr cur = node->xmlChildrenNode; + xmlNodePtr xml_msg_node = NULL; + + while (cur) + { + if (streq((char*)cur->name, "Type") && cur->ns == ns) + { + xmlChar *content = xmlNodeGetContent(cur); + + type = strtol((char*)content, NULL, 16); + xmlFree(content); + found = TRUE; + } + 
else if (streq((char*)cur->name, "XML") && cur->ns == ns) + { + xml_msg_node = cur->xmlChildrenNode; + } + cur = cur->next; + } + if (!found) + { + error_msg = "Type is missing in TNCC-TNCS-Message"; + goto fatal; + } + if (!xml_msg_node) + { + error_msg = "XML node is missing in TNCC-TNCS-Message"; + goto fatal; + } + cur = xml_msg_node; + + /* skip empty and blank nodes */ + while (cur && xmlIsBlankNode(cur)) + { + cur = cur->next; + } + if (!cur) + { + error_msg = "XML node is empty"; + goto fatal; + } + + /* check if TNCCS message type and node name agree */ + if (type >= TNCCS_MSG_RECOMMENDATION && type <= TNCCS_MSG_ROOF) + { + DBG2(DBG_TNC, "processing %N message", tnccs_msg_type_names, type); + if (cur->ns != ns) + { + error_msg = "node is not in the TNCCS message namespace"; + goto fatal; + } + if (type != enum_from_name(tnccs_msg_type_names, (char*)cur->name)) + { + error_msg = buf; + snprintf(buf, BUF_LEN, "expected '%N' node but was '%s'", + tnccs_msg_type_names, type, (char*)cur->name); + goto fatal; + } + } + + switch (type) + { + case TNCCS_MSG_RECOMMENDATION: + return tnccs_recommendation_msg_create_from_node(cur, errors); + case TNCCS_MSG_ERROR: + return tnccs_error_msg_create_from_node(cur); + case TNCCS_MSG_PREFERRED_LANGUAGE: + return tnccs_preferred_language_msg_create_from_node(cur, errors); + case TNCCS_MSG_REASON_STRINGS: + return tnccs_reason_strings_msg_create_from_node(cur, errors); + case TNCCS_MSG_TNCS_CONTACT_INFO: + return tnccs_tncs_contact_info_msg_create_from_node(cur, errors); + default: + DBG1(DBG_TNC, "ignoring TNCC-TNCS-Message with type %d", type); + return NULL; + } + } + DBG1(DBG_TNC, "ignoring unknown message node '%s'", (char*)node->name); + return NULL; + +fatal: + msg = tnccs_error_msg_create(error_type, error_msg); + errors->insert_last(errors, msg); + return NULL; +} + 
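Review bot: In tnccs_msg_create_from_node() the Type branch calls `strtol((char*)content, NULL, 16)` without checking that xmlNodeGetContent() returned non-NULL or that the whole string was consumed, so an empty `<Type/>` or garbage text is silently mapped to type 0 (or dereferences NULL if the call fails) instead of producing the malformed-batch error that the missing-Type case gets; `if (!content) { error_msg = "Type is empty"; goto fatal; }` plus an end-pointer check would make the two failure modes consistent. The range test `type >= TNCCS_MSG_RECOMMENDATION && type <= TNCCS_MSG_ROOF` is correct only because TNCCS_MSG_ROOF equals the last real type in tnccs_msg.h (both 5); a comment at the check would save the reader a lookup and flag the coupling. Note that strtol also accepts negative and very large values, so the switch's default branch is what actually protects the later enum_to_name lookup — worth a comment there too.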
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h new file mode 100644 index 000000000..e0b54449a --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_msg.h 
@@ -0,0 +1,102 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_msg tnccs_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_MSG_H_ +#define TNCCS_MSG_H_ + +typedef enum tnccs_msg_type_t tnccs_msg_type_t; +typedef struct tnccs_msg_t tnccs_msg_t; + +#include +#include +#include + +/** + * TNCC-TNCS messages as defined in section 2.8.5 of TCG TNC IF-TNCCS v1.2 + */ +enum tnccs_msg_type_t { + IMC_IMV_MSG = 0, + TNCCS_MSG_RECOMMENDATION = 1, + TNCCS_MSG_ERROR = 2, + TNCCS_MSG_PREFERRED_LANGUAGE = 3, + TNCCS_MSG_REASON_STRINGS = 4, + TNCCS_MSG_TNCS_CONTACT_INFO = 5, + TNCCS_MSG_ROOF = 5 +}; + +/** + * enum name for tnccs_msg_type_t. + */ +extern enum_name_t *tnccs_msg_type_names; + +/** + * Generic interface for all TNCCS message types. + * + * To handle all messages in a generic way, this interface + * must be implemented by each message type. + */ +struct tnccs_msg_t { + + /** + * Get the TNCCS Message Type + * + * @return TNCCS Message Type + */ + tnccs_msg_type_t (*get_type)(tnccs_msg_t *this); + + /** + * Get the XML-encoded Message Node + * + * @return Message Node + */ + xmlNodePtr (*get_node)(tnccs_msg_t *this); + + /** + * Process the TNCCS Message + * + * @return return processing status + */ + status_t (*process)(tnccs_msg_t *this); + + /** + * Get a new reference to the message. 
+ * + * @return this, with an increased refcount + */ + tnccs_msg_t* (*get_ref)(tnccs_msg_t *this); + + /** + * Destroys a tnccs_msg_t object. + */ + void (*destroy)(tnccs_msg_t *this); +}; + +/** + * Create a pre-processed TNCCS message + * + * Useful for the parser which wants a generic constructor for all + * tnccs_msg_t types. + * + * @param node TNCCS message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t* tnccs_msg_create_from_node(xmlNodePtr node, linked_list_t *errors); + +#endif /** TNCCS_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c new file mode 100644 index 000000000..fd85350b5 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.c 
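Review bot: The interface declares `process` and `get_ref`, but of the implementations in this commit only tnccs_error_msg sets get_ref and none sets process, and since the objects are built with INIT those slots are NULL, so any generic caller that invokes msg->process(msg) or msg->get_ref(msg) on an IMC-IMV or preferred-language message will crash. Either every message type must provide both methods, or the header should state that they are optional, e.g. `/* may be NULL; callers must check before calling */`, and the batch code must check the pointer. The enum entry TNCCS_MSG_ROOF would also benefit from `/* highest valid type; keep equal to the last entry */`, since tnccs_msg.c uses it as an inclusive bound.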
@@ -0,0 +1,137 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_preferred_language_msg.h" + +#include + +typedef struct private_tnccs_preferred_language_msg_t private_tnccs_preferred_language_msg_t; + +/** + * Private data of a tnccs_preferred_language_msg_t object. + * + */ +struct private_tnccs_preferred_language_msg_t { + /** + * Public tnccs_preferred_language_msg_t interface. 
+ */ + tnccs_preferred_language_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Preferred language + */ + char *preferred_language; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_preferred_language_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_preferred_language_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_preferred_language_msg_t *this) +{ + free(this->preferred_language); + free(this); +} + +METHOD(tnccs_preferred_language_msg_t, get_preferred_language, char*, + private_tnccs_preferred_language_msg_t *this) +{ + return this->preferred_language; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_preferred_language_msg_t *this; + xmlChar *language; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_preferred_language = _get_preferred_language, + }, + .type = TNCCS_MSG_PREFERRED_LANGUAGE, + .node = node, + ); + + language = xmlNodeGetContent(node); + this->preferred_language = strdup((char*)language); + xmlFree(language); + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_preferred_language_msg_create(char *language) +{ + private_tnccs_preferred_language_msg_t *this; + xmlNodePtr n, n2; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_preferred_language = _get_preferred_language, + }, + .type = TNCCS_MSG_PREFERRED_LANGUAGE, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .preferred_language = strdup(language), + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + 
xmlNodeSetContent(n, BAD_CAST "00000003"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNodeSetContent(n2, BAD_CAST language); + xmlAddChild(n, n2); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h new file mode 100644 index 000000000..d301ab2bb --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_preferred_language_msg.h 
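Review bot: In `tnccs_preferred_language_msg_create_from_node`, `xmlNodeGetContent(node)` may return NULL (libxml2 does so on allocation failure and for some node kinds), and the result is passed straight to `strdup`, which is undefined behaviour on NULL. Suggest `this->preferred_language = strdup(language ? (char*)language : "");` or, better, treating a missing value as malformed and appending an error to `errors` the way `tnccs_recommendation_msg_create_from_node` does, since `errors` is currently unused here and the value comes from the peer. The `tnccs_preferred_language_msg_create(char *language)` constructor likewise calls `strdup(language)` with no NULL check; if `get_preferred_language` can return NULL, the same guard applies there.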
@@ -0,0 +1,64 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_preferred_language_msg tnccs_preferred_language_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_PREFERRED_LANGUAGE_MSG_H_ +#define TNCCS_PREFERRED_LANGUAGE_MSG_H_ + +typedef struct tnccs_preferred_language_msg_t tnccs_preferred_language_msg_t; + +#include "tnccs_msg.h" + +#include + +/** + * Class representing the TNCCS-PreferredLanguage message type + */ +struct tnccs_preferred_language_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get preferred language string + * + * @return preferred language string + */ + char* (*get_preferred_language)(tnccs_preferred_language_msg_t *this); +}; + +/** + * Create a TNCCS-PreferredLanguage message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_preferred_language_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-PreferredLanguage message from parameters + * + * @param language preferred language string + */ +tnccs_msg_t *tnccs_preferred_language_msg_create(char *language); + +#endif /** TNCCS_PREFERRED_LANGUAGE_MSG_H_ @}*/ 
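Review bot: `get_preferred_language` returns a `char*` without stating who owns it; the implementation returns the internal `preferred_language` buffer, which `destroy` frees, so callers must not free or retain it. Suggest `@return preferred language string (owned by the message, valid until destroy())` in place of the current `@return preferred language string`. Declaring the return type `const char*` would encode the same contract, if the callers permit.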
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c new file mode 100644 index 000000000..d4b5d9bf9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.c 
@@ -0,0 +1,149 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_reason_strings_msg.h" + +#include + +typedef struct private_tnccs_reason_strings_msg_t private_tnccs_reason_strings_msg_t; + +/** + * Private data of a tnccs_reason_strings_msg_t object. + * + */ +struct private_tnccs_reason_strings_msg_t { + /** + * Public tnccs_reason_strings_msg_t interface. + */ + tnccs_reason_strings_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Reason String + */ + chunk_t reason; + + /** + * Reason Language + */ + chunk_t language; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_reason_strings_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_reason_strings_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_reason_strings_msg_t *this) +{ + free(this->reason.ptr); + free(this->language.ptr); + free(this); +} + +METHOD(tnccs_reason_strings_msg_t, get_reason, chunk_t, + private_tnccs_reason_strings_msg_t *this, chunk_t *language) +{ + *language = this->language; + + return this->reason; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + 
private_tnccs_reason_strings_msg_t *this; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_reason = _get_reason, + }, + .type = TNCCS_MSG_REASON_STRINGS, + .node = node, + ); + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language) +{ + private_tnccs_reason_strings_msg_t *this; + xmlNodePtr n, n2, n3; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_reason = _get_reason, + }, + .type = TNCCS_MSG_REASON_STRINGS, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .reason = chunk_create_clone(malloc(reason.len + 1), reason), + .language = chunk_create_clone(malloc(language.len + 1), language), + ); + + /* add NULL termination for XML string representation */ + this->reason.ptr[this->reason.len] = '\0'; + this->language.ptr[this->language.len] = '\0'; + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000004"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + + /* could add multiple reasons here, if we had them */ + n3 = xmlNewNode(NULL, BAD_CAST "ReasonString"); + xmlNewProp(n3, BAD_CAST "xml:lang", BAD_CAST this->language.ptr); + xmlNodeSetContent(n3, BAD_CAST this->reason.ptr); + xmlAddChild(n2, n3); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h new file mode 100644 index 000000000..0046a5789 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_reason_strings_msg.h 
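Review bot: `tnccs_reason_strings_msg_create_from_node` never reads `node`: `reason` and `language` are left zero by INIT, so `get_reason` on a received TNCCS-ReasonStrings message yields empty chunks and the peer's content is silently dropped, while `errors` is unused. Either parse the `ReasonString` child element (its text content and `xml:lang` attribute) into the two chunks, appending a TNCCS-Error to `errors` when it is missing, or document the constructor as a placeholder with a comment such as `/* TODO: parse ReasonString children; received reasons are currently discarded */`. In `tnccs_reason_strings_msg_create`, the two `malloc(len + 1)` results are dereferenced without a check; if the project does not use an abort-on-OOM allocator, a check (or `chunk_clone` plus a separate terminator) is needed before the `'\0'` stores.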
@@ -0,0 +1,64 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_reason_strings_msg tnccs_reason_strings_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_REASON_STRINGS_MSG_H_ +#define TNCCS_REASON_STRINGS_MSG_H_ + +typedef struct tnccs_reason_strings_msg_t tnccs_reason_strings_msg_t; + +#include "tnccs_msg.h" + +/** + * Class representing the TNCCS-ReasonStrings message type + */ +struct tnccs_reason_strings_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get reason string and language + * + * @param language reason language + * @return reason string + */ + chunk_t (*get_reason)(tnccs_reason_strings_msg_t *this, chunk_t *language); +}; + +/** + * Create a TNCCS-ReasonStrings message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_reason_strings_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-ReasonStrings message from parameters + * + * @param reason reason string + * @param language reason language + */ +tnccs_msg_t *tnccs_reason_strings_msg_create(chunk_t reason, chunk_t language); + +#endif /** TNCCS_REASON_STRINGS_MSG_H_ @}*/ 
diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c new file mode 100644 index 000000000..adc7b54b9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.c 
@@ -0,0 +1,186 @@ +/* + * Copyright (C) 2006 Mike McCauley (mikem@open.com.au) + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_recommendation_msg.h" +#include "tnccs_error_msg.h" + +#include + +typedef struct private_tnccs_recommendation_msg_t private_tnccs_recommendation_msg_t; + +/** + * Private data of a tnccs_recommendation_msg_t object. + * + */ +struct private_tnccs_recommendation_msg_t { + /** + * Public tnccs_recommendation_msg_t interface. 
+ */ + tnccs_recommendation_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; + + /** + * Action Recommendation + */ + TNC_IMV_Action_Recommendation rec; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_recommendation_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_recommendation_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_recommendation_msg_t *this) +{ + free(this); +} + +METHOD(tnccs_recommendation_msg_t, get_recommendation, TNC_IMV_Action_Recommendation, + private_tnccs_recommendation_msg_t *this) +{ + return this->rec; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_recommendation_msg_t *this; + xmlChar *rec_string; + char *error_msg, buf[BUF_LEN]; + tnccs_error_type_t error_type = TNCCS_ERROR_MALFORMED_BATCH; + tnccs_msg_t *msg; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_recommendation = _get_recommendation, + }, + .type = TNCCS_MSG_RECOMMENDATION, + .node = node, + ); + + rec_string = xmlGetProp(node, (const xmlChar*)"type"); + if (!rec_string) + { + error_msg = "type property in TNCCS-Recommendation is missing"; + goto fatal; + } + else if (streq((char*)rec_string, "allow")) + { + this->rec = TNC_IMV_ACTION_RECOMMENDATION_ALLOW; + } + else if (streq((char*)rec_string, "isolate")) + { + this->rec = TNC_IMV_ACTION_RECOMMENDATION_ISOLATE; + } + else if (streq((char*)rec_string, "none")) + { + this->rec = TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS; + } + else + { + error_msg = buf; + snprintf(buf, BUF_LEN, "unsupported type property value '%s' " + "in TNCCS-Recommendation", rec_string); + xmlFree(rec_string); + goto fatal; + } + xmlFree(rec_string); + + return 
&this->public.tnccs_msg_interface; + +fatal: + msg = tnccs_error_msg_create(error_type, error_msg); + errors->insert_last(errors, msg); + _destroy(this); + return NULL; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec) +{ + private_tnccs_recommendation_msg_t *this; + xmlNodePtr n, n2; + char *rec_string; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + .get_recommendation = _get_recommendation, + }, + .type = TNCCS_MSG_RECOMMENDATION, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + .rec = rec, + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000001"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + rec_string = "allow"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + rec_string = "isolate"; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: + default: + rec_string = "none"; + } + + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNewProp(n2, BAD_CAST "type", BAD_CAST rec_string); + xmlNodeSetContent(n2, ""); + xmlAddChild(n, n2); + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h new file mode 100644 index 000000000..685049e95 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_recommendation_msg.h 
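Review bot: `xmlNodeSetContent(n2, "");` in `tnccs_recommendation_msg_create` passes a `char*` where every other libxml2 call in the file uses `BAD_CAST`; it should read `xmlNodeSetContent(n2, BAD_CAST "");` to avoid the pointer-type mismatch warning. The `switch` default that encodes `NO_RECOMMENDATION` as `"none"` deserves a why-comment, because the parsing side of this file maps `"none"` to `TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS`, so the choice is deliberately fail-closed: `/* no recommendation is sent as "none"; the peer decodes that as NO_ACCESS (fail closed) */`. On the parse side, the unsupported-value error text embeds the peer-supplied `type` attribute; it is bounded by `snprintf(buf, BUF_LEN, …)`, which is fine, but worth noting in a comment since the string is echoed back in a TNCCS-Error.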
@@ -0,0 +1,64 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_recommendation_msg tnccs_recommendation_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_RECOMMENDATION_MSG_H_ +#define TNCCS_RECOMMENDATION_MSG_H_ + +typedef struct tnccs_recommendation_msg_t tnccs_recommendation_msg_t; + +#include "tnccs_msg.h" + +#include + +/** + * Class representing the TNCCS-Recommendation message type + */ +struct tnccs_recommendation_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; + + /** + * Get Action Recommendation + * + * @return Action Recommendation + */ + TNC_IMV_Action_Recommendation (*get_recommendation)(tnccs_recommendation_msg_t *this); +}; + +/** + * Create a TNCCS-Recommendation message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_recommendation_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-Recommendation message from parameters + * + * @param rec Action Recommendation + */ +tnccs_msg_t *tnccs_recommendation_msg_create(TNC_IMV_Action_Recommendation rec); + +#endif /** TNCCS_RECOMMENDATION_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c new file mode 100644 index 000000000..b8aac30fa 
--- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.c 
@@ -0,0 +1,118 @@ +/* + * Copyright (C) 2010 Andreas Steffen, HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_tncs_contact_info_msg.h" + +#include + +typedef struct private_tnccs_tncs_contact_info_msg_t private_tnccs_tncs_contact_info_msg_t; + +/** + * Private data of a tnccs_tncs_contact_info_msg_t object. + * + */ +struct private_tnccs_tncs_contact_info_msg_t { + /** + * Public tnccs_tncs_contact_info_msg_t interface. + */ + tnccs_tncs_contact_info_msg_t public; + + /** + * TNCCS message type + */ + tnccs_msg_type_t type; + + /** + * XML-encoded message node + */ + xmlNodePtr node; +}; + +METHOD(tnccs_msg_t, get_type, tnccs_msg_type_t, + private_tnccs_tncs_contact_info_msg_t *this) +{ + return this->type; +} + +METHOD(tnccs_msg_t, get_node, xmlNodePtr, + private_tnccs_tncs_contact_info_msg_t *this) +{ + return this->node; +} + +METHOD(tnccs_msg_t, destroy, void, + private_tnccs_tncs_contact_info_msg_t *this) +{ + free(this); +} + +/** + * See header + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors) +{ + private_tnccs_tncs_contact_info_msg_t *this; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + }, + .type = TNCCS_MSG_TNCS_CONTACT_INFO, + .node = node, + ); + + return &this->public.tnccs_msg_interface; +} + +/** + * See header + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void) +{ + 
private_tnccs_tncs_contact_info_msg_t *this; + xmlNodePtr n /*, n2 */; + + INIT(this, + .public = { + .tnccs_msg_interface = { + .get_type = _get_type, + .get_node = _get_node, + .destroy = _destroy, + }, + }, + .type = TNCCS_MSG_TNCS_CONTACT_INFO, + .node = xmlNewNode(NULL, BAD_CAST "TNCC-TNCS-Message"), + ); + + /* add the message type number in hex */ + n = xmlNewNode(NULL, BAD_CAST "Type"); + xmlNodeSetContent(n, BAD_CAST "00000005"); + xmlAddChild(this->node, n); + + n = xmlNewNode(NULL, BAD_CAST "XML"); + xmlAddChild(this->node, n); + +/* TODO + n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); + xmlNodeSetContent(n2, BAD_CAST language); + xmlAddChild(n, n2); +*/ + + return &this->public.tnccs_msg_interface; +} diff --git a/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h new file mode 100644 index 000000000..8ed210a57 --- /dev/null +++ b/src/libcharon/plugins/tnccs_11/messages/tnccs_tncs_contact_info_msg.h 
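Review bot: The commented-out block in `tnccs_tncs_contact_info_msg_create` references a `language` variable that does not exist in this file, and leaving it means the emitted message contains an empty `XML` element with no `TNCCS-TNCSContactInfo` child. Either add the element now, `n2 = xmlNewNode(NULL, BAD_CAST enum_to_name(tnccs_msg_type_names, this->type)); xmlAddChild(n, n2);`, or replace the dead code and the `n /*, n2 */` declaration with a single `/* TODO: add TNCCS-TNCSContactInfo element */` so the file does not carry code that would not compile if uncommented.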
@@ -0,0 +1,54 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_tncs_contact_info_msg tnccs_tncs_contact_info_msg + * @{ @ingroup tnccs_11 + */ + +#ifndef TNCCS_TNCS_CONTACT_INFO_MSG_H_ +#define TNCCS_TNCS_CONTACT_INFO_MSG_H_ + +typedef struct tnccs_tncs_contact_info_msg_t tnccs_tncs_contact_info_msg_t; + +#include "tnccs_msg.h" + +/** + * Class representing the TNCCS-TNCSContactInfo message type + */ +struct tnccs_tncs_contact_info_msg_t { + + /** + * TNCCS Message interface + */ + tnccs_msg_t tnccs_msg_interface; +}; + +/** + * Create a TNCCS-TNCSContactInfo message from XML-encoded message node + * + * @param node XML-encoded message node + * @param errors linked list of TNCCS error messages + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create_from_node(xmlNodePtr node, + linked_list_t *errors); + +/** + * Create a TNCCS-TNCSContactInfo message from parameters + * + */ +tnccs_msg_t *tnccs_tncs_contact_info_msg_create(void); + +#endif /** TNCCS_TNCS_CONTACT_INFO_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_11/tnccs_11.c b/src/libcharon/plugins/tnccs_11/tnccs_11.c index 704bf64ed..2104bf401 100644 --- a/src/libcharon/plugins/tnccs_11/tnccs_11.c +++ b/src/libcharon/plugins/tnccs_11/tnccs_11.c 
@@ -14,81 +14,20 @@ */ #include "tnccs_11.h" - -#include -#include +#include "batch/tnccs_batch.h" +#include "messages/tnccs_msg.h" +#include "messages/imc_imv_msg.h" +#include "messages/tnccs_error_msg.h" +#include "messages/tnccs_preferred_language_msg.h" +#include "messages/tnccs_reason_strings_msg.h" +#include "messages/tnccs_recommendation_msg.h" #include #include - -#define TNC_SEND_BUFFER_SIZE 32 - -static chunk_t tnc_send_buffer[TNC_SEND_BUFFER_SIZE]; - -/** - * Buffers TNCCS batch to be sent (TODO make the buffer scalable) - */ -static TNC_Result buffer_batch(u_int32_t id, const char *data, size_t len) -{ - if (id >= TNC_SEND_BUFFER_SIZE) - { - DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be stored in " - "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); - return TNC_RESULT_FATAL; - } - if (tnc_send_buffer[id].ptr) - { - DBG1(DBG_TNC, "send buffer slot for Connection ID %u is already " - "occupied", id); - return TNC_RESULT_FATAL; - } - tnc_send_buffer[id] = chunk_alloc(len); - memcpy(tnc_send_buffer[id].ptr, data, len); - - return TNC_RESULT_SUCCESS; -} - -/** - * Retrieves TNCCS batch to be sent - */ -static bool retrieve_batch(u_int32_t id, chunk_t *batch) -{ - if (id >= TNC_SEND_BUFFER_SIZE) - { - DBG1(DBG_TNC, "TNCCS Batch for Connection ID %u cannot be retrieved from " - "send buffer with size %d", id, TNC_SEND_BUFFER_SIZE); - return FALSE; - } - - *batch = tnc_send_buffer[id]; - return TRUE; -} - -/** - * Frees TNCCS batch that was sent - */ -static void free_batch(u_int32_t id) -{ - if (id < TNC_SEND_BUFFER_SIZE) - { - chunk_free(&tnc_send_buffer[id]); - } -} - -/** - * Define callback functions called by the libtnc library - */ -TNC_Result TNC_TNCC_SendBatch(libtnc_tncc_connection* conn, - const char* messageBuffer, size_t messageLength) -{ - return buffer_batch(conn->connectionID, messageBuffer, messageLength); -} - -TNC_Result TNC_TNCS_SendBatch(libtnc_tncs_connection* conn, - const char* messageBuffer, size_t messageLength) -{ - 
return buffer_batch(conn->connectionID, messageBuffer, messageLength); -} +#include +#include +#include +#include typedef struct private_tnccs_11_t private_tnccs_11_t; 
@@ -108,116 +47,372 @@ struct private_tnccs_11_t { bool is_server; /** - * TNCC Connection to IMCs + * Connection ID assigned to this TNCCS connection + */ + TNC_ConnectionID connection_id; + + /** + * Last TNCCS batch ID + */ + int batch_id; + + /** + * TNCCS batch being constructed + */ + tnccs_batch_t *batch; + + /** + * Mutex locking the batch in construction */ - libtnc_tncc_connection* tncc_connection; + mutex_t *mutex; /** - * TNCS Connection to IMVs + * Flag set while processing */ - libtnc_tncs_connection* tncs_connection; + bool fatal_error; + + /** + * Flag set by TNCCS-Recommendation message + */ + bool delete_state; + + /** + * Flag set by IMC/IMV RequestHandshakeRetry() function + */ + bool request_handshake_retry; + + /** + * Set of IMV recommendations (TNC Server only) + */ + recommendations_t *recs; }; -METHOD(tls_t, process, status_t, - private_tnccs_11_t *this, void *buf, size_t buflen) +METHOD(tnccs_t, send_msg, void, + private_tnccs_11_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) { - u_int32_t conn_id; + tnccs_msg_t *tnccs_msg; - if (this->is_server && !this->tncs_connection) + tnccs_msg = imc_imv_msg_create(msg_type, chunk_create(msg, msg_len)); + + /* adding an IMC-IMV Message to TNCCS batch */ + this->mutex->lock(this->mutex); + if (!this->batch) { - this->tncs_connection = libtnc_tncs_CreateConnection(NULL); - if (!this->tncs_connection) + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); + } + this->batch->add_msg(this->batch, tnccs_msg); + this->mutex->unlock(this->mutex); +} + +/** + * Handle a single TNCCS message according to its type + */ +static void handle_message(private_tnccs_11_t *this, tnccs_msg_t *msg) +{ + switch (msg->get_type(msg)) + { + case IMC_IMV_MSG: { - DBG1(DBG_TNC, "TNCS CreateConnection failed"); - return FAILED; + imc_imv_msg_t *imc_imv_msg; + TNC_MessageType msg_type; + chunk_t msg_body; + + imc_imv_msg = 
(imc_imv_msg_t*)msg; + msg_type = imc_imv_msg->get_msg_type(imc_imv_msg); + msg_body = imc_imv_msg->get_msg_body(imc_imv_msg); + + DBG2(DBG_TNC, "handling IMC_IMV message type 0x%08x", msg_type); + + if (this->is_server) + { + charon->imvs->receive_message(charon->imvs, + this->connection_id, msg_body.ptr, msg_body.len, msg_type); + } + else + { + charon->imcs->receive_message(charon->imcs, + this->connection_id, msg_body.ptr, msg_body.len,msg_type); + } + break; + } + case TNCCS_MSG_RECOMMENDATION: + { + tnccs_recommendation_msg_t *rec_msg; + TNC_IMV_Action_Recommendation rec; + TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; + + rec_msg = (tnccs_recommendation_msg_t*)msg; + rec = rec_msg->get_recommendation(rec_msg); + if (this->is_server) + { + DBG1(DBG_TNC, "ignoring NCCS-Recommendation message from " + " TNC client"); + break; + } + DBG1(DBG_TNC, "TNC recommendation is '%N'", + TNC_IMV_Action_Recommendation_names, rec); + switch (rec) + { + case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; + break; + case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; + break; + case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: + default: + state = TNC_CONNECTION_STATE_ACCESS_NONE; + } + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, state); + this->delete_state = TRUE; + break; + } + case TNCCS_MSG_ERROR: + { + tnccs_error_msg_t *err_msg; + tnccs_error_type_t error_type; + char *error_msg; + + err_msg = (tnccs_error_msg_t*)msg; + error_msg = err_msg->get_message(err_msg, &error_type); + DBG1(DBG_TNC, "received '%N' TNCCS-Error: %s", + tnccs_error_type_names, error_type, error_msg); + + /* we assume that all errors are fatal */ + this->fatal_error = TRUE; + break; } - DBG1(DBG_TNC, "assigned TNCS Connection ID %u", - this->tncs_connection->connectionID); - if (libtnc_tncs_BeginSession(this->tncs_connection) != TNC_RESULT_SUCCESS) + case 
TNCCS_MSG_PREFERRED_LANGUAGE: + { + tnccs_preferred_language_msg_t *lang_msg; + char *lang; + + lang_msg = (tnccs_preferred_language_msg_t*)msg; + lang = lang_msg->get_preferred_language(lang_msg); + + DBG2(DBG_TNC, "setting preferred language to '%s'", lang); + this->recs->set_preferred_language(this->recs, + chunk_create(lang, strlen(lang))); + break; + } + case TNCCS_MSG_REASON_STRINGS: + { + tnccs_reason_strings_msg_t *reason_msg; + chunk_t reason_string, reason_lang; + + reason_msg = (tnccs_reason_strings_msg_t*)msg; + reason_string = reason_msg->get_reason(reason_msg, &reason_lang); + DBG2(DBG_TNC, "reason string is '%.*s", reason_string.len, + reason_string.ptr); + DBG2(DBG_TNC, "reason language is '%.*s", reason_lang.len, + reason_lang.ptr); + break; + } + default: + break; + } +} + +METHOD(tls_t, process, status_t, + private_tnccs_11_t *this, void *buf, size_t buflen) +{ + chunk_t data; + tnccs_batch_t *batch; + tnccs_msg_t *msg; + enumerator_t *enumerator; + status_t status; + + if (this->is_server && !this->connection_id) + { + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, &this->recs); + if (!this->connection_id) { - DBG1(DBG_TNC, "TNCS BeginSession failed"); return FAILED; } + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); } - conn_id = this->is_server ? 
this->tncs_connection->connectionID - : this->tncc_connection->connectionID; + data = chunk_create(buf, buflen); DBG1(DBG_TNC, "received TNCCS Batch (%u bytes) for Connection ID %u", - buflen, conn_id); - DBG3(DBG_TNC, "%.*s", buflen, buf); + data.len, this->connection_id); + DBG3(DBG_TNC, "%.*s", data.len, data.ptr); + batch = tnccs_batch_create_from_data(this->is_server, ++this->batch_id, data); + status = batch->process(batch); - if (this->is_server) + if (status == FAILED) { - if (libtnc_tncs_ReceiveBatch(this->tncs_connection, buf, buflen) != - TNC_RESULT_SUCCESS) + this->fatal_error = TRUE; + this->mutex->lock(this->mutex); + if (this->batch) { - DBG1(DBG_TNC, "TNCS ReceiveBatch failed"); - return FAILED; + DBG1(DBG_TNC, "cancelling TNCCS batch"); + this->batch->destroy(this->batch); + this->batch_id--; + } + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); + + /* add error messages to outbound batch */ + enumerator = batch->create_error_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + this->batch->add_msg(this->batch, msg->get_ref(msg)); } + enumerator->destroy(enumerator); + this->mutex->unlock(this->mutex); } else { - if (libtnc_tncc_ReceiveBatch(this->tncc_connection, buf, buflen) != - TNC_RESULT_SUCCESS) + enumerator = batch->create_msg_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) { - DBG1(DBG_TNC, "TNCC ReceiveBatch failed"); + handle_message(this, msg); + } + enumerator->destroy(enumerator); + + /* received any TNCCS-Error messages */ + if (this->fatal_error) + { + DBG1(DBG_TNC, "a fatal TNCCS-Error occurred, terminating connection"); + batch->destroy(batch); return FAILED; } + + if (this->is_server) + { + charon->imvs->batch_ending(charon->imvs, this->connection_id); + } + else + { + charon->imcs->batch_ending(charon->imcs, this->connection_id); + } } + batch->destroy(batch); + return NEED_MORE; } -METHOD(tls_t, build, status_t, - private_tnccs_11_t *this, void *buf, size_t *buflen, 
size_t *msglen) +/** + * Add a recommendation message if a final recommendation is available + */ +static void check_and_build_recommendation(private_tnccs_11_t *this) { - chunk_t batch; - u_int32_t conn_id; - size_t len; + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + TNC_IMVID id; + chunk_t reason, language; + enumerator_t *enumerator; + tnccs_msg_t *msg; - if (!this->is_server && !this->tncc_connection) + if (!this->recs->have_recommendation(this->recs, &rec, &eval)) + { + charon->imvs->solicit_recommendation(charon->imvs, this->connection_id); + } + if (this->recs->have_recommendation(this->recs, &rec, &eval)) { - this->tncc_connection = libtnc_tncc_CreateConnection(NULL); - if (!this->tncc_connection) + if (!this->batch) { - DBG1(DBG_TNC, "TNCC CreateConnection failed"); - return FAILED; + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); } - DBG1(DBG_TNC, "assigned TNCC Connection ID %u", - this->tncc_connection->connectionID); - if (libtnc_tncc_BeginSession(this->tncc_connection) != TNC_RESULT_SUCCESS) + + msg = tnccs_recommendation_msg_create(rec); + this->batch->add_msg(this->batch, msg); + + /* currently we just send the first Reason String */ + enumerator = this->recs->create_reason_enumerator(this->recs); + if (enumerator->enumerate(enumerator, &id, &reason, &language)) { - DBG1(DBG_TNC, "TNCC BeginSession failed"); - return FAILED; + msg = tnccs_reason_strings_msg_create(reason, language); + this->batch->add_msg(this->batch, msg); } + enumerator->destroy(enumerator); + + /* we have reache the final state */ + this->delete_state = TRUE; } - conn_id = this->is_server ? 
this->tncs_connection->connectionID - : this->tncc_connection->connectionID; - - if (!retrieve_batch(conn_id, &batch)) +} + +METHOD(tls_t, build, status_t, + private_tnccs_11_t *this, void *buf, size_t *buflen, size_t *msglen) +{ + status_t status; + + /* Initialize the connection */ + if (!this->is_server && !this->connection_id) { - return FAILED; + tnccs_msg_t *msg; + char *pref_lang; + + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, NULL); + if (!this->connection_id) + { + return FAILED; + } + + /* Create TNCCS-PreferredLanguage message */ + pref_lang = charon->imcs->get_preferred_language(charon->imcs); + msg = tnccs_preferred_language_msg_create(pref_lang); + this->mutex->lock(this->mutex); + this->batch = tnccs_batch_create(this->is_server, ++this->batch_id); + this->batch->add_msg(this->batch, msg); + this->mutex->unlock(this->mutex); + + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + charon->imcs->begin_handshake(charon->imcs, this->connection_id); } - len = *buflen; - len = min(len, batch.len); - *buflen = len; - if (msglen) + + /* Do not allow any asynchronous IMCs or IMVs to add additional messages */ + this->mutex->lock(this->mutex); + + if (this->is_server && !this->delete_state && + (!this->batch || this->fatal_error)) { - *msglen = batch.len; + check_and_build_recommendation(this); } - if (batch.len) + if (this->batch) { + chunk_t data; + + this->batch->build(this->batch); + data = this->batch->get_encoding(this->batch); DBG1(DBG_TNC, "sending TNCCS Batch (%d bytes) for Connection ID %u", - batch.len, conn_id); - DBG3(DBG_TNC, "%.*s", batch.len, batch.ptr); - memcpy(buf, batch.ptr, len); - free_batch(conn_id); - return ALREADY_DONE; + data.len, this->connection_id); + DBG3(DBG_TNC, "%.*s", 
data.len, data.ptr); + *msglen = data.len; + + if (data.len > *buflen) + { + DBG1(DBG_TNC, "fragmentation of TNCCS batch not supported yet"); + } + else + { + *buflen = data.len; + } + memcpy(buf, data.ptr, *buflen); + this->batch->destroy(this->batch); + this->batch = NULL; + status = ALREADY_DONE; } else { - return INVALID_STATE; + DBG1(DBG_TNC, "no TNCCS Batch to send"); + status = INVALID_STATE; } + this->mutex->unlock(this->mutex); + + return status; } METHOD(tls_t, is_server, bool, @@ -237,39 +432,14 @@ METHOD(tls_t, is_complete, bool, { TNC_IMV_Action_Recommendation rec; TNC_IMV_Evaluation_Result eval; - char *group; - identification_t *id; - ike_sa_t *ike_sa; - auth_cfg_t *auth; - - if (libtnc_tncs_HaveRecommendation(this->tncs_connection, &rec, &eval) == - TNC_RESULT_SUCCESS) + + if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval)) { - switch (rec) - { - case TNC_IMV_ACTION_RECOMMENDATION_ALLOW: - DBG1(DBG_TNC, "TNC recommendation is allow"); - group = "allow"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_ISOLATE: - DBG1(DBG_TNC, "TNC recommendation is isolate"); - group = "isolate"; - break; - case TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS: - case TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION: - default: - DBG1(DBG_TNC, "TNC recommendation is none"); - return FALSE; - } - ike_sa = charon->bus->get_sa(charon->bus); - if (ike_sa) - { - auth = ike_sa->get_auth_cfg(ike_sa, FALSE); - id = identification_create_from_string(group); - auth->add(auth, AUTH_RULE_GROUP, id); - DBG1(DBG_TNC, "added group membership '%s' based on TNC recommendation", group); - } - return TRUE; + DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'", + TNC_IMV_Action_Recommendation_names, rec, + TNC_IMV_Evaluation_Result_names, eval); + + return charon->imvs->enforce_recommendation(charon->imvs, rec); } else { 
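Review bot: The final access decision in the is_complete hunk is now logged only at DBG2, whereas the replaced switch logged "TNC recommendation is allow/isolate/none" at DBG1; since this is the point where the peer's access is decided, it is worth keeping at the default level for audit, e.g. `DBG1(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'", ...)`. Whether enforce_recommendation() logs the outcome itself at DBG1 cannot be seen from this chunk; if it does, a one-line comment saying so next to the call would settle the question. The `else` branch and the rest of is_complete continue outside the hunk.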
@@ -288,19 +458,17 @@ METHOD(tls_t, destroy, void, { if (this->is_server) { - if (this->tncs_connection) - { - libtnc_tncs_DeleteConnection(this->tncs_connection); - } + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_DELETE); } else { - if (this->tncc_connection) - { - libtnc_tncc_DeleteConnection(this->tncc_connection); - } - libtnc_tncc_Terminate(); + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_DELETE); } + charon->tnccs->remove_connection(charon->tnccs, this->connection_id); + this->mutex->destroy(this->mutex); + DESTROY_IF(this->batch); free(this); } @@ -322,6 +490,7 @@ tls_t *tnccs_11_create(bool is_server) .destroy = _destroy, }, .is_server = is_server, + .mutex = mutex_create(MUTEX_TYPE_DEFAULT), ); return &this->public; diff --git a/src/libcharon/plugins/tnccs_20/Makefile.am b/src/libcharon/plugins/tnccs_20/Makefile.am index 3018121e3..d72fd3e34 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.am +++ b/src/libcharon/plugins/tnccs_20/Makefile.am 
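Review bot: destroy() now sends the TNC_CONNECTION_STATE_DELETE notification and calls remove_connection() unconditionally, while the removed code only did so when a connection had actually been created (`if (this->tncc_connection)` / `if (this->tncs_connection)`). On the client path in build(), `this->connection_id` stays 0 when create_connection() fails or build() was never reached, so teardown would notify the IMCs and call remove_connection() for connection ID 0; the server-side assignment of connection_id is outside this chunk, so the same may apply there. Wrapping the notification and the remove_connection() call in `if (this->connection_id)` restores the previous guard. The mutex is destroyed before `DESTROY_IF(this->batch)`, which is fine here since nothing else can hold the object at that point, but a short comment noting that ordering would help the next reader.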
@@ -1,21 +1,28 @@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic -libstrongswan_tnccs_20_la_LIBADD = -ltnc - if MONOLITHIC noinst_LTLIBRARIES = libstrongswan-tnccs-20.la else plugin_LTLIBRARIES = libstrongswan-tnccs-20.la -libstrongswan_tnccs_20_la_LIBADD += $(top_builddir)/src/libtls/libtls.la +libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la endif libstrongswan_tnccs_20_la_SOURCES = \ - tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \ + batch/pb_tnc_batch.h batch/pb_tnc_batch.c \ + messages/pb_tnc_msg.h messages/pb_tnc_msg.c \ + messages/pb_experimental_msg.h messages/pb_experimental_msg.c \ + messages/pb_pa_msg.h messages/pb_pa_msg.c \ + messages/pb_assessment_result_msg.h messages/pb_assessment_result_msg.c \ + messages/pb_access_recommendation_msg.h messages/pb_access_recommendation_msg.c \ + messages/pb_error_msg.h messages/pb_error_msg.c \ + messages/pb_language_preference_msg.h messages/pb_language_preference_msg.c \ + messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \ + messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \ + state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version - diff --git a/src/libcharon/plugins/tnccs_20/Makefile.in b/src/libcharon/plugins/tnccs_20/Makefile.in index 6101f91df..9853be338 100644 --- a/src/libcharon/plugins/tnccs_20/Makefile.in +++ b/src/libcharon/plugins/tnccs_20/Makefile.in 
@@ -34,7 +34,6 @@ PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ -@MONOLITHIC_FALSE@am__append_1 = $(top_builddir)/src/libtls/libtls.la subdir = src/libcharon/plugins/tnccs_20 DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -75,8 +74,14 @@ am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(plugindir)" LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) -libstrongswan_tnccs_20_la_DEPENDENCIES = $(am__append_1) -am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo +@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_tnccs_20_la_OBJECTS = tnccs_20_plugin.lo tnccs_20.lo \ + pb_tnc_batch.lo pb_tnc_msg.lo pb_experimental_msg.lo \ + pb_pa_msg.lo pb_assessment_result_msg.lo \ + pb_access_recommendation_msg.lo pb_error_msg.lo \ + pb_language_preference_msg.lo pb_reason_string_msg.lo \ + pb_remediation_parameters_msg.lo pb_tnc_state_machine.lo libstrongswan_tnccs_20_la_OBJECTS = \ $(am_libstrongswan_tnccs_20_la_OBJECTS) libstrongswan_tnccs_20_la_LINK = $(LIBTOOL) --tag=CC \ @@ -223,9 +228,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +267,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -275,15 +280,25 @@ urandom_device = @urandom_device@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ - -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls \ - `xml2-config --cflags` + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls AM_CFLAGS = -rdynamic -libstrongswan_tnccs_20_la_LIBADD = -ltnc $(am__append_1) @MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-20.la @MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-20.la +@MONOLITHIC_FALSE@libstrongswan_tnccs_20_la_LIBADD = $(top_builddir)/src/libtls/libtls.la libstrongswan_tnccs_20_la_SOURCES = \ - tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c + tnccs_20_plugin.h tnccs_20_plugin.c tnccs_20.h tnccs_20.c \ + batch/pb_tnc_batch.h batch/pb_tnc_batch.c \ + messages/pb_tnc_msg.h messages/pb_tnc_msg.c \ + messages/pb_experimental_msg.h messages/pb_experimental_msg.c \ + messages/pb_pa_msg.h messages/pb_pa_msg.c \ + messages/pb_assessment_result_msg.h messages/pb_assessment_result_msg.c \ + messages/pb_access_recommendation_msg.h messages/pb_access_recommendation_msg.c \ + messages/pb_error_msg.h messages/pb_error_msg.c \ + messages/pb_language_preference_msg.h messages/pb_language_preference_msg.c \ + messages/pb_reason_string_msg.h messages/pb_reason_string_msg.c \ + messages/pb_remediation_parameters_msg.h messages/pb_remediation_parameters_msg.c \ + state_machine/pb_tnc_state_machine.h state_machine/pb_tnc_state_machine.c libstrongswan_tnccs_20_la_LDFLAGS = -module -avoid-version all: all-am 
@@ -369,6 +384,17 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_access_recommendation_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_assessment_result_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_error_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_experimental_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_language_preference_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_pa_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_reason_string_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_remediation_parameters_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_batch.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_msg.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pb_tnc_state_machine.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_20_plugin.Plo@am__quote@ 
@@ -393,6 +419,83 @@ distclean-compile: @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< +pb_tnc_batch.lo: batch/pb_tnc_batch.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_batch.lo -MD -MP -MF $(DEPDIR)/pb_tnc_batch.Tpo -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_batch.Tpo $(DEPDIR)/pb_tnc_batch.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='batch/pb_tnc_batch.c' object='pb_tnc_batch.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_batch.lo `test -f 'batch/pb_tnc_batch.c' || echo '$(srcdir)/'`batch/pb_tnc_batch.c + +pb_tnc_msg.lo: messages/pb_tnc_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_msg.lo -MD -MP -MF $(DEPDIR)/pb_tnc_msg.Tpo -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_msg.Tpo $(DEPDIR)/pb_tnc_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_tnc_msg.c' object='pb_tnc_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) 
$(CFLAGS) -c -o pb_tnc_msg.lo `test -f 'messages/pb_tnc_msg.c' || echo '$(srcdir)/'`messages/pb_tnc_msg.c + +pb_experimental_msg.lo: messages/pb_experimental_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_experimental_msg.lo -MD -MP -MF $(DEPDIR)/pb_experimental_msg.Tpo -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_experimental_msg.Tpo $(DEPDIR)/pb_experimental_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_experimental_msg.c' object='pb_experimental_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_experimental_msg.lo `test -f 'messages/pb_experimental_msg.c' || echo '$(srcdir)/'`messages/pb_experimental_msg.c + +pb_pa_msg.lo: messages/pb_pa_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_pa_msg.lo -MD -MP -MF $(DEPDIR)/pb_pa_msg.Tpo -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_pa_msg.Tpo $(DEPDIR)/pb_pa_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_pa_msg.c' object='pb_pa_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_pa_msg.lo `test -f 'messages/pb_pa_msg.c' || echo '$(srcdir)/'`messages/pb_pa_msg.c + +pb_assessment_result_msg.lo: messages/pb_assessment_result_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_assessment_result_msg.lo -MD -MP -MF $(DEPDIR)/pb_assessment_result_msg.Tpo -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_assessment_result_msg.Tpo $(DEPDIR)/pb_assessment_result_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_assessment_result_msg.c' object='pb_assessment_result_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_assessment_result_msg.lo `test -f 'messages/pb_assessment_result_msg.c' || echo '$(srcdir)/'`messages/pb_assessment_result_msg.c + +pb_access_recommendation_msg.lo: messages/pb_access_recommendation_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_access_recommendation_msg.lo -MD -MP -MF $(DEPDIR)/pb_access_recommendation_msg.Tpo -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_access_recommendation_msg.Tpo $(DEPDIR)/pb_access_recommendation_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ 
source='messages/pb_access_recommendation_msg.c' object='pb_access_recommendation_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_access_recommendation_msg.lo `test -f 'messages/pb_access_recommendation_msg.c' || echo '$(srcdir)/'`messages/pb_access_recommendation_msg.c + +pb_error_msg.lo: messages/pb_error_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_error_msg.lo -MD -MP -MF $(DEPDIR)/pb_error_msg.Tpo -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_error_msg.Tpo $(DEPDIR)/pb_error_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_error_msg.c' object='pb_error_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_error_msg.lo `test -f 'messages/pb_error_msg.c' || echo '$(srcdir)/'`messages/pb_error_msg.c + +pb_language_preference_msg.lo: messages/pb_language_preference_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_language_preference_msg.lo -MD -MP -MF $(DEPDIR)/pb_language_preference_msg.Tpo -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo 
'$(srcdir)/'`messages/pb_language_preference_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_language_preference_msg.Tpo $(DEPDIR)/pb_language_preference_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_language_preference_msg.c' object='pb_language_preference_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_language_preference_msg.lo `test -f 'messages/pb_language_preference_msg.c' || echo '$(srcdir)/'`messages/pb_language_preference_msg.c + +pb_reason_string_msg.lo: messages/pb_reason_string_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_reason_string_msg.lo -MD -MP -MF $(DEPDIR)/pb_reason_string_msg.Tpo -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_reason_string_msg.Tpo $(DEPDIR)/pb_reason_string_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_reason_string_msg.c' object='pb_reason_string_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_reason_string_msg.lo `test -f 'messages/pb_reason_string_msg.c' || echo '$(srcdir)/'`messages/pb_reason_string_msg.c + +pb_remediation_parameters_msg.lo: messages/pb_remediation_parameters_msg.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) 
--mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_remediation_parameters_msg.lo -MD -MP -MF $(DEPDIR)/pb_remediation_parameters_msg.Tpo -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_remediation_parameters_msg.Tpo $(DEPDIR)/pb_remediation_parameters_msg.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='messages/pb_remediation_parameters_msg.c' object='pb_remediation_parameters_msg.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_remediation_parameters_msg.lo `test -f 'messages/pb_remediation_parameters_msg.c' || echo '$(srcdir)/'`messages/pb_remediation_parameters_msg.c + +pb_tnc_state_machine.lo: state_machine/pb_tnc_state_machine.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT pb_tnc_state_machine.lo -MD -MP -MF $(DEPDIR)/pb_tnc_state_machine.Tpo -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/pb_tnc_state_machine.Tpo $(DEPDIR)/pb_tnc_state_machine.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='state_machine/pb_tnc_state_machine.c' object='pb_tnc_state_machine.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o pb_tnc_state_machine.lo `test -f 'state_machine/pb_tnc_state_machine.c' || echo '$(srcdir)/'`state_machine/pb_tnc_state_machine.c + mostlyclean-libtool: -rm -f *.lo diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c new file mode 100644 index 000000000..3f38543ed --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.c 
@@ -0,0 +1,543 @@ +/* + * Copyright (C) 2010 Sansar Choinyanbuu + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_tnc_batch.h" +#include "messages/pb_error_msg.h" +#include "state_machine/pb_tnc_state_machine.h" + +#include +#include +#include +#include +#include + +ENUM(pb_tnc_batch_type_names, PB_BATCH_CDATA, PB_BATCH_CLOSE, + "CDATA", + "SDATA", + "RESULT", + "CRETRY", + "SRETRY", + "CLOSE" +); + +typedef struct private_pb_tnc_batch_t private_pb_tnc_batch_t; + +/** + * PB-Batch Header (see section 4.1 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Version |D| Reserved | B-Type| + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Batch Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PB_TNC_BATCH_FLAG_NONE 0x00 +#define PB_TNC_BATCH_FLAG_D (1<<7) +#define PB_TNC_BATCH_HEADER_SIZE 8 + +/** + * PB-TNC Message (see section 4.2 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | PB-TNC Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PB-TNC Message Type | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PB-TNC Message 
Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PB-TNC Message Value (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PB_TNC_FLAG_NONE 0x00 +#define PB_TNC_FLAG_NOSKIP (1<<7) +#define PB_TNC_HEADER_SIZE 12 + +#define PB_TNC_RESERVED_MSG_TYPE 0xffffffff + +/** + * Private data of a pb_tnc_batch_t object. + * + */ +struct private_pb_tnc_batch_t { + /** + * Public pb_pa_msg_t interface. + */ + pb_tnc_batch_t public; + + /** + * TNCC if TRUE, TNCS if FALSE + */ + bool is_server; + + /** + * PB-TNC Batch type + */ + pb_tnc_batch_type_t type; + + /** + * linked list of PB-TNC messages + */ + linked_list_t *messages; + + /** + * linked list of PB-TNC error messages + */ + linked_list_t *errors; + + /** + * Encoded message + */ + chunk_t encoding; + + /** + * Offset into encoding (used for error reporting) + */ + u_int32_t offset; +}; + +METHOD(pb_tnc_batch_t, get_type, pb_tnc_batch_type_t, + private_pb_tnc_batch_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_batch_t, get_encoding, chunk_t, + private_pb_tnc_batch_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_batch_t, add_msg, void, + private_pb_tnc_batch_t *this, pb_tnc_msg_t* msg) +{ + DBG2(DBG_TNC, "adding %N message", pb_tnc_msg_type_names, + msg->get_type(msg)); + this->messages->insert_last(this->messages, msg); +} + +METHOD(pb_tnc_batch_t, build, void, + private_pb_tnc_batch_t *this) +{ + u_int32_t batch_len, msg_len; + chunk_t msg_value; + enumerator_t *enumerator; + pb_tnc_msg_type_t msg_type; + pb_tnc_msg_t *msg; + tls_writer_t *writer; + + /* compute total PB-TNC batch size by summing over all messages */ + batch_len = PB_TNC_BATCH_HEADER_SIZE; + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + msg->build(msg); + msg_value = msg->get_encoding(msg); + batch_len += PB_TNC_HEADER_SIZE + msg_value.len; + } + 
enumerator->destroy(enumerator); + + /* build PB-TNC batch header */ + writer = tls_writer_create(batch_len); + writer->write_uint8 (writer, PB_TNC_VERSION); + writer->write_uint8 (writer, this->is_server ? + PB_TNC_BATCH_FLAG_D : PB_TNC_BATCH_FLAG_NONE); + writer->write_uint16(writer, this->type); + writer->write_uint32(writer, batch_len); + + /* build PB-TNC messages */ + enumerator = this->messages->create_enumerator(this->messages); + while (enumerator->enumerate(enumerator, &msg)) + { + u_int8_t flags = PB_TNC_FLAG_NONE; + + /* build PB-TNC message */ + msg_value = msg->get_encoding(msg); + msg_len = PB_TNC_HEADER_SIZE + msg_value.len; + msg_type = msg->get_type(msg); + if (pb_tnc_msg_infos[msg_type].has_noskip_flag) + { + flags |= PB_TNC_FLAG_NOSKIP; + } + writer->write_uint8 (writer, flags); + writer->write_uint24(writer, IETF_VENDOR_ID); + writer->write_uint32(writer, msg_type); + writer->write_uint32(writer, msg_len); + writer->write_data (writer, msg_value); + } + enumerator->destroy(enumerator); + + this->encoding = chunk_clone(writer->get_buf(writer)); + writer->destroy(writer); +} + +static status_t process_batch_header(private_pb_tnc_batch_t *this, + pb_tnc_state_machine_t *state_machine) +{ + tls_reader_t *reader; + pb_tnc_msg_t *msg; + pb_error_msg_t *err_msg; + u_int8_t version, flags, reserved, type; + u_int32_t batch_len; + bool directionality; + + if (this->encoding.len < PB_TNC_BATCH_HEADER_SIZE) + { + DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC batch header", + this->encoding.len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 0); + goto fatal; + } + + reader = tls_reader_create(this->encoding); + reader->read_uint8 (reader, &version); + reader->read_uint8 (reader, &flags); + reader->read_uint8 (reader, &reserved); + reader->read_uint8 (reader, &type); + reader->read_uint32(reader, &batch_len); + reader->destroy(reader); + + /* Version */ + if (version != PB_TNC_VERSION) + { + 
DBG1(DBG_TNC, "unsupported TNCCS batch version 0x%01x", version); + msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID, + PB_ERROR_VERSION_NOT_SUPPORTED); + err_msg = (pb_error_msg_t*)msg; + err_msg->set_bad_version(err_msg, version); + goto fatal; + } + + /* Directionality */ + directionality = (flags & PB_TNC_BATCH_FLAG_D) != PB_TNC_BATCH_FLAG_NONE; + if (directionality == this->is_server) + { + DBG1(DBG_TNC, "wrong Directionality: batch is from a PB %s", + directionality ? "server" : "client"); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 1); + goto fatal; + } + + /* Batch Type */ + this->type = type & 0x0F; + if (this->type > PB_BATCH_ROOF) + { + DBG1(DBG_TNC, "unknown PB-TNC batch type: %d", this->type); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 3); + goto fatal; + } + + if (!state_machine->receive_batch(state_machine, this->type)) + { + DBG1(DBG_TNC, "unexpected PB-TNC batch type: %N", + pb_tnc_batch_type_names, this->type); + msg = pb_error_msg_create(TRUE, IETF_VENDOR_ID, + PB_ERROR_UNEXPECTED_BATCH_TYPE); + goto fatal; + } + + /* Batch Length */ + if (this->encoding.len != batch_len) + { + DBG1(DBG_TNC, "%u bytes of data is not equal to batch length of %u bytes", + this->encoding.len, batch_len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, 4); + goto fatal; + } + + this->offset = PB_TNC_BATCH_HEADER_SIZE; + return SUCCESS; + +fatal: + this->errors->insert_last(this->errors, msg); + return FAILED; +} + +static status_t process_tnc_msg(private_pb_tnc_batch_t *this) +{ + tls_reader_t *reader; + pb_tnc_msg_t *pb_tnc_msg, *msg; + u_int8_t flags; + u_int32_t vendor_id, msg_type, msg_len, offset; + chunk_t data, msg_value; + bool noskip_flag; + status_t status; + + data = chunk_skip(this->encoding, this->offset); + + if (data.len < PB_TNC_HEADER_SIZE) + { + DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message 
header", + data.len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + + reader = tls_reader_create(data); + reader->read_uint8 (reader, &flags); + reader->read_uint24(reader, &vendor_id); + reader->read_uint32(reader, &msg_type); + reader->read_uint32(reader, &msg_len); + reader->destroy(reader); + + noskip_flag = (flags & PB_TNC_FLAG_NOSKIP) != PB_TNC_FLAG_NONE; + + if (msg_len > data.len) + { + DBG1(DBG_TNC, "%u bytes insufficient to parse PB-TNC message", data.len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 8); + goto fatal; + } + + if (vendor_id == RESERVED_VENDOR_ID) + { + DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 1); + goto fatal; + + } + + if (msg_type == PB_TNC_RESERVED_MSG_TYPE) + { + DBG1(DBG_TNC, "PB-TNC message Type 0x%08x is reserved", + PB_TNC_RESERVED_MSG_TYPE); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 4); + goto fatal; + } + + + if (vendor_id != IETF_VENDOR_ID || msg_type > PB_MSG_ROOF) + { + if (msg_len < PB_TNC_HEADER_SIZE) + { + DBG1(DBG_TNC, "%u bytes too small for PB-TNC message length", + msg_len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset + 8); + goto fatal; + } + + if (noskip_flag) + { + DBG1(DBG_TNC, "reject PB-TNC message (Vendor ID 0x%06x / " + "Type 0x%08x)", vendor_id, msg_type); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_UNSUPPORTED_MANDATORY_MSG, this->offset); + goto fatal; + } + else + { + DBG1(DBG_TNC, "ignore PB-TNC message (Vendor ID 0x%06x / " + "Type 0x%08x)", vendor_id, msg_type); + this->offset += msg_len; + return SUCCESS; + } + } + else + { + if (pb_tnc_msg_infos[msg_type].has_noskip_flag != 
TRUE_OR_FALSE && + pb_tnc_msg_infos[msg_type].has_noskip_flag != noskip_flag) + { + DBG1(DBG_TNC, "%N message must%s have NOSKIP flag set", + pb_tnc_msg_type_names, msg_type, + pb_tnc_msg_infos[msg_type].has_noskip_flag ? "" : " not"); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + + if (msg_len < pb_tnc_msg_infos[msg_type].min_size || + (pb_tnc_msg_infos[msg_type].exact_size && + msg_len != pb_tnc_msg_infos[msg_type].min_size)) + { + DBG1(DBG_TNC, "%N message length must be %s %u bytes but is %u bytes", + pb_tnc_msg_type_names, msg_type, + pb_tnc_msg_infos[msg_type].exact_size ? "exactly" : "at least", + pb_tnc_msg_infos[msg_type].min_size, msg_len); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + } + + if (pb_tnc_msg_infos[msg_type].in_result_batch && + this->type != PB_BATCH_RESULT) + { + if (this->is_server) + { + DBG1(DBG_TNC,"reject %N message received from a PB-TNC client", + pb_tnc_msg_type_names, msg_type); + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + goto fatal; + } + else + { + DBG1(DBG_TNC,"ignore %N message not received within RESULT batch", + pb_tnc_msg_type_names, msg_type); + this->offset += msg_len; + return SUCCESS; + } + } + + DBG2(DBG_TNC, "processing %N message (%u bytes)", pb_tnc_msg_type_names, + msg_type, msg_len); + data.len = msg_len; + msg_value = chunk_skip(data, PB_TNC_HEADER_SIZE); + pb_tnc_msg = pb_tnc_msg_create_from_data(msg_type, msg_value); + + status = pb_tnc_msg->process(pb_tnc_msg, &offset); + if (status == FAILED || status == VERIFY_ERROR) + { + msg = pb_error_msg_create_with_offset(TRUE, IETF_VENDOR_ID, + PB_ERROR_INVALID_PARAMETER, this->offset); + this->errors->insert_last(this->errors, msg); + } + if (status == FAILED) + { + pb_tnc_msg->destroy(pb_tnc_msg); + return FAILED; + } + 
this->messages->insert_last(this->messages, pb_tnc_msg); + this->offset += msg_len; + return status; + +fatal: + this->errors->insert_last(this->errors, msg); + return FAILED; +} + +METHOD(pb_tnc_batch_t, process, status_t, + private_pb_tnc_batch_t *this, pb_tnc_state_machine_t *state_machine) +{ + status_t status; + + status = process_batch_header(this, state_machine); + if (status != SUCCESS) + { + return FAILED; + } + DBG1(DBG_TNC, "processing PB-TNC %N batch", pb_tnc_batch_type_names, + this->type); + while (this->offset < this->encoding.len) + { + switch (process_tnc_msg(this)) + { + case FAILED: + return FAILED; + case VERIFY_ERROR: + status = VERIFY_ERROR; + break; + case SUCCESS: + default: + break; + } + } + return status; +} + +METHOD(pb_tnc_batch_t, create_msg_enumerator, enumerator_t*, + private_pb_tnc_batch_t *this) +{ + return this->messages->create_enumerator(this->messages); +} + +METHOD(pb_tnc_batch_t, create_error_enumerator, enumerator_t*, + private_pb_tnc_batch_t *this) +{ + return this->errors->create_enumerator(this->errors); +} + +METHOD(pb_tnc_batch_t, destroy, void, + private_pb_tnc_batch_t *this) +{ + this->messages->destroy_offset(this->messages, + offsetof(pb_tnc_msg_t, destroy)); + this->errors->destroy_offset(this->errors, + offsetof(pb_tnc_msg_t, destroy)); + free(this->encoding.ptr); + free(this); +} + +/** + * See header + */ +pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type) +{ + private_pb_tnc_batch_t *this; + + INIT(this, + .public = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .add_msg = _add_msg, + .build = _build, + .process = _process, + .create_msg_enumerator = _create_msg_enumerator, + .create_error_enumerator = _create_error_enumerator, + .destroy = _destroy, + }, + .is_server = is_server, + .type = type, + .messages = linked_list_create(), + .errors = linked_list_create(), + ); + + DBG2(DBG_TNC, "creating PB-TNC %N batch", pb_tnc_batch_type_names, type); + + return 
&this->public;
+}
+
+/**
+ * See header
+ */
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data)
+{
+ private_pb_tnc_batch_t *this;
+
+ INIT(this,
+ .public = {
+ .get_type = _get_type,
+ .get_encoding = _get_encoding,
+ .add_msg = _add_msg,
+ .build = _build,
+ .process = _process,
+ .create_msg_enumerator = _create_msg_enumerator,
+ .create_error_enumerator = _create_error_enumerator,
+ .destroy = _destroy,
+ },
+ .is_server = is_server,
+ .messages = linked_list_create(),
+ .errors = linked_list_create(),
+ .encoding = chunk_clone(data),
+ );
+
+ return &this->public;
+}
+
diff --git a/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
new file mode 100644
index 000000000..17e5fff4c
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/batch/pb_tnc_batch.h
@@ -0,0 +1,126 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_tnc_batch pb_tnc_batch
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_TNC_BATCH_H_
+#define PB_TNC_BATCH_H_
+
+typedef enum pb_tnc_batch_type_t pb_tnc_batch_type_t;
+typedef struct pb_tnc_batch_t pb_tnc_batch_t;
+
+#include "messages/pb_tnc_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
+
+#include
+
+/**
+ * PB-TNC Batch Types as defined in section 4.1 of RFC 5793
+ */
+enum pb_tnc_batch_type_t {
+ PB_BATCH_CDATA = 1,
+ PB_BATCH_SDATA = 2,
+ PB_BATCH_RESULT = 3,
+ PB_BATCH_CRETRY = 4,
+ PB_BATCH_SRETRY = 5,
+ PB_BATCH_CLOSE = 6,
+ PB_BATCH_ROOF = 6
+};
+
+/**
+ * enum name for pb_tnc_batch_type_t.
+ */
+extern enum_name_t *pb_tnc_batch_type_names;
+
+/**
+ * Interface for all PB-TNC Batch Types.
+ */
+struct pb_tnc_batch_t {
+
+ /**
+ * Get the PB-TNC Message Type
+ *
+ * @return PB-TNC batch type
+ */
+ pb_tnc_batch_type_t (*get_type)(pb_tnc_batch_t *this);
+
+ /**
+ * Get the encoding of the PB-TNC Batch
+ *
+ * @return encoded PB-TNC batch
+ */
+ chunk_t (*get_encoding)(pb_tnc_batch_t *this);
+
+ /**
+ * Add a PB-TNC Message
+ *
+ * @param msg PB-TNC message to be addedd
+ */
+ void (*add_msg)(pb_tnc_batch_t *this, pb_tnc_msg_t* msg);
+
+ /**
+ * Build the PB-TNC Batch
+ */
+ void (*build)(pb_tnc_batch_t *this);
+
+ /**
+ * Process the PB-TNC Batch
+ *
+ * @param PB-TNC state machine
+ * @return return processing status
+ */
+ status_t (*process)(pb_tnc_batch_t *this,
+ pb_tnc_state_machine_t *state_machine);
+
+ /**
+ * Enumerates over all PB-TNC Messages
+ *
+ * @return return message enumerator
+ */
+ enumerator_t* (*create_msg_enumerator)(pb_tnc_batch_t *this);
+
+ /**
+ * Enumerates over all parsing errors
+ *
+ * @return return error enumerator
+ */
+ enumerator_t* (*create_error_enumerator)(pb_tnc_batch_t *this);
+
+ /**
+ * Destroys a pb_tnc_batch_t object.
+ */
+ void (*destroy)(pb_tnc_batch_t *this);
+};
+
+/**
+ * Create an empty PB-TNC Batch of a given type
+ *
+ * @param is_server TRUE if server, FALSE if client
+ * @param type PB-TNC batch type
+ */
+pb_tnc_batch_t* pb_tnc_batch_create(bool is_server, pb_tnc_batch_type_t type);
+
+/**
+ * Create an unprocessed PB-TNC Batch from data
+ *
+ * @param is_server TRUE if server, FALSE if client
+ * @param data encoded PB-TNC batch
+ */
+pb_tnc_batch_t* pb_tnc_batch_create_from_data(bool is_server, chunk_t data);
+
+#endif /** PB_TNC_BATCH_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
new file mode 100644
index 000000000..41b9e31f6
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.c
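Review bot: The doc comment on `get_type` says `Get the PB-TNC Message Type` although the method returns a `pb_tnc_batch_type_t`; suggest `Get the PB-TNC Batch Type`. The `process` comment has a nameless parameter, `@param PB-TNC state machine`, which Doxygen will attribute to a parameter called `PB-TNC`; suggest `@param state_machine  PB-TNC state machine`. Smaller nits in the same struct: `to be addedd` should be `to be added`, and the `@return return processing status` / `@return return message enumerator` lines repeat the word "return".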
@@ -0,0 +1,180 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_access_recommendation_msg.h" + +#include +#include +#include + +ENUM(pb_access_recommendation_code_names, PB_REC_ACCESS_ALLOWED, PB_REC_QUARANTINED, + "Access Allowed", + "Access Denied", + "Quarantined" +); + +typedef struct private_pb_access_recommendation_msg_t private_pb_access_recommendation_msg_t; + +/** + * PB-Access-Recommendation message (see section 4.7 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reserved | Access Recommendation Code | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ACCESS_RECOMMENDATION_RESERVED 0x0000 +#define ACCESS_RECOMMENDATION_MSG_SIZE 4 +/** + * Private data of a pb_access_recommendation_msg_t object. + * + */ +struct private_pb_access_recommendation_msg_t { + /** + * Public pb_access_recommendation_msg_t interface. 
+ */ + pb_access_recommendation_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Access recommendation code + */ + u_int16_t recommendation; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_access_recommendation_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_access_recommendation_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_access_recommendation_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(ACCESS_RECOMMENDATION_MSG_SIZE); + writer->write_uint16(writer, ACCESS_RECOMMENDATION_RESERVED); + writer->write_uint16(writer, this->recommendation); + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_access_recommendation_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + u_int16_t reserved; + + /* process message */ + reader = tls_reader_create(this->encoding); + reader->read_uint16(reader, &reserved); + reader->read_uint16(reader, &this->recommendation); + reader->destroy(reader); + + if (this->recommendation < PB_REC_ACCESS_ALLOWED || + this->recommendation > PB_REC_QUARANTINED) + { + DBG1(DBG_TNC, "invalid access recommendation code (%u)", + this->recommendation); + *offset = 2; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_access_recommendation_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +METHOD(pb_access_recommendation_msg_t, get_access_recommendation, u_int16_t, + private_pb_access_recommendation_msg_t *this) +{ + return this->recommendation; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_access_recommendation_msg_create_from_data(chunk_t data) +{ + 
private_pb_access_recommendation_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_access_recommendation = _get_access_recommendation, + }, + .type = PB_MSG_ACCESS_RECOMMENDATION, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_access_recommendation_msg_create(u_int16_t recommendation) +{ + private_pb_access_recommendation_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_access_recommendation = _get_access_recommendation, + }, + .type = PB_MSG_ACCESS_RECOMMENDATION, + .recommendation = recommendation, + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h new file mode 100644 index 000000000..01b83cfd7 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_access_recommendation_msg.h 
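Review bot: `process` reads four bytes from `this->encoding` through `read_uint16` without first checking `this->encoding.len`, whereas `process` in the pb_error_msg.c hunk of this commit rejects an encoding shorter than its header size before creating the reader; the `read_uint16` return values are discarded here, so a short buffer would go unnoticed unless the reader itself guards it. Messages that arrive through pb_tnc_batch.c are presumably covered, since it checks `msg_len` against `pb_tnc_msg_infos[msg_type].min_size` before constructing the message, but `pb_access_recommendation_msg_create_from_data` is a public constructor and the check is cheap. Suggest mirroring pb_error_msg.c at the top of `process`: `if (this->encoding.len < ACCESS_RECOMMENDATION_MSG_SIZE) { DBG1(DBG_TNC, "%N message is shorter than %u bytes", pb_tnc_msg_type_names, PB_MSG_ACCESS_RECOMMENDATION, ACCESS_RECOMMENDATION_MSG_SIZE); *offset = 0; return FAILED; }`. The same applies to `process` in the pb_assessment_result_msg.c hunk, with `ASSESSMENT_RESULT_MSG_SIZE` and `PB_MSG_ASSESSMENT_RESULT`.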
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_access_recommendation_msg pb_access_recommendation_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_ACCESS_RECOMMENDATION_MSG_H_
+#define PB_ACCESS_RECOMMENDATION_MSG_H_
+
+typedef enum pb_access_recommendation_code_t pb_access_recommendation_code_t;
+typedef struct pb_access_recommendation_msg_t pb_access_recommendation_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * PB Access Recommendation Codes as defined in section 4.7 of RFC 5793
+ */
+enum pb_access_recommendation_code_t {
+ PB_REC_ACCESS_ALLOWED = 1,
+ PB_REC_ACCESS_DENIED = 2,
+ PB_REC_QUARANTINED = 3,
+};
+
+/**
+ * enum name for pb_access_recommendation_code_t.
+ */
+extern enum_name_t *pb_access_recommendation_code_names;
+
+
+/**
+ * Class representing the PB-Access-Recommendation message type.
+ */
+struct pb_access_recommendation_msg_t {
+
+ /**
+ * PB-TNC Message interface
+ */
+ pb_tnc_msg_t pb_interface;
+
+ /**
+ * Get PB Access Recommendation
+ *
+ * @return PB Access Recommendation
+ */
+ u_int16_t (*get_access_recommendation)(pb_access_recommendation_msg_t *this);
+};
+
+/**
+ * Create a PB-Access-Recommendation message from parameters
+ *
+ * @param recommendation Access Recommendation code
+ */
+pb_tnc_msg_t* pb_access_recommendation_msg_create(u_int16_t recommendation);
+
+/**
+ * Create an unprocessed PB-Access-Recommendation message from raw data
+ *
+ * @param data PB-Access-Recommendation message data
+ */
+pb_tnc_msg_t* pb_access_recommendation_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
new file mode 100644
index 000000000..c91e54176
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.c
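Review bot: The closing guard comment `#endif /** PB_PA_MSG_H_ @}*/` names a different include guard than the one this file opens, `PB_ACCESS_RECOMMENDATION_MSG_H_`, which looks like a leftover from whichever message header it was copied from. Suggest `#endif /** PB_ACCESS_RECOMMENDATION_MSG_H_ @}*/`. The same mismatch is in the pb_assessment_result_msg.h hunk (guard `PB_ASSESSMENT_RESULT_MSG_H_`) and the pb_error_msg.h hunk (guard `PB_ERROR_MSG_H_`) of this commit; the pb_tnc_batch.h hunk has it right.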
@@ -0,0 +1,172 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_assessment_result_msg.h" + +#include +#include +#include +#include + +typedef struct private_pb_assessment_result_msg_t private_pb_assessment_result_msg_t; + +/** + * PB-Assessment-Result message (see section 4.6 of RFC 5793) + * + * 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Assessment Result | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ASSESSMENT_RESULT_MSG_SIZE 4 + +/** + * Private data of a pb_assessment_result_msg_t object. + * + */ +struct private_pb_assessment_result_msg_t { + /** + * Public pb_assessment_result_msg_t interface. 
+ */ + pb_assessment_result_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Assessment result code + */ + u_int32_t assessment_result; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_assessment_result_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_assessment_result_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_assessment_result_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(ASSESSMENT_RESULT_MSG_SIZE); + writer->write_uint32(writer, this->assessment_result); + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_assessment_result_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + + /* process message */ + reader = tls_reader_create(this->encoding); + reader->read_uint32(reader, &this->assessment_result); + reader->destroy(reader); + + if (this->assessment_result < TNC_IMV_EVALUATION_RESULT_COMPLIANT || + this->assessment_result > TNC_IMV_EVALUATION_RESULT_DONT_KNOW) + { + DBG1(DBG_TNC, "invalid assessment result (%u)", + this->assessment_result); + *offset = 0; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_assessment_result_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +METHOD(pb_assessment_result_msg_t, get_assessment_result, u_int32_t, + private_pb_assessment_result_msg_t *this) +{ + return this->assessment_result; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_assessment_result_msg_create_from_data(chunk_t data) +{ + private_pb_assessment_result_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = 
_build, + .process = _process, + .destroy = _destroy, + }, + .get_assessment_result = _get_assessment_result, + }, + .type = PB_MSG_ASSESSMENT_RESULT, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_assessment_result_msg_create(u_int32_t assessment_result) +{ + private_pb_assessment_result_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_assessment_result = _get_assessment_result, + }, + .type = PB_MSG_ASSESSMENT_RESULT, + .assessment_result = assessment_result, + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h new file mode 100644 index 000000000..d2b005114 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_assessment_result_msg.h 
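Review bot: The bit ruler at the top of the PB-Assessment-Result diagram in the file comment reads `1 2 3`, dropping the leading `0` that the same diagram in the pb_access_recommendation_msg.c hunk carries (`0 1 2 3`). Suggest restoring it so the byte labels match the sibling file and the figures in RFC 5793 the comment refers to.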
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) 2010 Sansar Choinyambuu
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup pb_assessment_result_msg pb_assessment_result_msg
+ * @{ @ingroup tnccs_20
+ */
+
+#ifndef PB_ASSESSMENT_RESULT_MSG_H_
+#define PB_ASSESSMENT_RESULT_MSG_H_
+
+typedef struct pb_assessment_result_msg_t pb_assessment_result_msg_t;
+
+#include "pb_tnc_msg.h"
+
+/**
+ * Class representing the PB-Assessment-Result message type.
+ */
+struct pb_assessment_result_msg_t {
+
+ /**
+ * PB-TNC Message interface
+ */
+ pb_tnc_msg_t pb_interface;
+
+ /**
+ * Get PB Assessment result
+ *
+ * @return PB Assessment result
+ */
+ u_int32_t (*get_assessment_result)(pb_assessment_result_msg_t *this);
+};
+
+/**
+ * Create a PB-Assessment-Result message from parameters
+ *
+ * @param assessment_result Assessment result code
+ */
+pb_tnc_msg_t* pb_assessment_result_msg_create(u_int32_t assessment_result);
+
+/**
+ * Create an unprocessed PB-Assessment-Result message from raw data
+ *
+ * @param data PB-Assessment-Result message data
+ */
+pb_tnc_msg_t* pb_assessment_result_msg_create_from_data(chunk_t data);
+
+#endif /** PB_PA_MSG_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
new file mode 100644
index 000000000..e1755c512
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.c
@@ -0,0 +1,346 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_error_msg.h" + +#include +#include +#include +#include + +ENUM(pb_tnc_error_code_names, PB_ERROR_UNEXPECTED_BATCH_TYPE, + PB_ERROR_VERSION_NOT_SUPPORTED, + "Unexpected Batch Type", + "Invalid Parameter", + "Local Error", + "Unsupported Mandatory Message", + "Version Not Supported" +); + +typedef struct private_pb_error_msg_t private_pb_error_msg_t; + +/** + * PB-Error message (see section 4.9 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | Error Code Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Error Code | Reserved | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Error Parameters (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define ERROR_FLAG_NONE 0x00 +#define ERROR_FLAG_FATAL (1<<7) +#define ERROR_RESERVED 0x0000 +#define ERROR_HEADER_SIZE 8 + +/** + * Private data of a pb_error_msg_t object. + * + */ +struct private_pb_error_msg_t { + /** + * Public pb_error_msg_t interface. 
+ */ + pb_error_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Fatal flag + */ + bool fatal; + + /** + * PB Error Code Vendor ID + */ + u_int32_t vendor_id; + + /** + * PB Error Code + */ + u_int16_t error_code; + + /** + * PB Error Offset + */ + u_int32_t error_offset; + + /** + * Bad PB-TNC version received + */ + u_int8_t bad_version; + + /** + * Encoded message + */ + chunk_t encoding; + + /** + * reference count + */ + refcount_t ref; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_error_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_error_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_error_msg_t *this) +{ + tls_writer_t *writer; + + /* build message header */ + writer = tls_writer_create(ERROR_HEADER_SIZE); + writer->write_uint8 (writer, this->fatal ? + ERROR_FLAG_FATAL : ERROR_FLAG_NONE); + writer->write_uint24(writer, this->vendor_id); + writer->write_uint16(writer, this->error_code); + writer->write_uint16(writer, ERROR_RESERVED); + + /* build message body */ + if (this->error_code == PB_ERROR_VERSION_NOT_SUPPORTED) + { + /* Bad version */ + writer->write_uint8(writer, this->bad_version); + writer->write_uint8(writer, PB_TNC_VERSION); /* Max version */ + writer->write_uint8(writer, PB_TNC_VERSION); /* Min version */ + writer->write_uint8(writer, 0x00); /* Reserved */ + } + else + { + /* Error Offset */ + writer->write_uint32(writer, this->error_offset); + } + + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_error_msg_t *this, u_int32_t *offset) +{ + u_int8_t flags, max_version, min_version; + u_int16_t reserved; + tls_reader_t *reader; + + if (this->encoding.len < ERROR_HEADER_SIZE) + { + DBG1(DBG_TNC,"%N message is shorter than header size 
of %u bytes", + pb_tnc_msg_type_names, PB_MSG_ERROR, ERROR_HEADER_SIZE); + return FAILED; + } + + /* process message header */ + reader = tls_reader_create(this->encoding); + reader->read_uint8 (reader, &flags); + reader->read_uint24(reader, &this->vendor_id); + reader->read_uint16(reader, &this->error_code); + reader->read_uint16(reader, &reserved); + this->fatal = (flags & ERROR_FLAG_FATAL) != ERROR_FLAG_NONE; + + if (this->vendor_id == IETF_VENDOR_ID && reader->remaining(reader) == 4) + { + if (this->error_code == PB_ERROR_VERSION_NOT_SUPPORTED) + { + reader->read_uint8(reader, &this->bad_version); + reader->read_uint8(reader, &max_version); + reader->read_uint8(reader, &min_version); + } + else + { + reader->read_uint32(reader, &this->error_offset); + } + } + reader->destroy(reader); + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, get_ref, pb_tnc_msg_t*, + private_pb_error_msg_t *this) +{ + ref_get(&this->ref); + return &this->public.pb_interface; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_error_msg_t *this) +{ + if (ref_put(&this->ref)) + { + free(this->encoding.ptr); + free(this); + } +} + +METHOD(pb_error_msg_t, get_fatal_flag, bool, + private_pb_error_msg_t *this) +{ + return this->fatal; +} + +METHOD(pb_error_msg_t, get_vendor_id, u_int32_t, + private_pb_error_msg_t *this) +{ + return this->vendor_id; +} + +METHOD(pb_error_msg_t, get_error_code, u_int16_t, + private_pb_error_msg_t *this) +{ + return this->error_code; +} + +METHOD(pb_error_msg_t, get_offset, u_int32_t, + private_pb_error_msg_t *this) +{ + return this->error_offset; +} + +METHOD(pb_error_msg_t, get_bad_version, u_int8_t, + private_pb_error_msg_t *this) +{ + return this->bad_version; +} + +METHOD(pb_error_msg_t, set_bad_version, void, + private_pb_error_msg_t *this, u_int8_t version) +{ + this->bad_version = version; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_error_msg_create(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code) +{ + private_pb_error_msg_t *this; 
+ + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_fatal_flag = _get_fatal_flag, + .get_vendor_id = _get_vendor_id, + .get_error_code = _get_error_code, + .get_offset = _get_offset, + .get_bad_version = _get_bad_version, + .set_bad_version = _set_bad_version, + }, + .type = PB_MSG_ERROR, + .ref = 1, + .fatal = fatal, + .vendor_id = vendor_id, + .error_code = error_code, + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_error_msg_create_with_offset(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code, + u_int32_t error_offset) +{ + private_pb_error_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_fatal_flag = _get_fatal_flag, + .get_vendor_id = _get_vendor_id, + .get_error_code = _get_error_code, + .get_offset = _get_offset, + .get_bad_version = _get_bad_version, + .set_bad_version = _set_bad_version, + }, + .type = PB_MSG_ERROR, + .ref = 1, + .fatal = fatal, + .vendor_id = vendor_id, + .error_code = error_code, + .error_offset = error_offset, + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_error_msg_create_from_data(chunk_t data) +{ + private_pb_error_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_fatal_flag = _get_fatal_flag, + .get_vendor_id = _get_vendor_id, + .get_error_code = _get_error_code, + .get_offset = _get_offset, + .get_bad_version = _get_bad_version, + .set_bad_version = _set_bad_version, + }, + .type = PB_MSG_ERROR, + .ref = 1, + .encoding = chunk_clone(data), + 
);
+
+ return &this->public.pb_interface;
+}
+
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h
new file mode 100644
index 000000000..8b92742b5
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_error_msg.h
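Review bot: `process` reads the Max Version and Min Version bytes of a Version Not Supported error into the locals `max_version` and `min_version` and then never uses them, and no getter on `pb_error_msg_t` exposes them; either keep them in the private struct with accessors, or replace the two reads with a comment such as `/* Max/Min version are informational only and not kept */` and skip the bytes. `process` also returns SUCCESS unconditionally and never writes `*offset`: when `reader->remaining(reader)` is not 4 the error body is silently ignored and `error_offset`/`bad_version` stay at whatever INIT left them (presumably zero), so a DBG1 line in that case would at least make a truncated or oversized PB-Error body visible in the log. As in the other message hunks of this commit, the return values of the `read_*` calls are discarded.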
@@ -0,0 +1,127 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_error_msg pb_error_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_ERROR_MSG_H_ +#define PB_ERROR_MSG_H_ + +typedef enum pb_tnc_error_code_t pb_tnc_error_code_t; +typedef struct pb_error_msg_t pb_error_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PB-TNC Error Codes as defined in section 4.9.1 of RFC 5793 + */ +enum pb_tnc_error_code_t { + PB_ERROR_UNEXPECTED_BATCH_TYPE = 0, + PB_ERROR_INVALID_PARAMETER = 1, + PB_ERROR_LOCAL_ERROR = 2, + PB_ERROR_UNSUPPORTED_MANDATORY_MSG = 3, + PB_ERROR_VERSION_NOT_SUPPORTED = 4 +}; + +/** + * enum name for pb_tnc_error_code_t. + */ +extern enum_name_t *pb_tnc_error_code_names; + +/** + * Class representing the PB-Error message type. 
+ */ +struct pb_error_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get the fatal flag + * + * @return fatal flag + */ + bool (*get_fatal_flag)(pb_error_msg_t *this); + + /** + * Get PB Error code Vendor ID + * + * @return PB Error Code Vendor ID + */ + u_int32_t (*get_vendor_id)(pb_error_msg_t *this); + + /** + * Get PB Error Code + * + * @return PB Error Code + */ + u_int16_t (*get_error_code)(pb_error_msg_t *this); + + /** + * Get the PB Error Offset + * + * @return PB Error Offset + */ + u_int32_t (*get_offset)(pb_error_msg_t *this); + + /** + * Get the PB Bad Version + * + * @return PB Bad Version + */ + u_int8_t (*get_bad_version)(pb_error_msg_t *this); + + /** + * Set the PB Bad Version + * + * @param version PB Bad Version + */ + void (*set_bad_version)(pb_error_msg_t *this, u_int8_t version); +}; + +/** + * Create a PB-Error message from parameters + * + * @param fatal fatal flag + * @param vendor_id Error Code Vendor ID + * @param error_code Error Code + */ +pb_tnc_msg_t* pb_error_msg_create(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code); + +/** + * Create a PB-Error message from parameters with offset field + * + * @param fatal fatal flag + * @param vendor_id Error Code Vendor ID + * @param error_code Error Code + * @param error_offset Error Offset + */ +pb_tnc_msg_t* pb_error_msg_create_with_offset(bool fatal, u_int32_t vendor_id, + pb_tnc_error_code_t error_code, + u_int32_t error_offset); + +/** + * Create an unprocessed PB-Error message from raw data + * + * @param data PB-Error message data + */ +pb_tnc_msg_t* pb_error_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c new file mode 100644 index 000000000..7dfba136f --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.c 
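Review bot: The closing guard comment on the last line of pb_error_msg.h names a different header, `#endif /** PB_PA_MSG_H_ @}*/`, while the guard opened above it is `PB_ERROR_MSG_H_`; it should read `#endif /** PB_ERROR_MSG_H_ @}*/`. The same copy-paste mismatch appears in pb_language_preference_msg.h and pb_reason_string_msg.h later in this patch, both of which also close with `PB_PA_MSG_H_`. It is comment-only, so the guards still work, but it misleads anyone grepping for the guard macro.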
@@ -0,0 +1,102 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_experimental_msg.h" + +typedef struct private_pb_experimental_msg_t private_pb_experimental_msg_t; + +/** + * Private data of a pb_experimental_msg_t object. + * + */ +struct private_pb_experimental_msg_t { + /** + * Public pb_experimental_msg_t interface. + */ + pb_experimental_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_experimental_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_experimental_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_experimental_msg_t *this) +{ + /* nothing to do since message contents equal encoding */ +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_experimental_msg_t *this, u_int32_t *offset) +{ + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_experimental_msg_t *this) +{ + free(this->encoding.ptr); + free(this); +} + +/** + * See header + */ +pb_tnc_msg_t *pb_experimental_msg_create_from_data(chunk_t data) +{ + private_pb_experimental_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, 
+ }, + .type = PB_MSG_EXPERIMENTAL, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_experimental_msg_create(chunk_t body) +{ + return pb_experimental_msg_create_from_data(body); +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h new file mode 100644 index 000000000..b1cc4f46e --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_experimental_msg.h @@ -0,0 +1,53 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_experimental_msg pb_experimental_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_EXPERIMENTAL_MSG_H_ +#define PB_EXPERIMENTAL_MSG_H_ + +typedef struct pb_experimental_msg_t pb_experimental_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Experimental message type. + */ +struct pb_experimental_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; +}; + +/** + * Create a PB-Experimental message from parameters + * + * @param body message body + */ +pb_tnc_msg_t* pb_experimental_msg_create(chunk_t body); + +/** + * Create an unprocessed PB-Experimental message from raw data + * + * @param data PB-Experimental message data + */ +pb_tnc_msg_t* pb_experimental_msg_create_from_data(chunk_t data); + +#endif /** PB_EXPERIMENTAL_MSG_H_ @}*/ 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
new file mode 100644
index 000000000..9a94edf30
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.c
@@ -0,0 +1,175 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_language_preference_msg.h" + +#include +#include +#include + +typedef struct private_pb_language_preference_msg_t private_pb_language_preference_msg_t; + +/** + * PB-Language-Preference message (see section 4.10 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Language Preference (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PB_LANG_PREFIX "Accept-Language: " +#define PB_LANG_PREFIX_LEN strlen(PB_LANG_PREFIX) + +/** + * Private data of a pb_language_preference_msg_t object. + * + */ +struct private_pb_language_preference_msg_t { + /** + * Public pb_access_recommendation_msg_t interface. 
+ */ + pb_language_preference_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Language preference + */ + chunk_t language_preference; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_language_preference_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_language_preference_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_language_preference_msg_t *this) +{ + this->encoding = chunk_cat("cc", + chunk_create(PB_LANG_PREFIX, PB_LANG_PREFIX_LEN), + this->language_preference); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_language_preference_msg_t *this, u_int32_t *offset) +{ + chunk_t lang; + + if (this->encoding.len >= PB_LANG_PREFIX_LEN && + memeq(this->encoding.ptr, PB_LANG_PREFIX, PB_LANG_PREFIX_LEN)) + { + lang = chunk_skip(this->encoding, PB_LANG_PREFIX_LEN); + this->language_preference = lang.len ? 
chunk_clone(lang) : chunk_empty; + } + else + { + DBG1(DBG_TNC, "language preference must be preceded by '%s'", + PB_LANG_PREFIX); + *offset = 0; + return FAILED; + } + + if (this->language_preference.len && + this->language_preference.ptr[this->language_preference.len-1] == '\0') + { + DBG1(DBG_TNC, "language preference must not be null terminated"); + *offset = PB_LANG_PREFIX_LEN + this->language_preference.len - 1; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_language_preference_msg_t *this) +{ + free(this->encoding.ptr); + free(this->language_preference.ptr); + free(this); +} + +METHOD(pb_language_preference_msg_t, get_language_preference, chunk_t, + private_pb_language_preference_msg_t *this) +{ + return this->language_preference; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_language_preference_msg_create_from_data(chunk_t data) +{ + private_pb_language_preference_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_language_preference = _get_language_preference, + }, + .type = PB_MSG_LANGUAGE_PREFERENCE, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_language_preference_msg_create(chunk_t language_preference) +{ + private_pb_language_preference_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_language_preference = _get_language_preference, + }, + .type = PB_MSG_LANGUAGE_PREFERENCE, + .language_preference = chunk_clone(language_preference), + ); + + return &this->public.pb_interface; +} 
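Review bot: `build` assigns `this->encoding = chunk_cat(...)` without releasing the buffer it already holds, so a message created with pb_language_preference_msg_create_from_data (which stores a cloned encoding) or any message built twice leaks the old allocation; pb_pa_msg.c's `build` in the same patch does `free(this->encoding.ptr);` first, and the same line belongs here right before the chunk_cat. Separately, `PB_LANG_PREFIX_LEN` expands to a runtime `strlen` on every use, including the two uses inside `process`'s condition; `#define PB_LANG_PREFIX_LEN (sizeof(PB_LANG_PREFIX) - 1)` yields the same value as a compile-time constant. The prefix comparison via `memeq` is exact and case-sensitive, which is fine as long as that matches what RFC 5793 section 4.10 requires of the sender — worth confirming.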
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h
new file mode 100644
index 000000000..17106f6fa
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_language_preference_msg.h
@@ -0,0 +1,60 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_language_preference_msg pb_language_preference_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_LANGUAGE_PREFERENCE_MSG_H_ +#define PB_LANGUAGE_PREFERENCE_MSG_H_ + +typedef struct pb_language_preference_msg_t pb_language_preference_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Language-Preference message type. + */ +struct pb_language_preference_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get PB Language Preference + * + * @return Language preference + */ + chunk_t (*get_language_preference)(pb_language_preference_msg_t *this); +}; + +/** + * Create a PB-Language-Preference message from parameters + * + * @param language_preference Preferred language(s) + */ +pb_tnc_msg_t* pb_language_preference_msg_create(chunk_t language_preference); + +/** + * Create an unprocessed PB-Language-Preference message from raw data + * + * @param data PB-Language-Preference message data + */ +pb_tnc_msg_t* pb_language_preference_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c new file mode 100644 index 000000000..8315bfb76 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.c 
@@ -0,0 +1,293 @@ +/* + * Copyright (C) 2010 Sansar Choinyanbuu + * Copyright (C) 2010 Andreas Steffen + * + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_pa_msg.h" + +#include +#include +#include +#include + +ENUM(pa_tnc_subtype_names, PA_SUBTYPE_TESTING, PA_SUBTYPE_NEA_CLIENT, + "Testing", + "Operating System", + "Anti-Virus", + "Anti-Spyware", + "Anti-Malware", + "Firewall", + "IDPS", + "VPN", + "NEA Client" +); + +typedef struct private_pb_pa_msg_t private_pb_pa_msg_t; + +/** + * PB-PA message + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Flags | PA Message Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PA Subtype | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Posture Collector Identifier | Posture Validator Identifier | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | PA Message Body (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +#define PA_FLAG_NONE 0x00 +#define PA_FLAG_EXCL (1<<7) +#define PA_RESERVED_SUBTYPE 0xffffffff + + +/** + * Private data of a pb_pa_msg_t object. + * + */ +struct private_pb_pa_msg_t { + /** + * Public pb_pa_msg_t interface. 
+ */ + pb_pa_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Exclusive flag + */ + bool excl; + + /** + * PA Message Vendor ID + */ + u_int32_t vendor_id; + + /** + * PA Subtype + */ + u_int32_t subtype; + + /** + * Posture Validator Identifier + */ + u_int16_t collector_id; + + /** + * Posture Validator Identifier + */ + u_int16_t validator_id; + + /** + * PA Message Body + */ + chunk_t msg_body; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_pa_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_pa_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_pa_msg_t *this) +{ + chunk_t msg_header; + tls_writer_t *writer; + + /* build message header */ + writer = tls_writer_create(64); + writer->write_uint8 (writer, this->excl ? PA_FLAG_EXCL : PA_FLAG_NONE); + writer->write_uint24(writer, this->vendor_id); + writer->write_uint32(writer, this->subtype); + writer->write_uint16(writer, this->collector_id); + writer->write_uint16(writer, this->validator_id); + msg_header = writer->get_buf(writer); + + /* create encoding by concatenating message header and message body */ + free(this->encoding.ptr); + this->encoding = chunk_cat("cc", msg_header, this->msg_body); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_pa_msg_t *this, u_int32_t *offset) +{ + u_int8_t flags; + size_t msg_body_len; + tls_reader_t *reader; + + /* process message header */ + reader = tls_reader_create(this->encoding); + reader->read_uint8 (reader, &flags); + reader->read_uint24(reader, &this->vendor_id); + reader->read_uint32(reader, &this->subtype); + reader->read_uint16(reader, &this->collector_id); + reader->read_uint16(reader, &this->validator_id); + this->excl = ((flags & PA_FLAG_EXCL) != PA_FLAG_NONE); + + /* process message body */ + msg_body_len = 
reader->remaining(reader); + if (msg_body_len) + { + reader->read_data(reader, msg_body_len, &this->msg_body); + this->msg_body = chunk_clone(this->msg_body); + } + reader->destroy(reader); + + if (this->vendor_id == RESERVED_VENDOR_ID) + { + DBG1(DBG_TNC, "Vendor ID 0x%06x is reserved", RESERVED_VENDOR_ID); + *offset = 1; + return FAILED; + } + + if (this->subtype == PA_RESERVED_SUBTYPE) + { + DBG1(DBG_TNC, "PA Subtype 0x%08x is reserved", PA_RESERVED_SUBTYPE); + *offset = 4; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_pa_msg_t *this) +{ + free(this->encoding.ptr); + free(this->msg_body.ptr); + free(this); +} + +METHOD(pb_pa_msg_t, get_vendor_id, u_int32_t, + private_pb_pa_msg_t *this, u_int32_t *subtype) +{ + *subtype = this->subtype; + return this->vendor_id; +} + +METHOD(pb_pa_msg_t, get_collector_id, u_int16_t, + private_pb_pa_msg_t *this) +{ + return this->collector_id; +} + +METHOD(pb_pa_msg_t, get_validator_id, u_int16_t, + private_pb_pa_msg_t *this) +{ + return this->validator_id; +} + +METHOD(pb_pa_msg_t, get_body, chunk_t, + private_pb_pa_msg_t *this) +{ + return this->msg_body; +} + +METHOD(pb_pa_msg_t, get_exclusive_flag, bool, + private_pb_pa_msg_t *this) +{ + return this->excl; +} + +METHOD(pb_pa_msg_t, set_exclusive_flag, void, + private_pb_pa_msg_t *this, bool excl) +{ + this->excl = excl; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_pa_msg_create_from_data(chunk_t data) +{ + private_pb_pa_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_collector_id = _get_collector_id, + .get_validator_id = _get_validator_id, + .get_body = _get_body, + .get_exclusive_flag = _get_exclusive_flag, + .set_exclusive_flag = _set_exclusive_flag, + }, + .type = PB_MSG_PA, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header 
+ */ +pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype, + u_int16_t collector_id, u_int16_t validator_id, + chunk_t msg_body) +{ + private_pb_pa_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_collector_id = _get_collector_id, + .get_validator_id = _get_validator_id, + .get_body = _get_body, + .get_exclusive_flag = _get_exclusive_flag, + .set_exclusive_flag = _set_exclusive_flag, + }, + .type = PB_MSG_PA, + .vendor_id = vendor_id, + .subtype = subtype, + .collector_id = collector_id, + .validator_id = validator_id, + .msg_body = chunk_clone(msg_body), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h new file mode 100644 index 000000000..366d790f6 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_pa_msg.h 
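Review bot: `process` never checks that the encoding actually holds the 12-octet fixed header before calling read_uint8/read_uint24/read_uint32/read_uint16, and their return values are discarded, so a truncated PB-PA message from the peer leaves `vendor_id`, `subtype`, `collector_id` and `validator_id` at whatever the failed reads left behind and still returns SUCCESS; a length guard before the reads (below) rejects that, or each read result can be tested the way pb_reason_string_msg.c tests `read_data32`. The reserved-subtype branch sets `*offset = 4;` but still falls through to `return SUCCESS;`, unlike the vendor-ID branch directly above it — presumably either a `return FAILED;` is missing or the offset assignment is unintended. `pb_pa_msg_create_from_data` also omits `.build = _build` from its `pb_interface`, while `pb_pa_msg_create` and the other `*_create_from_data` constructors in this patch set it, so calling `build` on a received PB-PA message would go through a NULL function pointer. Finally, the doc comment on `collector_id` says "Posture Validator Identifier" and should say "Posture Collector Identifier".
```c
METHOD(pb_tnc_msg_t, process, status_t,
	private_pb_pa_msg_t *this, u_int32_t *offset)
{
	u_int8_t flags;
	size_t msg_body_len;
	tls_reader_t *reader;

	/* fixed header: flags(1) + vendor ID(3) + subtype(4) +
	 * collector ID(2) + validator ID(2) = 12 octets */
	if (this->encoding.len < 12)
	{
		DBG1(DBG_TNC, "PB-PA message shorter than its fixed header");
		*offset = 0;
		return FAILED;
	}

	/* process message header */
	reader = tls_reader_create(this->encoding);
	/* … unchanged: header field reads, body extraction, reserved-value checks … */
```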
@@ -0,0 +1,123 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_pa_msg pb_pa_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_PA_MSG_H_ +#define PB_PA_MSG_H_ + +typedef enum pa_tnc_subtype_t pa_tnc_subtype_t; +typedef struct pb_pa_msg_t pb_pa_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PA-TNC Subtypes as defined in section 3.5 of RFC 5792 + */ + enum pa_tnc_subtype_t { + PA_SUBTYPE_TESTING = 0, + PA_SUBTYPE_OPERATING_SYSTEM = 1, + PA_SUBTYPE_ANTI_VIRUS = 2, + PA_SUBTYPE_ANTI_SPYWARE = 3, + PA_SUBTYPE_ANTI_MALWARE = 4, + PA_SUBTYPE_FIREWALL = 5, + PA_SUBTYPE_IDPS = 6, + PA_SUBTYPE_VPN = 7, + PA_SUBTYPE_NEA_CLIENT = 8 +}; + +/** + * enum name for pa_tnc_subtype_t. + */ +extern enum_name_t *pa_tnc_subtype_names; + +/** + * Class representing the PB-PA message type. 
+ */ +struct pb_pa_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get PA Message Vendor ID and Subtype + * + * @param subtype PA Subtype + * @return PA Message Vendor ID + */ + u_int32_t (*get_vendor_id)(pb_pa_msg_t *this, u_int32_t *subtype); + + /** + * Get Posture Collector ID + * + * @return Posture Collector ID + */ + u_int16_t (*get_collector_id)(pb_pa_msg_t *this); + + /** + * Get Posture Validator ID + * + * @return Posture Validator ID + */ + u_int16_t (*get_validator_id)(pb_pa_msg_t *this); + + /** + * Get the PA Message Body + * + * @return PA Message Body + */ + chunk_t (*get_body)(pb_pa_msg_t *this); + + /** + * Get the exclusive flag + * + * @return exclusive flag + */ + bool (*get_exclusive_flag)(pb_pa_msg_t *this); + + /** + * Set the exclusive flag + * + * @param excl vexclusive flag + */ + void (*set_exclusive_flag)(pb_pa_msg_t *this, bool excl); +}; + +/** + * Create a PB-PA message from parameters + * + * @param vendor_id PA Message Vendor ID + * @param subtype PA Subtype + * @param collector_id Posture Collector ID + * @param validator_id Posture Validator ID + * @param msg_body PA Message Body + */ +pb_tnc_msg_t *pb_pa_msg_create(u_int32_t vendor_id, u_int32_t subtype, + u_int16_t collector_id, u_int16_t validator_id, + chunk_t msg_body); + +/** + * Create an unprocessed PB-PA message from raw data + * + * @param data PB-PA message data + */ +pb_tnc_msg_t* pb_pa_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c new file mode 100644 index 000000000..e361cf2b2 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.c 
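Review bot: The `set_exclusive_flag` parameter doc has a typo, `@param excl vexclusive flag`, which should be `@param excl exclusive flag`. The `enum pa_tnc_subtype_t {` line is also indented by a stray leading space, unlike its closing brace and the other declarations in this header.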
@@ -0,0 +1,216 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_reason_string_msg.h" + +#include +#include +#include + +typedef struct private_pb_reason_string_msg_t private_pb_reason_string_msg_t; + +/** + * PB-Language-Preference message (see section 4.11 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reason String Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reason String (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Lang Code Len | Reason String Language Code (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +/** + * Private data of a pb_reason_string_msg_t object. + * + */ +struct private_pb_reason_string_msg_t { + /** + * Public pb_reason_string_msg_t interface. 
+ */ + pb_reason_string_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Reason string + */ + chunk_t reason_string; + + /** + * Language code + */ + chunk_t language_code; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_reason_string_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_reason_string_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_reason_string_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(64); + writer->write_data32(writer, this->reason_string); + writer->write_data8 (writer, this->language_code); + + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_reason_string_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + + /* process message */ + reader = tls_reader_create(this->encoding); + if (!reader->read_data32(reader, &this->reason_string)) + { + DBG1(DBG_TNC, "could not parse reason string"); + reader->destroy(reader); + *offset = 0; + return FAILED; + }; + this->reason_string = chunk_clone(this->reason_string); + + if (this->reason_string.len && + this->reason_string.ptr[this->reason_string.len-1] == '\0') + { + DBG1(DBG_TNC, "reason string must not be null terminated"); + reader->destroy(reader); + *offset = 3 + this->reason_string.len; + return FAILED; + } + + if (!reader->read_data8(reader, &this->language_code)) + { + DBG1(DBG_TNC, "could not parse language code"); + reader->destroy(reader); + *offset = 4 + this->reason_string.len; + return FAILED; + }; + this->language_code = chunk_clone(this->language_code); + reader->destroy(reader); + + if (this->language_code.len && + this->language_code.ptr[this->language_code.len-1] == '\0') 
+ { + DBG1(DBG_TNC, "language code must not be null terminated"); + *offset = 4 + this->reason_string.len + this->language_code.len; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_reason_string_msg_t *this) +{ + free(this->encoding.ptr); + free(this->reason_string.ptr); + free(this->language_code.ptr); + free(this); +} + +METHOD(pb_reason_string_msg_t, get_reason_string, chunk_t, + private_pb_reason_string_msg_t *this) +{ + return this->reason_string; +} + +METHOD(pb_reason_string_msg_t, get_language_code, chunk_t, + private_pb_reason_string_msg_t *this) +{ + return this->language_code; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_reason_string_msg_create_from_data(chunk_t data) +{ + private_pb_reason_string_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_reason_string = _get_reason_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_reason_string_msg_create(chunk_t reason_string, + chunk_t language_code) +{ + private_pb_reason_string_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_reason_string = _get_reason_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .reason_string = chunk_clone(reason_string), + .language_code = chunk_clone(language_code), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h new file mode 100644 index 000000000..bb296a90c --- /dev/null 
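Review bot: The file's format comment is titled `PB-Language-Preference message (see section 4.11 of RFC 5793)` although the diagram and the code describe the Reason-String message, so the title should read `PB-Reason-String message (see section 4.11 of RFC 5793)`. In `process`, the two `};` after the `read_data32` and `read_data8` failure blocks are empty statements; drop the semicolons. The offset arithmetic in the two null-termination checks (`3 + this->reason_string.len` and `4 + this->reason_string.len + this->language_code.len`) does land on the offending last byte given the 4-byte and 1-byte length prefixes, so that part reads correctly.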
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_reason_string_msg.h @@ -0,0 +1,69 @@ +/* + * Copyright (C) 2010 Sansar Choinyambuu + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_reason_string_msg pb_reason_string_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_REASON_STRING_MSG_H_ +#define PB_REASON_STRING_MSG_H_ + +typedef struct pb_reason_string_msg_t pb_reason_string_msg_t; + +#include "pb_tnc_msg.h" + +/** + * Class representing the PB-Reason-String message type. + */ +struct pb_reason_string_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get Reason String + * + * @return Reason string + */ + chunk_t (*get_reason_string)(pb_reason_string_msg_t *this); + + /** + * Get Reason String Language Code + * + * @return Language code + */ + chunk_t (*get_language_code)(pb_reason_string_msg_t *this); +}; + +/** + * Create a PB-Reason-String message from parameters + * + * @param reason_string Reason string + * @param language_code Language code + */ +pb_tnc_msg_t* pb_reason_string_msg_create(chunk_t reason_string, + chunk_t language_code); + +/** + * Create an unprocessed PB-Reason-String message from raw data + * + * @param data PB-Reason-String message data + */ +pb_tnc_msg_t* pb_reason_string_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ 
diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
new file mode 100644
index 000000000..79381a7b1
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.c
@@ -0,0 +1,259 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_remediation_parameters_msg.h" + +#include +#include +#include + +ENUM(pb_tnc_remed_param_type_names, PB_REMEDIATION_URI, PB_REMEDIATION_STRING, + "Remediation-URI", + "Remediation-String" +); + +typedef struct private_pb_remediation_parameters_msg_t private_pb_remediation_parameters_msg_t; + +/** + * PB-Remediation-Parameters message (see section 4.8 of RFC 5793) + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Reserved | Remediation Parameters Vendor ID | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation Parameters Type | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation Parameters (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * + * 0 1 2 3 + * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation String Length | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Remediation String (Variable Length) | + * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + * | Lang Code Len | Remediation String Lang Code (Variable Len) | + * 
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + */ + +/** + * Private data of a pb_remediation_parameters_msg_t object. + * + */ +struct private_pb_remediation_parameters_msg_t { + /** + * Public pb_remediation_parameters_msg_t interface. + */ + pb_remediation_parameters_msg_t public; + + /** + * PB-TNC message type + */ + pb_tnc_msg_type_t type; + + /** + * Remediation Parameters Vendor ID + */ + u_int32_t vendor_id; + + /** + * Remediation Parameters Type + */ + u_int32_t parameters_type; + + /** + * Remediation Parameters string + */ + chunk_t remediation_string; + + /** + * Language code + */ + chunk_t language_code; + + /** + * Encoded message + */ + chunk_t encoding; +}; + +METHOD(pb_tnc_msg_t, get_type, pb_tnc_msg_type_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->type; +} + +METHOD(pb_tnc_msg_t, get_encoding, chunk_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->encoding; +} + +METHOD(pb_tnc_msg_t, build, void, + private_pb_remediation_parameters_msg_t *this) +{ + tls_writer_t *writer; + + /* build message */ + writer = tls_writer_create(64); + writer->write_uint32(writer, this->vendor_id); + writer->write_uint32(writer, this->parameters_type); + writer->write_data32(writer, this->remediation_string); + writer->write_data8 (writer, this->language_code); + + free(this->encoding.ptr); + this->encoding = writer->get_buf(writer); + this->encoding = chunk_clone(this->encoding); + writer->destroy(writer); +} + +METHOD(pb_tnc_msg_t, process, status_t, + private_pb_remediation_parameters_msg_t *this, u_int32_t *offset) +{ + tls_reader_t *reader; + + /* process message */ + reader = tls_reader_create(this->encoding); + reader->read_uint32(reader, &this->vendor_id); + reader->read_uint32(reader, &this->parameters_type); + + if (!reader->read_data32(reader, &this->remediation_string)) + { + DBG1(DBG_TNC, "could not parse remediation string"); + reader->destroy(reader); + *offset = 8; + return FAILED; + 
}; + this->remediation_string = chunk_clone(this->remediation_string); + + if (this->remediation_string.len && + this->remediation_string.ptr[this->remediation_string.len-1] == '\0') + { + DBG1(DBG_TNC, "remediation string must not be null terminated"); + reader->destroy(reader); + *offset = 11 + this->remediation_string.len; + return FAILED; + } + + if (!reader->read_data8(reader, &this->language_code)) + { + DBG1(DBG_TNC, "could not parse language code"); + reader->destroy(reader); + *offset = 12 + this->remediation_string.len; + return FAILED; + }; + this->language_code = chunk_clone(this->language_code); + reader->destroy(reader); + + if (this->language_code.len && + this->language_code.ptr[this->language_code.len-1] == '\0') + { + DBG1(DBG_TNC, "language code must not be null terminated"); + *offset = 12 + this->remediation_string.len + this->language_code.len; + return FAILED; + } + + return SUCCESS; +} + +METHOD(pb_tnc_msg_t, destroy, void, + private_pb_remediation_parameters_msg_t *this) +{ + free(this->encoding.ptr); + free(this->remediation_string.ptr); + free(this->language_code.ptr); + free(this); +} + +METHOD(pb_remediation_parameters_msg_t, get_vendor_id, u_int32_t, + private_pb_remediation_parameters_msg_t *this, u_int32_t *type) +{ + *type = this->parameters_type; + return this->vendor_id; +} + +METHOD(pb_remediation_parameters_msg_t, get_remediation_string, chunk_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->remediation_string; +} + +METHOD(pb_remediation_parameters_msg_t, get_language_code, chunk_t, + private_pb_remediation_parameters_msg_t *this) +{ + return this->language_code; +} + +/** + * See header + */ +pb_tnc_msg_t *pb_remediation_parameters_msg_create_from_data(chunk_t data) +{ + private_pb_remediation_parameters_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + 
.get_vendor_id = _get_vendor_id, + .get_remediation_string = _get_remediation_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .encoding = chunk_clone(data), + ); + + return &this->public.pb_interface; +} + +/** + * See header + */ +pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id, + u_int32_t type, + chunk_t remediation_string, + chunk_t language_code) +{ + private_pb_remediation_parameters_msg_t *this; + + INIT(this, + .public = { + .pb_interface = { + .get_type = _get_type, + .get_encoding = _get_encoding, + .build = _build, + .process = _process, + .destroy = _destroy, + }, + .get_vendor_id = _get_vendor_id, + .get_remediation_string = _get_remediation_string, + .get_language_code = _get_language_code, + }, + .type = PB_MSG_REASON_STRING, + .vendor_id = vendor_id, + .parameters_type = type, + .remediation_string = chunk_clone(remediation_string), + .language_code = chunk_clone(language_code), + ); + + return &this->public.pb_interface; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h new file mode 100644 index 000000000..258d495ec --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_remediation_parameters_msg.h 
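Review bot: Both constructors set `.type = PB_MSG_REASON_STRING`, so `get_type()` reports this object as a PB-Reason-String message rather than `PB_MSG_REMEDIATION_PARAMETERS`; a receiver that dispatches on the type (as handle_message in tnccs_20.c does) would then cast it to the wrong struct and call through mismatched function pointers. Change both initializers to `.type = PB_MSG_REMEDIATION_PARAMETERS,`. In `process` the two `read_uint32` calls are not checked, unlike the `read_data32`/`read_data8` calls that follow; if `read_uint32` reports failure the same way, a truncated encoding should fail at offset 0 or 4 instead of leaving vendor_id/parameters_type at their INIT value (presumably zero) and failing later with an offset that presumes the first eight bytes were present. The `};` after the two failing-`if` blocks is a stray empty statement and should be just `}`.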
@@ -0,0 +1,96 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_remediation_parameters_msg pb_remediation_parameters_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_REMEDIATION_PARAMETERS_MSG_H_ +#define PB_REMEDIATION_PARAMETERS_MSG_H_ + +typedef enum pb_tnc_remed_param_type_t pb_tnc_remed_param_type_t; +typedef struct pb_remediation_parameters_msg_t pb_remediation_parameters_msg_t; + +#include "pb_tnc_msg.h" + +/** + * PB-TNC Remediation Parameter Types as defined in section 4.8.1 of RFC 5793 + */ +enum pb_tnc_remed_param_type_t { + PB_REMEDIATION_URI = 1, + PB_REMEDIATION_STRING = 2, +}; + +/** + * enum name for pb_tnc_remed_param_type_t. + */ +extern enum_name_t *pb_tnc_remed_param_type_names; + +/** + * Class representing the PB-Remediation-Parameters message type. 
+ */ +struct pb_remediation_parameters_msg_t { + + /** + * PB-TNC Message interface + */ + pb_tnc_msg_t pb_interface; + + /** + * Get Remediation Parameters Vendor ID and Type + * + * @param type Remediation Parameters Type + * @return Remediation Parameters Vendor ID + */ + u_int32_t (*get_vendor_id)(pb_remediation_parameters_msg_t *this, + u_int32_t *type); + + /** + * Get Remediation String + * + * @return Remediation String + */ + chunk_t (*get_remediation_string)(pb_remediation_parameters_msg_t *this); + + /** + * Get Reason String Language Code + * + * @return Language Code + */ + chunk_t (*get_language_code)(pb_remediation_parameters_msg_t *this); +}; + +/** + * Create a PB-Remediation-Parameters message from parameters + * + * @param vendor_id Remediation Parameters Vendor ID + * @param type Remediation Parameters Type + * @param remediation_string Remediation String + * @param language_code Language Code + */ +pb_tnc_msg_t* pb_remediation_parameters_msg_create(u_int32_t vendor_id, + u_int32_t type, + chunk_t remediation_string, + chunk_t language_code); + +/** + * Create an unprocessed PB-Remediation-Parameters message from raw data + * + * @param data PB-Remediation-Parameters message data + */ +pb_tnc_msg_t* pb_remediation_parameters_msg_create_from_data(chunk_t data); + +#endif /** PB_PA_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c new file mode 100644 index 000000000..3565c2d84 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.c 
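Review bot: The doc comment on `get_language_code` reads `Get Reason String Language Code`, a leftover from pb_reason_string_msg.h; it should say `Get Remediation String Language Code`. The two constructor comments have `@param` entries but no `@return`; since `destroy` in the .c file frees the cloned chunks and the object itself, stating that the caller owns the returned `pb_tnc_msg_t` and must call `destroy` on it would document the ownership the implementation presumably relies on. The `get_vendor_id` comment should also say that the `type` out-parameter is written unconditionally, since the implementation dereferences it without a NULL check.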
@@ -0,0 +1,75 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_tnc_msg.h" +#include "pb_experimental_msg.h" +#include "pb_pa_msg.h" +#include "pb_error_msg.h" +#include "pb_language_preference_msg.h" +#include "pb_assessment_result_msg.h" +#include "pb_access_recommendation_msg.h" +#include "pb_remediation_parameters_msg.h" +#include "pb_reason_string_msg.h" + +#include + +ENUM(pb_tnc_msg_type_names, PB_MSG_EXPERIMENTAL, PB_MSG_REASON_STRING, + "PB-Experimental", + "PB-PA", + "PB-Assessment-Result", + "PB-Access-Recommendation", + "PB-Remediation-Parameters", + "PB-Error", + "PB-Language-Preference", + "PB-Reason-String" +); + +pb_tnc_msg_info_t pb_tnc_msg_infos[] = { + { 12, FALSE, FALSE, TRUE_OR_FALSE }, + { 24, FALSE, FALSE, TRUE }, + { 16, TRUE, TRUE, TRUE }, + { 16, TRUE, TRUE, FALSE }, + { 20, FALSE, TRUE, FALSE }, + { 20, FALSE, FALSE, TRUE }, + { 12, FALSE, FALSE, FALSE }, + { 17, FALSE, TRUE, FALSE }, +}; + +/** + * See header + */ +pb_tnc_msg_t* pb_tnc_msg_create_from_data(pb_tnc_msg_type_t type, chunk_t value) +{ + switch (type) + { + case PB_MSG_PA: + return pb_pa_msg_create_from_data(value); + case PB_MSG_ERROR: + return pb_error_msg_create_from_data(value); + case PB_MSG_EXPERIMENTAL: + return pb_experimental_msg_create_from_data(value); + case PB_MSG_LANGUAGE_PREFERENCE: + return pb_language_preference_msg_create_from_data(value); + case PB_MSG_ASSESSMENT_RESULT: + return 
pb_assessment_result_msg_create_from_data(value); + case PB_MSG_ACCESS_RECOMMENDATION: + return pb_access_recommendation_msg_create_from_data(value); + case PB_MSG_REMEDIATION_PARAMETERS: + return pb_remediation_parameters_msg_create_from_data(value); + case PB_MSG_REASON_STRING: + return pb_reason_string_msg_create_from_data(value); + } + return NULL; +} diff --git a/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h new file mode 100644 index 000000000..e20c8d8ff --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/messages/pb_tnc_msg.h 
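Review bot: `pb_tnc_msg_infos[]` is a positional table whose rows must line up with the `pb_tnc_msg_type_t` values and whose four columns are named only in the header struct; nothing in this file says so, and the `TRUE_OR_FALSE` entry in the first row is unexplained. A comment above the table such as `/* indexed by pb_tnc_msg_type_t: min_size, exact_size, in_result_batch, has_noskip_flag */` plus a trailing `/* PB-Experimental */` … `/* PB-Reason-String */` comment per row would make a mis-ordered edit visible in review. `pb_tnc_msg_create_from_data` returns NULL for a type value not in the switch; the "See header" comment and the header's doc do not mention this, so callers reading either would not know to check for NULL.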
@@ -0,0 +1,128 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_tnc_msg pb_tnc_msg + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_TNC_MSG_H_ +#define PB_TNC_MSG_H_ + +typedef enum pb_tnc_msg_type_t pb_tnc_msg_type_t; +typedef struct pb_tnc_msg_info_t pb_tnc_msg_info_t; +typedef struct pb_tnc_msg_t pb_tnc_msg_t; + +#include + +#define PB_TNC_VERSION 2 + +/** + * PB-TNC Message Types as defined in section 4.3 of RFC 5793 + */ +enum pb_tnc_msg_type_t { + PB_MSG_EXPERIMENTAL = 0, + PB_MSG_PA = 1, + PB_MSG_ASSESSMENT_RESULT = 2, + PB_MSG_ACCESS_RECOMMENDATION = 3, + PB_MSG_REMEDIATION_PARAMETERS = 4, + PB_MSG_ERROR = 5, + PB_MSG_LANGUAGE_PREFERENCE = 6, + PB_MSG_REASON_STRING = 7, + PB_MSG_ROOF = 7 +}; + +/** + * enum name for pb_tnc_msg_type_t. + */ +extern enum_name_t *pb_tnc_msg_type_names; + +/** + * Information entry describing a PB-TNC Message Type + */ +struct pb_tnc_msg_info_t { + u_int32_t min_size; + bool exact_size; + bool in_result_batch; + bool has_noskip_flag; +}; + +#define TRUE_OR_FALSE 2 + +/** + * Information on PB-TNC Message Types + */ +extern pb_tnc_msg_info_t pb_tnc_msg_infos[]; + +/** + * Generic interface for all PB-TNC message types. + * + * To handle all messages in a generic way, this interface + * must be implemented by each message type. 
+ */ +struct pb_tnc_msg_t { + + /** + * Get the PB-TNC Message Type + * + * @return PB-TNC Message Type + */ + pb_tnc_msg_type_t (*get_type)(pb_tnc_msg_t *this); + + /** + * Get the encoding of the PB-TNC Message Value + * + * @return encoded PB-TNC Message Value + */ + chunk_t (*get_encoding)(pb_tnc_msg_t *this); + + /** + * Build the PB-TNC Message Value + */ + void (*build)(pb_tnc_msg_t *this); + + /** + * Process the PB-TNC Message Value + * + * @param relative offset where an error occurred + * @return return processing status + */ + status_t (*process)(pb_tnc_msg_t *this, u_int32_t *offset); + + /** + * Get a new reference to the message. + * + * @return this, with an increased refcount + */ + pb_tnc_msg_t* (*get_ref)(pb_tnc_msg_t *this); + + /** + * Destroys a pb_tnc_msg_t object. + */ + void (*destroy)(pb_tnc_msg_t *this); +}; + +/** + * Create an unprocessed PB-TNC message + * + * Useful for the parser which wants a generic constructor for all + * pb_tnc_message_t types. + * + * @param type PB-TNC message type + * @param value PB-TNC message value + */ +pb_tnc_msg_t* pb_tnc_msg_create_from_data(pb_tnc_msg_type_t type, chunk_t value); + +#endif /** PB_TNC_MSG_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c new file mode 100644 index 000000000..a46dc0ab9 --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.c 
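Review bot: `get_ref` is declared in the `pb_tnc_msg_t` interface, but the implementation visible in this commit (pb_remediation_parameters_msg.c's two constructors) initializes only `get_type`, `get_encoding`, `build`, `process` and `destroy` in `pb_interface`, so a caller invoking `get_ref` on such a message would jump through a NULL function pointer. Either remove `get_ref` from the interface until every message type implements it, or document that it is mandatory and add it to each implementation. Separately, `has_noskip_flag` is declared `bool` while `pb_tnc_msg_infos[]` stores `TRUE_OR_FALSE` (2) in it; if `bool` is C99 `_Bool`, the value 2 collapses to 1 and becomes indistinguishable from `TRUE`, losing the tri-state the name implies. Declaring the field as `u_int8_t` (or a small enum with the three values) would preserve it, and a comment on `TRUE_OR_FALSE` explaining that it means "either flag value is acceptable" would help.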
@@ -0,0 +1,287 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "pb_tnc_state_machine.h" + +#include + +ENUM(pb_tnc_state_names, PB_STATE_INIT, PB_STATE_END, + "Init", + "Server Working", + "Client Working", + "Decided", + "End" +); + +/** + * PB-TNC State Machine (see section 3.2 of RFC 5793) + * + * Receive CRETRY SRETRY + * or SRETRY +----------------+ + * +--+ | | + * v | v | + * +---------+ CRETRY +---------+ + * CDATA | Server |<---------| Decided | CLOSE + * +----------->| Working |--------->| |-------+ + * | +---------+ RESULT +---------+ | + * | ^ | | v + * | | | +---------------------->======= + * ======== | | CLOSE " End " + * " Init " CDATA| |SDATA ======= + * ======== | | ^ ^ + * | | | v | | + * | | SDATA +---------+ CLOSE | | + * | +-------->| Client |----------------------+ | + * | | Working | | + * | +---------+ | + * | | ^ | + * | +--+ | + * | Receive CRETRY | + * | CLOSE | + * +--------------------------------------------------+ + */ + +typedef struct private_pb_tnc_state_machine_t private_pb_tnc_state_machine_t; + +/** + * Private data of a pb_tnc_state_machine_t object. + * + */ +struct private_pb_tnc_state_machine_t { + /** + * Public pb_pa_message_t interface. 
+ */ + pb_tnc_state_machine_t public; + + /** + * PB-TNC Server if TRUE, PB-TNC Client if FALSE + */ + bool is_server; + + /** + * Current PB-TNC state + */ + pb_tnc_state_t state; +}; + +METHOD(pb_tnc_state_machine_t, get_state, pb_tnc_state_t, + private_pb_tnc_state_machine_t *this) +{ + return this->state; +} + +METHOD(pb_tnc_state_machine_t, receive_batch, bool, + private_pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type) +{ + pb_tnc_state_t old_state = this->state; + + switch (this->state) + { + case PB_STATE_INIT: + if (this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (!this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_SERVER_WORKING: + if (!this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (!this->is_server && type == PB_BATCH_RESULT) + { + this->state = PB_STATE_DECIDED; + break; + } + if ((this->is_server && type == PB_BATCH_CRETRY) || + (!this->is_server && type == PB_BATCH_SRETRY)) + { + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_CLIENT_WORKING: + if (this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (this->is_server && type == PB_BATCH_CRETRY) + { + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_DECIDED: + if ((this->is_server && type == PB_BATCH_CRETRY) || + (!this->is_server && type == PB_BATCH_SRETRY)) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_END: + if (type == PB_BATCH_CLOSE) + { + break; + } + return FALSE; + } + + if (this->state != old_state) + { + 
DBG2(DBG_TNC, "PB-TNC state transition from '%N' to '%N'", + pb_tnc_state_names, old_state, pb_tnc_state_names, this->state); + } + return TRUE; +} + +METHOD(pb_tnc_state_machine_t, send_batch, bool, + private_pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type) +{ + pb_tnc_state_t old_state = this->state; + + switch (this->state) + { + case PB_STATE_INIT: + if (!this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_SERVER_WORKING: + if (this->is_server && type == PB_BATCH_SDATA) + { + this->state = PB_STATE_CLIENT_WORKING; + break; + } + if (this->is_server && type == PB_BATCH_RESULT) + { + this->state = PB_STATE_DECIDED; + break; + } + if (this->is_server && type == PB_BATCH_SRETRY) + { + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_CLIENT_WORKING: + if (!this->is_server && type == PB_BATCH_CDATA) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_DECIDED: + if ((this->is_server && type == PB_BATCH_SRETRY) || + (!this->is_server && type == PB_BATCH_CRETRY)) + { + this->state = PB_STATE_SERVER_WORKING; + break; + } + if (type == PB_BATCH_CLOSE) + { + this->state = PB_STATE_END; + break; + } + return FALSE; + case PB_STATE_END: + if (type == PB_BATCH_CLOSE) + { + break; + } + return FALSE; + } + + if (this->state != old_state) + { + DBG2(DBG_TNC, "PB-TNC state transition from '%N' to '%N'", + pb_tnc_state_names, old_state, pb_tnc_state_names, this->state); + } + return TRUE; +} + +METHOD(pb_tnc_state_machine_t, destroy, void, + private_pb_tnc_state_machine_t *this) +{ + free(this); +} + +/** + * See header + */ 
+pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server) +{ + private_pb_tnc_state_machine_t *this; + + INIT(this, + .public = { + .get_state = _get_state, + .receive_batch = _receive_batch, + .send_batch = _send_batch, + .destroy = _destroy, + }, + .is_server = is_server, + .state = PB_STATE_INIT, + ); + + return &this->public; +} diff --git a/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h new file mode 100644 index 000000000..8076b6ded --- /dev/null +++ b/src/libcharon/plugins/tnccs_20/state_machine/pb_tnc_state_machine.h 
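Review bot: Neither `switch (this->state)` in `receive_batch` nor the one in `send_batch` has a `default:` case, so a state value outside `pb_tnc_state_t` would fall through to the transition check and return TRUE as though the batch were valid; adding `default: return FALSE;` to both switches makes the state machine fail closed. The two methods are otherwise intended as mirror images with `is_server` inverted, but they are not quite symmetric: `receive_batch` lets a server accept CRETRY in `PB_STATE_SERVER_WORKING` and `PB_STATE_CLIENT_WORKING`, while `send_batch` only lets a client send CRETRY from `PB_STATE_DECIDED` — if that is intentional a comment saying so would stop the next reader from "fixing" it. The doc comment on the `public` member reads `Public pb_pa_message_t interface.`; it should be `Public pb_tnc_state_machine_t interface.`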
@@ -0,0 +1,88 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup pb_tnc_state_machine pb_tnc_state_machine + * @{ @ingroup tnccs_20 + */ + +#ifndef PB_TNC_STATE_MACHINE_H_ +#define PB_TNC_STATE_MACHINE_H_ + +typedef struct pb_tnc_state_machine_t pb_tnc_state_machine_t; +typedef enum pb_tnc_state_t pb_tnc_state_t; + +#include "batch/pb_tnc_batch.h" + +#include + +/** + * PB-TNC States (state machine) as defined in section 3.2 of RFC 5793 + */ +enum pb_tnc_state_t { + PB_STATE_INIT, + PB_STATE_SERVER_WORKING, + PB_STATE_CLIENT_WORKING, + PB_STATE_DECIDED, + PB_STATE_END, +}; + +/** + * enum name for pb_tnc_state_t. + */ +extern enum_name_t *pb_tnc_state_names; + +/** + * Interface for the PB-TNC state machine. 
+ */ +struct pb_tnc_state_machine_t { + + /** + * Get the current PB-TNC STATE + * + * @return current state + */ + pb_tnc_state_t (*get_state)(pb_tnc_state_machine_t *this); + + /** + * Compute state transition due to received PB-TNC Batch + * + * @param type type of received batch + * @result TRUE if a valid transition was found, FALSE otherwise + */ + bool (*receive_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type); + + /** + * Compute state transition due to sent PB-TNC Batch + * + * @param type type of sent batch + * @result TRUE if a valid transition was found, FALSE otherwise + */ + bool (*send_batch)(pb_tnc_state_machine_t *this, pb_tnc_batch_type_t type); + + /** + * Destroys a pb_tnc_state_machine_t object. + */ + void (*destroy)(pb_tnc_state_machine_t *this); +}; + +/** + * Create and initialize a PB-TNC state machine + * + * @param is_server TRUE if PB-TNC server, FALSE if PB-TNC client + */ +pb_tnc_state_machine_t* pb_tnc_state_machine_create(bool is_server); + +#endif /** PB_TNC_STATE_MACHINE_H_ @}*/ diff --git a/src/libcharon/plugins/tnccs_20/tnccs_20.c b/src/libcharon/plugins/tnccs_20/tnccs_20.c index 2bd1bc476..d53fd8eb7 100644 --- a/src/libcharon/plugins/tnccs_20/tnccs_20.c +++ b/src/libcharon/plugins/tnccs_20/tnccs_20.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Sansar Choinyanbuu * Copyright (C) 2010 Andreas Steffen * HSR Hochschule fuer Technik Rapperswil * 
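Review bot: The `receive_batch` and `send_batch` doc blocks use `@result` while `get_state` just above and every other header in this commit use `@return`; for consistency change both to `@return TRUE if a valid transition was found, FALSE otherwise`. It is also worth stating in those comments that on a FALSE result the state is left unchanged, since that is what the implementation does and callers need to know whether to tear the connection down.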
@@ -14,10 +15,23 @@
  */
 #include "tnccs_20.h"
+#include "batch/pb_tnc_batch.h"
+#include "messages/pb_tnc_msg.h"
+#include "messages/pb_pa_msg.h"
+#include "messages/pb_error_msg.h"
+#include "messages/pb_assessment_result_msg.h"
+#include "messages/pb_access_recommendation_msg.h"
+#include "messages/pb_remediation_parameters_msg.h"
+#include "messages/pb_reason_string_msg.h"
+#include "messages/pb_language_preference_msg.h"
+#include "state_machine/pb_tnc_state_machine.h"
 #include 
-
-static chunk_t tncc_output;
+#include 
+#include 
+#include 
+#include 
+#include 
 typedef struct private_tnccs_20_t private_tnccs_20_t;
@@ -35,18 +49,541 @@ struct private_tnccs_20_t { * TNCC if TRUE, TNCS if FALSE */ bool is_server; + + /** + * PB-TNC State Machine + */ + pb_tnc_state_machine_t *state_machine; + + /** + * Connection ID assigned to this TNCCS connection + */ + TNC_ConnectionID connection_id; + + /** + * PB-TNC batch being constructed + */ + pb_tnc_batch_t *batch; + + /** + * Mutex locking the batch in construction + */ + mutex_t *mutex; + + /** + * Flag set while processing + */ + bool fatal_error; + + /** + * Flag set by IMC/IMV RequestHandshakeRetry() function + */ + bool request_handshake_retry; + + /** + * Set of IMV recommendations (TNC Server only) + */ + recommendations_t *recs; }; +METHOD(tnccs_t, send_msg, void, + private_tnccs_20_t* this, TNC_IMCID imc_id, TNC_IMVID imv_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + TNC_MessageSubtype msg_sub_type; + TNC_VendorID msg_vendor_id; + pb_tnc_msg_t *pb_tnc_msg; + pb_tnc_batch_type_t batch_type; + + msg_sub_type = msg_type & TNC_SUBTYPE_ANY; + msg_vendor_id = (msg_type >> 8) & TNC_VENDORID_ANY; + + pb_tnc_msg = pb_pa_msg_create(msg_vendor_id, msg_sub_type, imc_id, imv_id, + chunk_create(msg, msg_len)); + + /* adding PA message to SDATA or CDATA batch only */ + batch_type = this->is_server ? 
PB_BATCH_SDATA : PB_BATCH_CDATA; + this->mutex->lock(this->mutex); + if (!this->batch) + { + this->batch = pb_tnc_batch_create(this->is_server, batch_type); + } + if (this->batch->get_type(this->batch) == batch_type) + { + this->batch->add_msg(this->batch, pb_tnc_msg); + } + else + { + pb_tnc_msg->destroy(pb_tnc_msg); + } + this->mutex->unlock(this->mutex); +} + +/** + * Handle a single PB-TNC message according to its type + */ +static void handle_message(private_tnccs_20_t *this, pb_tnc_msg_t *msg) +{ + switch (msg->get_type(msg)) + { + case PB_MSG_EXPERIMENTAL: + /* nothing to do */ + break; + case PB_MSG_PA: + { + pb_pa_msg_t *pa_msg; + TNC_MessageType msg_type; + u_int32_t vendor_id, subtype; + chunk_t msg_body; + + pa_msg = (pb_pa_msg_t*)msg; + vendor_id = pa_msg->get_vendor_id(pa_msg, &subtype); + msg_type = (vendor_id << 8) | (subtype & 0xff); + msg_body = pa_msg->get_body(pa_msg); + + DBG2(DBG_TNC, "handling PB-PA message type 0x%08x", msg_type); + + if (this->is_server) + { + charon->imvs->receive_message(charon->imvs, + this->connection_id, msg_body.ptr, msg_body.len, msg_type); + } + else + { + charon->imcs->receive_message(charon->imcs, + this->connection_id, msg_body.ptr, msg_body.len,msg_type); + } + break; + } + case PB_MSG_ASSESSMENT_RESULT: + { + pb_assessment_result_msg_t *assess_msg; + u_int32_t result; + + assess_msg = (pb_assessment_result_msg_t*)msg; + result = assess_msg->get_assessment_result(assess_msg); + DBG1(DBG_TNC, "PB-TNC assessment result is '%N'", + TNC_IMV_Evaluation_Result_names, result); + break; + } + case PB_MSG_ACCESS_RECOMMENDATION: + { + pb_access_recommendation_msg_t *rec_msg; + pb_access_recommendation_code_t rec; + TNC_ConnectionState state = TNC_CONNECTION_STATE_ACCESS_NONE; + + rec_msg = (pb_access_recommendation_msg_t*)msg; + rec = rec_msg->get_access_recommendation(rec_msg); + DBG1(DBG_TNC, "PB-TNC access recommendation is '%N'", + pb_access_recommendation_code_names, rec); + switch (rec) + { + case 
PB_REC_ACCESS_ALLOWED: + state = TNC_CONNECTION_STATE_ACCESS_ALLOWED; + break; + case PB_REC_ACCESS_DENIED: + state = TNC_CONNECTION_STATE_ACCESS_NONE; + break; + case PB_REC_QUARANTINED: + state = TNC_CONNECTION_STATE_ACCESS_ISOLATED; + } + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, state); + break; + } + case PB_MSG_REMEDIATION_PARAMETERS: + { + /* TODO : Remediation parameters message processing */ + break; + } + case PB_MSG_ERROR: + { + pb_error_msg_t *err_msg; + bool fatal; + u_int32_t vendor_id; + u_int16_t error_code; + + err_msg = (pb_error_msg_t*)msg; + fatal = err_msg->get_fatal_flag(err_msg); + vendor_id = err_msg->get_vendor_id(err_msg); + error_code = err_msg->get_error_code(err_msg); + + if (fatal) + { + this->fatal_error = TRUE; + } + + if (vendor_id == IETF_VENDOR_ID) + { + switch (error_code) + { + case PB_ERROR_INVALID_PARAMETER: + case PB_ERROR_UNSUPPORTED_MANDATORY_MSG: + DBG1(DBG_TNC, "received %s PB-TNC error '%N' " + "(offset %u bytes)", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code, + err_msg->get_offset(err_msg)); + break; + case PB_ERROR_VERSION_NOT_SUPPORTED: + DBG1(DBG_TNC, "received %s PB-TNC error '%N' " + "caused by bad version 0x%02x", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code, + err_msg->get_bad_version(err_msg)); + break; + case PB_ERROR_UNEXPECTED_BATCH_TYPE: + case PB_ERROR_LOCAL_ERROR: + default: + DBG1(DBG_TNC, "received %s PB-TNC error '%N'", + fatal ? "fatal" : "non-fatal", + pb_tnc_error_code_names, error_code); + break; + } + } + else + { + DBG1(DBG_TNC, "received %s PB-TNC error (%u) " + "with Vendor ID 0x%06x", + fatal ? 
"fatal" : "non-fatal", + error_code, vendor_id); + } + break; + } + case PB_MSG_LANGUAGE_PREFERENCE: + { + pb_language_preference_msg_t *lang_msg; + chunk_t lang; + + lang_msg = (pb_language_preference_msg_t*)msg; + lang = lang_msg->get_language_preference(lang_msg); + + DBG2(DBG_TNC, "setting language preference to '%.*s'", + lang.len, lang.ptr); + this->recs->set_preferred_language(this->recs, lang); + break; + } + case PB_MSG_REASON_STRING: + { + pb_reason_string_msg_t *reason_msg; + chunk_t reason_string, language_code; + + reason_msg = (pb_reason_string_msg_t*)msg; + reason_string = reason_msg->get_reason_string(reason_msg); + language_code = reason_msg->get_language_code(reason_msg); + DBG2(DBG_TNC, "reason string is '%.*s", reason_string.len, + reason_string.ptr); + DBG2(DBG_TNC, "language code is '%.*s", language_code.len, + language_code.ptr); + break; + } + default: + break; + } +} + +/** + * Build a CRETRY or SRETRY batch + */ +static void build_retry_batch(private_tnccs_20_t *this) +{ + if (this->batch) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch->get_type(this->batch)); + this->batch->destroy(this->batch); + } + this->batch = pb_tnc_batch_create(this->is_server, + this->is_server ? 
PB_BATCH_SRETRY : PB_BATCH_CRETRY); +} + METHOD(tls_t, process, status_t, private_tnccs_20_t *this, void *buf, size_t buflen) { + chunk_t data; + pb_tnc_batch_t *batch; + pb_tnc_msg_t *msg; + enumerator_t *enumerator; + status_t status; + + if (this->is_server && !this->connection_id) + { + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, &this->recs); + if (!this->connection_id) + { + return FAILED; + } + charon->imvs->notify_connection_change(charon->imvs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); + } + + data = chunk_create(buf, buflen); + DBG1(DBG_TNC, "received TNCCS batch (%u bytes) for Connection ID %u", + data.len, this->connection_id); + DBG3(DBG_TNC, "%B", &data); + batch = pb_tnc_batch_create_from_data(this->is_server, data); + status = batch->process(batch, this->state_machine); + + if (status != FAILED) + { + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + pb_tnc_batch_type_t batch_type; + bool empty = TRUE; + + batch_type = batch->get_type(batch); + + if (batch_type == PB_BATCH_CRETRY) + { + /* Send an SRETRY batch in response */ + this->mutex->lock(this->mutex); + build_retry_batch(this); + this->mutex->unlock(this->mutex); + } + else if (batch_type == PB_BATCH_SRETRY) + { + /* Restart the measurements */ + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + charon->imcs->begin_handshake(charon->imcs, this->connection_id); + } + + enumerator = batch->create_msg_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + handle_message(this, msg); + empty = FALSE; + } + enumerator->destroy(enumerator); + + /* received an empty CLOSE batch from PB-TNC client */ + if (this->is_server && batch_type == PB_BATCH_CLOSE && empty) + { + batch->destroy(batch); + if (this->fatal_error) + { + DBG1(DBG_TNC, "a fatal PB-TNC error occurred, " + "terminating connection"); + return FAILED; + } + else 
+ { + return SUCCESS; + } + } + + if (this->is_server) + { + charon->imvs->batch_ending(charon->imvs, this->connection_id); + } + else + { + charon->imcs->batch_ending(charon->imcs, this->connection_id); + } + } + + switch (status) + { + case FAILED: + this->fatal_error = TRUE; + this->mutex->lock(this->mutex); + if (this->batch) + { + DBG1(DBG_TNC, "cancelling PB-TNC %N batch", + pb_tnc_batch_type_names, this->batch->get_type(this->batch)); + this->batch->destroy(this->batch); + } + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE); + this->mutex->unlock(this->mutex); + /* fall through to add error messages to outbound batch */ + case VERIFY_ERROR: + enumerator = batch->create_error_enumerator(batch); + while (enumerator->enumerate(enumerator, &msg)) + { + this->mutex->lock(this->mutex); + this->batch->add_msg(this->batch, msg->get_ref(msg)); + this->mutex->unlock(this->mutex); + } + enumerator->destroy(enumerator); + break; + case SUCCESS: + default: + break; + } + batch->destroy(batch); + return NEED_MORE; } +/** + * Build a RESULT batch if a final recommendation is available + */ +static void check_and_build_recommendation(private_tnccs_20_t *this) +{ + TNC_IMV_Action_Recommendation rec; + TNC_IMV_Evaluation_Result eval; + TNC_IMVID id; + chunk_t reason, language; + enumerator_t *enumerator; + pb_tnc_msg_t *msg; + + if (!this->recs->have_recommendation(this->recs, &rec, &eval)) + { + charon->imvs->solicit_recommendation(charon->imvs, this->connection_id); + } + if (this->recs->have_recommendation(this->recs, &rec, &eval)) + { + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_RESULT); + + msg = pb_assessment_result_msg_create(eval); + this->batch->add_msg(this->batch, msg); + + /** + * IMV Action Recommendation and PB Access Recommendation codes + * are shifted by one. 
+ */ + msg = pb_access_recommendation_msg_create(rec + 1); + this->batch->add_msg(this->batch, msg); + + enumerator = this->recs->create_reason_enumerator(this->recs); + while (enumerator->enumerate(enumerator, &id, &reason, &language)) + { + msg = pb_reason_string_msg_create(reason, language); + this->batch->add_msg(this->batch, msg); + } + enumerator->destroy(enumerator); + } +} + METHOD(tls_t, build, status_t, private_tnccs_20_t *this, void *buf, size_t *buflen, size_t *msglen) { - return ALREADY_DONE; + status_t status; + + /* Initialize the connection */ + if (!this->is_server && !this->connection_id) + { + pb_tnc_msg_t *msg; + char *pref_lang; + + this->connection_id = charon->tnccs->create_connection(charon->tnccs, + (tnccs_t*)this, _send_msg, + &this->request_handshake_retry, NULL); + if (!this->connection_id) + { + return FAILED; + } + + /* Create PB-TNC Language Preference message */ + pref_lang = charon->imcs->get_preferred_language(charon->imcs); + msg = pb_language_preference_msg_create(chunk_create(pref_lang, + strlen(pref_lang))); + this->mutex->lock(this->mutex); + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CDATA); + this->batch->add_msg(this->batch, msg); + this->mutex->unlock(this->mutex); + + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_CREATE); + charon->imcs->notify_connection_change(charon->imcs, + this->connection_id, TNC_CONNECTION_STATE_HANDSHAKE); + charon->imcs->begin_handshake(charon->imcs, this->connection_id); + } + + if (this->is_server && this->fatal_error && + this->state_machine->get_state(this->state_machine) == PB_STATE_END) + { + DBG1(DBG_TNC, "a fatal PB-TNC error occurred, terminating connection"); + return FAILED; + } + + /* Do not allow any asynchronous IMCs or IMVs to add additional messages */ + this->mutex->lock(this->mutex); + + if (this->request_handshake_retry) + { + build_retry_batch(this); + + /* Reset the flag for the next handshake retry request 
*/ + this->request_handshake_retry = FALSE; + } + + if (!this->batch) + { + pb_tnc_state_t state; + + state = this->state_machine->get_state(this->state_machine); + if (this->is_server) + { + if (state == PB_STATE_SERVER_WORKING) + { + check_and_build_recommendation(this); + } + } + else + { + /** + * if the DECIDED state has been reached and no CRETRY is under way + * or if a CLOSE batch with error messages has been received, + * a PB-TNC client replies with an empty CLOSE batch. + */ + if (state == PB_STATE_DECIDED || state == PB_STATE_END) + { + this->batch = pb_tnc_batch_create(this->is_server, PB_BATCH_CLOSE); + } + } + } + + if (this->batch) + { + pb_tnc_batch_type_t batch_type; + chunk_t data; + + batch_type = this->batch->get_type(this->batch); + + if (this->state_machine->send_batch(this->state_machine, batch_type)) + { + this->batch->build(this->batch); + data = this->batch->get_encoding(this->batch); + DBG1(DBG_TNC, "sending PB-TNC %N batch (%d bytes) for Connection ID %u", + pb_tnc_batch_type_names, batch_type, data.len, + this->connection_id); + DBG3(DBG_TNC, "%B", &data); + *msglen = data.len; + + if (data.len > *buflen) + { + DBG1(DBG_TNC, "fragmentation of PB-TNC batch not supported yet"); + } + else + { + *buflen = data.len; + } + memcpy(buf, data.ptr, *buflen); + status = ALREADY_DONE; + } + else + { + DBG1(DBG_TNC, "cancelling unexpected PB-TNC batch type: %N", + pb_tnc_batch_type_names, batch_type); + status = INVALID_STATE; + } + + this->batch->destroy(this->batch); + this->batch = NULL; + } + else + { + DBG1(DBG_TNC, "no PB-TNC batch to send"); + status = INVALID_STATE; + } + this->mutex->unlock(this->mutex); + + return status; } METHOD(tls_t, is_server, bool, 
@@ -64,7 +601,21 @@ METHOD(tls_t, get_purpose, tls_purpose_t,
 METHOD(tls_t, is_complete, bool,
 private_tnccs_20_t *this)
 {
- return FALSE;
+ TNC_IMV_Action_Recommendation rec;
+ TNC_IMV_Evaluation_Result eval;
+
+ if (this->recs && this->recs->have_recommendation(this->recs, &rec, &eval))
+ {
+ DBG2(DBG_TNC, "Final recommendation is '%N' and evaluation is '%N'",
+ TNC_IMV_Action_Recommendation_names, rec,
+ TNC_IMV_Evaluation_Result_names, eval);
+
+ return charon->imvs->enforce_recommendation(charon->imvs, rec);
+ }
+ else
+ {
+ return FALSE;
+ }
 }
 
 METHOD(tls_t, get_eap_msk, chunk_t,
@@ -76,6 +627,20 @@ METHOD(tls_t, get_eap_msk, chunk_t,
 METHOD(tls_t, destroy, void,
 private_tnccs_20_t *this)
 {
+ if (this->is_server)
+ {
+ charon->imvs->notify_connection_change(charon->imvs,
+ this->connection_id, TNC_CONNECTION_STATE_DELETE);
+ }
+ else
+ {
+ charon->imcs->notify_connection_change(charon->imcs,
+ this->connection_id, TNC_CONNECTION_STATE_DELETE);
+ }
+ charon->tnccs->remove_connection(charon->tnccs, this->connection_id);
+ this->state_machine->destroy(this->state_machine);
+ this->mutex->destroy(this->mutex);
+ DESTROY_IF(this->batch);
 free(this);
 }
 
@@ -97,6 +662,8 @@ tls_t *tnccs_20_create(bool is_server)
 .destroy = _destroy,
 },
 .is_server = is_server,
+ .state_machine = pb_tnc_state_machine_create(is_server),
+ .mutex = mutex_create(MUTEX_TYPE_DEFAULT),
 );
 
 return &this->public;
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.am b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
new file mode 100644
index 000000000..9a81d065f
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.am
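Review bot: destroy() in the second hunk notifies the IMV/IMC managers of TNC_CONNECTION_STATE_DELETE and calls remove_connection() even when this->connection_id is still 0, which process() and build() earlier in this file treat as the "no connection created yet" sentinel (a handler torn down before any batch arrived, or after create_connection() returned 0, takes this path). Unless charon->tnccs and the IMV/IMC managers are known to ignore ID 0, guard the whole block with `if (this->connection_id)` before the notifications and the remove_connection() call. The hunk also leaves this->recs untouched, while process() obtains it through create_connection(&this->recs); presumably the TNCCS manager owns it and releases it in remove_connection(), but a one-line comment stating that ownership would spare the next reader the same question.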
@@ -0,0 +1,17 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
+else
+plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la
+libstrongswan_tnccs_dynamic_la_LIBADD = $(top_builddir)/src/libtls/libtls.la
+endif
+
+libstrongswan_tnccs_dynamic_la_SOURCES = \
+ tnccs_dynamic_plugin.h tnccs_dynamic_plugin.c tnccs_dynamic.h tnccs_dynamic.c
+
+libstrongswan_tnccs_dynamic_la_LDFLAGS = -module -avoid-version
diff --git a/src/libcharon/plugins/tnccs_dynamic/Makefile.in b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
new file mode 100644
index 000000000..722da2830
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/Makefile.in
@@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libcharon/plugins/tnccs_dynamic +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = 
srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_DEPENDENCIES = \ +@MONOLITHIC_FALSE@ $(top_builddir)/src/libtls/libtls.la +am_libstrongswan_tnccs_dynamic_la_OBJECTS = tnccs_dynamic_plugin.lo \ + tnccs_dynamic.lo +libstrongswan_tnccs_dynamic_la_OBJECTS = \ + $(am_libstrongswan_tnccs_dynamic_la_OBJECTS) +libstrongswan_tnccs_dynamic_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_tnccs_dynamic_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_tnccs_dynamic_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_tnccs_dynamic_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES) +DIST_SOURCES = $(libstrongswan_tnccs_dynamic_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ 
+PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = 
@pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan -I$(top_srcdir)/src/libhydra \ + -I$(top_srcdir)/src/libcharon -I$(top_srcdir)/src/libtls + +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-tnccs-dynamic.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-tnccs-dynamic.la +@MONOLITHIC_FALSE@libstrongswan_tnccs_dynamic_la_LIBADD = $(top_builddir)/src/libtls/libtls.la +libstrongswan_tnccs_dynamic_la_SOURCES = \ + tnccs_dynamic_plugin.h tnccs_dynamic_plugin.c tnccs_dynamic.h tnccs_dynamic.c + +libstrongswan_tnccs_dynamic_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_dynamic/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libcharon/plugins/tnccs_dynamic/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + 
@case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done 
+ +clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-tnccs-dynamic.la: $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_DEPENDENCIES) + $(libstrongswan_tnccs_dynamic_la_LINK) $(am_libstrongswan_tnccs_dynamic_la_rpath) $(libstrongswan_tnccs_dynamic_la_OBJECTS) $(libstrongswan_tnccs_dynamic_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tnccs_dynamic_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + 
list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic 
mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c new file mode 100644 index 000000000..b7985fa51 --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.c 
@@ -0,0 +1,146 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs_dynamic.h"
+
+#include
+#include
+
+typedef struct private_tnccs_dynamic_t private_tnccs_dynamic_t;
+
+/**
+ * Private data of a tnccs_dynamic_t object.
+ */
+struct private_tnccs_dynamic_t {
+
+ /**
+ * Public tls_t interface.
+ */
+ tls_t public;
+
+ /**
+ * Detected TNC IF-TNCCS stack
+ */
+ tls_t *tls;
+};
+
+/**
+ * Determine the version of the IF-TNCCS protocol used by analyzing the first
+ * byte of the TNCCS batch received from a TNC Client according to the rules
+ * defined by section 3.5 "Interoperability with older IF-TNCCS versions" of
+ * the TCG TNC IF-TNCCS TLV Bindings Version 2.0 standard.
+ */
+tnccs_type_t determine_tnccs_protocol(char version)
+{
+ switch (version)
+ {
+ case '\t':
+ case '\n':
+ case '\r':
+ case ' ':
+ case '<':
+ return TNCCS_1_1;
+ case 0x00:
+ return TNCCS_SOH;
+ case 0x02:
+ return TNCCS_2_0;
+ default:
+ return TNCCS_UNKNOWN;
+ }
+}
+
+METHOD(tls_t, process, status_t,
+ private_tnccs_dynamic_t *this, void *buf, size_t buflen)
+{
+ tnccs_type_t type;
+
+ if (!this->tls)
+ {
+ if (buflen == 0)
+ {
+ return FAILED;
+ }
+ type = determine_tnccs_protocol(*(char*)buf);
+ DBG1(DBG_TNC, "%N protocol detected dynamically",
+ tnccs_type_names, type);
+ this->tls = (tls_t*)charon->tnccs->create_instance(charon->tnccs,
+ type, TRUE);
+ if (!this->tls)
+ {
+ DBG1(DBG_TNC, "N% protocol not supported", tnccs_type_names, type);
+ return FAILED;
+ }
+ }
+ return this->tls->process(this->tls, buf, buflen);
+}
+
+METHOD(tls_t, build, status_t,
+ private_tnccs_dynamic_t *this, void *buf, size_t *buflen, size_t *msglen)
+{
+ return this->tls->build(this->tls, buf, buflen, msglen);
+}
+
+METHOD(tls_t, is_server, bool,
+ private_tnccs_dynamic_t *this)
+{
+ return TRUE;
+}
+
+METHOD(tls_t, get_purpose, tls_purpose_t,
+ private_tnccs_dynamic_t *this)
+{
+ return TLS_PURPOSE_EAP_TNC;
+}
+
+METHOD(tls_t, is_complete, bool,
+ private_tnccs_dynamic_t *this)
+{
+ return this->tls ? this->tls->is_complete(this->tls) : FALSE;
+}
+
+METHOD(tls_t, get_eap_msk, chunk_t,
+ private_tnccs_dynamic_t *this)
+{
+ return chunk_empty;
+}
+
+METHOD(tls_t, destroy, void,
+ private_tnccs_dynamic_t *this)
+{
+ DESTROY_IF(this->tls);
+ free(this);
+}
+
+/**
+ * See header
+ */
+tls_t *tnccs_dynamic_create(bool is_server)
+{
+ private_tnccs_dynamic_t *this;
+
+ INIT(this,
+ .public = {
+ .process = _process,
+ .build = _build,
+ .is_server = _is_server,
+ .get_purpose = _get_purpose,
+ .is_complete = _is_complete,
+ .get_eap_msk = _get_eap_msk,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
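Review bot: The error path in process() has its conversion specifier transposed, `"N% protocol not supported"`, so the `% p` that the printf machinery sees consumes tnccs_type_names as a pointer argument and the protocol name is never printed; it should read `DBG1(DBG_TNC, "%N protocol not supported", tnccs_type_names, type);`. build() delegates to this->tls without the NULL guard that is_complete() and destroy() have, so if the tls_eap layer can call build() before the first batch has been processed (not visible from this hunk, but plausible for a server-side handler), it dereferences NULL; adding `if (!this->tls) { return FAILED; }` ahead of the delegation closes that. determine_tnccs_protocol() is not declared in tnccs_dynamic.h and has no other caller in this file, so it should be `static tnccs_type_t determine_tnccs_protocol(char version)`. Note also that the is_server argument of tnccs_dynamic_create() is never read: is_server() returns TRUE unconditionally and create_instance() is called with a literal TRUE, which should either be documented or wired through.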
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
new file mode 100644
index 000000000..42410b17f
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2011 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup tnccs_dynamic_h tnccs_dynamic
+ * @{ @ingroup tnccs_dynamic
+ */
+
+#ifndef TNCCS_DYNAMIC_H_
+#define TNCCS_DYNAMIC_H_
+
+#include
+
+#include
+
+/**
+ * Create an instance of a dynamic TNC IF-TNCCS protocol handler.
+ *
+ * @param is_server TRUE to act as TNC Server, FALSE for TNC Client
+ * @return dynamic TNC IF-TNCCS protocol stack
+ */
+tls_t *tnccs_dynamic_create(bool is_server);
+
+#endif /** TNCCS_DYNAMIC_H_ @}*/
diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
new file mode 100644
index 000000000..dbbf222e0
--- /dev/null
+++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.c
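Review bot: The `@param is_server TRUE to act as TNC Server, FALSE for TNC Client` line documents a choice the implementation does not offer: in tnccs_dynamic.c the argument is never read, is_server() returns TRUE unconditionally, and the detected stack is created with a literal TRUE. Either honour the parameter in the .c file or change the doc comment to state the real contract, e.g. ` * @param is_server	ignored; the dynamic handler always acts as TNC Server (it detects the protocol from the client's first batch)`. The function comment would also benefit from one sentence saying that the concrete IF-TNCCS stack is instantiated lazily on the first process() call, since callers of build() before that point cannot get a batch.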
@@ -0,0 +1,47 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_dynamic_plugin.h" +#include "tnccs_dynamic.h" + +#include + +METHOD(plugin_t, destroy, void, + tnccs_dynamic_plugin_t *this) +{ + charon->tnccs->remove_method(charon->tnccs, + (tnccs_constructor_t)tnccs_dynamic_create); + free(this); +} + +/* + * see header file + */ +plugin_t *tnccs_dynamic_plugin_create() +{ + tnccs_dynamic_plugin_t *this; + + INIT(this, + .plugin = { + .destroy = _destroy, + }, + ); + + charon->tnccs->add_method(charon->tnccs, TNCCS_DYNAMIC, + (tnccs_constructor_t)tnccs_dynamic_create); + + return &this->plugin; +} + diff --git a/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h new file mode 100644 index 000000000..b518e1278 --- /dev/null +++ b/src/libcharon/plugins/tnccs_dynamic/tnccs_dynamic_plugin.h 
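Review bot: `plugin_t *tnccs_dynamic_plugin_create()` is declared with empty parentheses, which in C means "unspecified arguments" rather than "no arguments"; `start_action_job_create(void)` elsewhere in this commit uses the explicit form, so write `plugin_t *tnccs_dynamic_plugin_create(void)` here as well. The `/* see header file */` comment above it does not resolve to anything, because the tnccs_dynamic_plugin.h added in this commit declares only the struct, so the constructor has no documentation at all. A short comment such as `/* Registers tnccs_dynamic_create() as the TNCCS_DYNAMIC constructor with charon->tnccs; destroy() removes it again. */` would record the side effect a reader needs to know about.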
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_dynamic tnccs_dynamic + * @ingroup cplugins + * + * @defgroup tnccs_dynamic_plugin tnccs_dynamic_plugin + * @{ @ingroup tnccs_dynamic + */ + +#ifndef TNCCS_DYNAMIC_PLUGIN_H_ +#define TNCCS_DYNAMIC_PLUGIN_H_ + +#include + +typedef struct tnccs_dynamic_plugin_t tnccs_dynamic_plugin_t; + +/** + * EAP-TNC plugin + */ +struct tnccs_dynamic_plugin_t { + + /** + * implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** TNCCS_DYNAMIC_PLUGIN_H_ @}*/ diff --git a/src/libcharon/plugins/uci/Makefile.in b/src/libcharon/plugins/uci/Makefile.in index 9cb5f794a..f7162d800 100644 --- a/src/libcharon/plugins/uci/Makefile.in +++ b/src/libcharon/plugins/uci/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
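Review bot: The doc comment on `struct tnccs_dynamic_plugin_t` reads `EAP-TNC plugin`, which looks copied from another plugin header; this struct belongs to the dynamic IF-TNCCS plugin. Replace it with `/** Plugin providing the dynamic TNC IF-TNCCS protocol handler */` so the Doxygen group `tnccs_dynamic_plugin` describes what it actually contains.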
diff --git a/src/libcharon/plugins/uci/uci_config.c b/src/libcharon/plugins/uci/uci_config.c index ddddae782..4e43388ec 100644 --- a/src/libcharon/plugins/uci/uci_config.c +++ b/src/libcharon/plugins/uci/uci_config.c @@ -196,8 +196,8 @@ static bool peer_enumerator_enumerate(peer_enumerator_t *this, peer_cfg_t **cfg) this->peer_cfg->add_auth_cfg(this->peer_cfg, auth, FALSE); child_cfg = child_cfg_create(name, &lifetime, NULL, TRUE, MODE_TUNNEL, - ACTION_NONE, ACTION_NONE, FALSE, 0, 0, - NULL, NULL); + ACTION_NONE, ACTION_NONE, ACTION_NONE, + FALSE, 0, 0, NULL, NULL, 0); child_cfg->add_proposal(child_cfg, create_proposal(esp_proposal, PROTO_ESP)); child_cfg->add_traffic_selector(child_cfg, TRUE, create_ts(local_net)); child_cfg->add_traffic_selector(child_cfg, FALSE, create_ts(remote_net)); diff --git a/src/libcharon/plugins/unit_tester/Makefile.in b/src/libcharon/plugins/unit_tester/Makefile.in index 47fff7e1d..5fa749e56 100644 --- a/src/libcharon/plugins/unit_tester/Makefile.in +++ b/src/libcharon/plugins/unit_tester/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/plugins/updown/Makefile.in b/src/libcharon/plugins/updown/Makefile.in index e93955d71..5dd2dc843 100644 --- a/src/libcharon/plugins/updown/Makefile.in +++ b/src/libcharon/plugins/updown/Makefile.in 
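Review bot: The rewritten `child_cfg_create()` call in `peer_enumerator_enumerate` now passes nine unlabelled positional values (`ACTION_NONE, ACTION_NONE, ACTION_NONE, FALSE, 0, 0, NULL, NULL, 0`), and a reader cannot tell which action argument or the new trailing `0` maps to which parameter. A one-line comment naming the parameters in order — presumably the three child actions followed by the new integer this commit appends; confirm against the `child_cfg_create` prototype — would make the next signature change reviewable. The enclosing function starts and ends outside the hunk.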
@@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libcharon/processing/jobs/acquire_job.c b/src/libcharon/processing/jobs/acquire_job.c index 45ace9312..3544dd332 100644 --- a/src/libcharon/processing/jobs/acquire_job.c +++ b/src/libcharon/processing/jobs/acquire_job.c @@ -45,20 +45,16 @@ struct private_acquire_job_t { traffic_selector_t *dst_ts; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_acquire_job_t *this) +METHOD(job_t, destroy, void, + private_acquire_job_t *this) { DESTROY_IF(this->src_ts); DESTROY_IF(this->dst_ts); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_acquire_job_t *this) +METHOD(job_t, execute, void, + private_acquire_job_t *this) { charon->traps->acquire(charon->traps, this->reqid, this->src_ts, this->dst_ts); @@ -72,14 +68,19 @@ acquire_job_t *acquire_job_create(u_int32_t reqid, traffic_selector_t *src_ts, traffic_selector_t *dst_ts) { - private_acquire_job_t *this = malloc_thing(private_acquire_job_t); - - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + private_acquire_job_t *this; - this->reqid = reqid; - this->src_ts = src_ts; - this->dst_ts = dst_ts; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .src_ts = src_ts, + .dst_ts = dst_ts, + ); return &this->public; } 
diff --git a/src/libcharon/processing/jobs/delete_child_sa_job.c b/src/libcharon/processing/jobs/delete_child_sa_job.c index ca55721f2..29122cd03 100644 --- a/src/libcharon/processing/jobs/delete_child_sa_job.c +++ b/src/libcharon/processing/jobs/delete_child_sa_job.c @@ -46,18 +46,14 @@ struct private_delete_child_sa_job_t { u_int32_t spi; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_delete_child_sa_job_t *this) +METHOD(job_t, destroy, void, + private_delete_child_sa_job_t *this) { free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_delete_child_sa_job_t *this) +METHOD(job_t, execute, void, + private_delete_child_sa_job_t *this) { ike_sa_t *ike_sa; @@ -84,16 +80,19 @@ delete_child_sa_job_t *delete_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi) { - private_delete_child_sa_job_t *this = malloc_thing(private_delete_child_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; - - /* private variables */ - this->reqid = reqid; - this->protocol = protocol; - this->spi = spi; + private_delete_child_sa_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .protocol = protocol, + .spi = spi, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/delete_ike_sa_job.c b/src/libcharon/processing/jobs/delete_ike_sa_job.c index dffd08ba3..da3ecf06f 100644 --- a/src/libcharon/processing/jobs/delete_ike_sa_job.c +++ b/src/libcharon/processing/jobs/delete_ike_sa_job.c 
@@ -41,19 +41,15 @@ struct private_delete_ike_sa_job_t { }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_delete_ike_sa_job_t *this) +METHOD(job_t, destroy, void, + private_delete_ike_sa_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_delete_ike_sa_job_t *this) +METHOD(job_t, execute, void, + private_delete_ike_sa_job_t *this) { ike_sa_t *ike_sa; @@ -102,15 +98,18 @@ static void execute(private_delete_ike_sa_job_t *this) delete_ike_sa_job_t *delete_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool delete_if_established) { - private_delete_ike_sa_job_t *this = malloc_thing(private_delete_ike_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t *)) destroy;; + private_delete_ike_sa_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->delete_if_established = delete_if_established; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + .delete_if_established = delete_if_established, + ); return &(this->public); } diff --git a/src/libcharon/processing/jobs/migrate_job.c b/src/libcharon/processing/jobs/migrate_job.c index 05f47340c..5e7c7ae88 100644 --- a/src/libcharon/processing/jobs/migrate_job.c +++ b/src/libcharon/processing/jobs/migrate_job.c @@ -57,10 +57,8 @@ struct private_migrate_job_t { host_t *remote; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_migrate_job_t *this) +METHOD(job_t, destroy, void, + private_migrate_job_t *this) { DESTROY_IF(this->src_ts); DESTROY_IF(this->dst_ts); 
@@ -69,10 +67,8 @@ static void destroy(private_migrate_job_t *this) free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_migrate_job_t *this) +METHOD(job_t, execute, void, + private_migrate_job_t *this) { ike_sa_t *ike_sa = NULL; @@ -133,18 +129,21 @@ migrate_job_t *migrate_job_create(u_int32_t reqid, policy_dir_t dir, host_t *local, host_t *remote) { - private_migrate_job_t *this = malloc_thing(private_migrate_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; - - /* private variables */ - this->reqid = reqid; - this->src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts; - this->dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts; - this->local = local; - this->remote = remote; + private_migrate_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .src_ts = (dir == POLICY_OUT) ? src_ts : dst_ts, + .dst_ts = (dir == POLICY_OUT) ? dst_ts : src_ts, + .local = local, + .remote = remote, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/process_message_job.c b/src/libcharon/processing/jobs/process_message_job.c index a47d48e38..b6de4fc0f 100644 --- a/src/libcharon/processing/jobs/process_message_job.c +++ b/src/libcharon/processing/jobs/process_message_job.c @@ -35,19 +35,15 @@ struct private_process_message_job_t { message_t *message; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_process_message_job_t *this) +METHOD(job_t, destroy, void, + private_process_message_job_t *this) { this->message->destroy(this->message); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_process_message_job_t *this) +METHOD(job_t, execute, void, + private_process_message_job_t *this) { ike_sa_t *ike_sa; 
@@ -93,14 +89,17 @@ static void execute(private_process_message_job_t *this) */ process_message_job_t *process_message_job_create(message_t *message) { - private_process_message_job_t *this = malloc_thing(private_process_message_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void(*)(job_t*))destroy; + private_process_message_job_t *this; - /* private variables */ - this->message = message; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .message = message, + ); return &(this->public); } diff --git a/src/libcharon/processing/jobs/rekey_child_sa_job.c b/src/libcharon/processing/jobs/rekey_child_sa_job.c index b797d181e..2bcee2ddf 100644 --- a/src/libcharon/processing/jobs/rekey_child_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_child_sa_job.c @@ -45,18 +45,14 @@ struct private_rekey_child_sa_job_t { u_int32_t spi; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_rekey_child_sa_job_t *this) +METHOD(job_t, destroy, void, + private_rekey_child_sa_job_t *this) { free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_rekey_child_sa_job_t *this) +METHOD(job_t, execute, void, + private_rekey_child_sa_job_t *this) { ike_sa_t *ike_sa; 
@@ -82,16 +78,19 @@ rekey_child_sa_job_t *rekey_child_sa_job_create(u_int32_t reqid, protocol_id_t protocol, u_int32_t spi) { - private_rekey_child_sa_job_t *this = malloc_thing(private_rekey_child_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + private_rekey_child_sa_job_t *this; - /* private variables */ - this->reqid = reqid; - this->protocol = protocol; - this->spi = spi; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .protocol = protocol, + .spi = spi, + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/rekey_ike_sa_job.c b/src/libcharon/processing/jobs/rekey_ike_sa_job.c index 5ec0b1b88..dc86ba9b3 100644 --- a/src/libcharon/processing/jobs/rekey_ike_sa_job.c +++ b/src/libcharon/processing/jobs/rekey_ike_sa_job.c @@ -39,19 +39,15 @@ struct private_rekey_ike_sa_job_t { bool reauth; }; -/** - * Implementation of job_t.destroy. - */ -static void destroy(private_rekey_ike_sa_job_t *this) +METHOD(job_t, destroy, void, + private_rekey_ike_sa_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_rekey_ike_sa_job_t *this) +METHOD(job_t, execute, void, + private_rekey_ike_sa_job_t *this) { ike_sa_t *ike_sa; status_t status = SUCCESS; 
@@ -90,15 +86,18 @@ static void execute(private_rekey_ike_sa_job_t *this) */ rekey_ike_sa_job_t *rekey_ike_sa_job_create(ike_sa_id_t *ike_sa_id, bool reauth) { - private_rekey_ike_sa_job_t *this = malloc_thing(private_rekey_ike_sa_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*)(job_t*)) destroy; + private_rekey_ike_sa_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); - this->reauth = reauth; + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + .reauth = reauth, + ); return &(this->public); } diff --git a/src/libcharon/processing/jobs/retransmit_job.c b/src/libcharon/processing/jobs/retransmit_job.c index fc787f208..1c78abd27 100644 --- a/src/libcharon/processing/jobs/retransmit_job.c +++ b/src/libcharon/processing/jobs/retransmit_job.c @@ -40,19 +40,15 @@ struct private_retransmit_job_t { ike_sa_id_t *ike_sa_id; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_retransmit_job_t *this) +METHOD(job_t, destroy, void, + private_retransmit_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_retransmit_job_t *this) +METHOD(job_t, execute, void, + private_retransmit_job_t *this) { ike_sa_t *ike_sa; 
@@ -79,15 +75,18 @@ static void execute(private_retransmit_job_t *this) */ retransmit_job_t *retransmit_job_create(u_int32_t message_id,ike_sa_id_t *ike_sa_id) { - private_retransmit_job_t *this = malloc_thing(private_retransmit_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + private_retransmit_job_t *this; - /* private variables */ - this->message_id = message_id; - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .message_id = message_id, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/roam_job.c b/src/libcharon/processing/jobs/roam_job.c index adc884a8a..74ef8bd6d 100644 --- a/src/libcharon/processing/jobs/roam_job.c +++ b/src/libcharon/processing/jobs/roam_job.c @@ -38,18 +38,14 @@ struct private_roam_job_t { bool address; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_roam_job_t *this) +METHOD(job_t, destroy, void, + private_roam_job_t *this) { free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_roam_job_t *this) +METHOD(job_t, execute, void, + private_roam_job_t *this) { ike_sa_t *ike_sa; linked_list_t *list; @@ -94,12 +90,17 @@ static void execute(private_roam_job_t *this) */ roam_job_t *roam_job_create(bool address) { - private_roam_job_t *this = malloc_thing(private_roam_job_t); - - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; - - this->address = address; + private_roam_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .address = address, + ); return &this->public; } 
diff --git a/src/libcharon/processing/jobs/send_dpd_job.c b/src/libcharon/processing/jobs/send_dpd_job.c index 1c2da52b8..47b525363 100644 --- a/src/libcharon/processing/jobs/send_dpd_job.c +++ b/src/libcharon/processing/jobs/send_dpd_job.c @@ -38,19 +38,15 @@ struct private_send_dpd_job_t { ike_sa_id_t *ike_sa_id; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_send_dpd_job_t *this) +METHOD(job_t, destroy, void, + private_send_dpd_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_send_dpd_job_t *this) +METHOD(job_t, execute, void, + private_send_dpd_job_t *this) { ike_sa_t *ike_sa; @@ -75,14 +71,17 @@ static void execute(private_send_dpd_job_t *this) */ send_dpd_job_t *send_dpd_job_create(ike_sa_id_t *ike_sa_id) { - private_send_dpd_job_t *this = malloc_thing(private_send_dpd_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + private_send_dpd_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/send_keepalive_job.c b/src/libcharon/processing/jobs/send_keepalive_job.c index 3d02cea2e..8d98aad7e 100644 --- a/src/libcharon/processing/jobs/send_keepalive_job.c +++ b/src/libcharon/processing/jobs/send_keepalive_job.c 
@@ -38,19 +38,15 @@ struct private_send_keepalive_job_t { ike_sa_id_t *ike_sa_id; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_send_keepalive_job_t *this) +METHOD(job_t, destroy, void, + private_send_keepalive_job_t *this) { this->ike_sa_id->destroy(this->ike_sa_id); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_send_keepalive_job_t *this) +METHOD(job_t, execute, void, + private_send_keepalive_job_t *this) { ike_sa_t *ike_sa; @@ -69,14 +65,17 @@ static void execute(private_send_keepalive_job_t *this) */ send_keepalive_job_t *send_keepalive_job_create(ike_sa_id_t *ike_sa_id) { - private_send_keepalive_job_t *this = malloc_thing(private_send_keepalive_job_t); - - /* interface functions */ - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; + private_send_keepalive_job_t *this; - /* private variables */ - this->ike_sa_id = ike_sa_id->clone(ike_sa_id); + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .ike_sa_id = ike_sa_id->clone(ike_sa_id), + ); return &this->public; } diff --git a/src/libcharon/processing/jobs/start_action_job.c b/src/libcharon/processing/jobs/start_action_job.c new file mode 100644 index 000000000..5dda18be2 --- /dev/null +++ b/src/libcharon/processing/jobs/start_action_job.c 
@@ -0,0 +1,101 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "start_action_job.h" + +#include + + +typedef struct private_start_action_job_t private_start_action_job_t; + +/** + * Private data of an start_action_job_t object. + */ +struct private_start_action_job_t { + /** + * Public start_action_job_t interface. + */ + start_action_job_t public; +}; + +METHOD(job_t, destroy, void, + private_start_action_job_t *this) +{ + free(this); +} + +METHOD(job_t, execute, void, + private_start_action_job_t *this) +{ + enumerator_t *enumerator, *children; + peer_cfg_t *peer_cfg; + child_cfg_t *child_cfg; + char *name; + + enumerator = charon->backends->create_peer_cfg_enumerator(charon->backends, + NULL, NULL, NULL, NULL); + while (enumerator->enumerate(enumerator, &peer_cfg)) + { + if (peer_cfg->get_ike_version(peer_cfg) != 2) + { + continue; + } + + children = peer_cfg->create_child_cfg_enumerator(peer_cfg); + while (children->enumerate(children, &child_cfg)) + { + name = child_cfg->get_name(child_cfg); + + switch (child_cfg->get_start_action(child_cfg)) + { + case ACTION_RESTART: + DBG1(DBG_JOB, "start action: initiate '%s'", name); + charon->controller->initiate(charon->controller, + peer_cfg->get_ref(peer_cfg), + child_cfg->get_ref(child_cfg), + NULL, NULL); + break; + case ACTION_ROUTE: + DBG1(DBG_JOB, "start action: route '%s'", name); + charon->traps->install(charon->traps, peer_cfg, child_cfg); + 
break; + case ACTION_NONE: + break; + } + } + children->destroy(children); + } + enumerator->destroy(enumerator); + destroy(this); +} + +/* + * Described in header + */ +start_action_job_t *start_action_job_create(void) +{ + private_start_action_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + ) + return &this->public; +} + diff --git a/src/libcharon/processing/jobs/start_action_job.h b/src/libcharon/processing/jobs/start_action_job.h new file mode 100644 index 000000000..ffc167c05 --- /dev/null +++ b/src/libcharon/processing/jobs/start_action_job.h @@ -0,0 +1,49 @@ +/* + * Copyright (C) 2011 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup start_action_job start_action_job + * @{ @ingroup cjobs + */ + +#ifndef START_ACTION_JOB_H_ +#define START_ACTION_JOB_H_ + +typedef struct start_action_job_t start_action_job_t; + +#include +#include + +/** + * Class representing a start_action Job. + * + * This job handles all child configurations stored in an [SQL database] + * backend according to their start_action field (start, route, none). + */ +struct start_action_job_t { + /** + * The job_t interface. + */ + job_t job_interface; +}; + +/** + * Creates a job of type start_action. + * + * @return start_action_job_t object + */ +start_action_job_t *start_action_job_create(void); + +#endif /** START_ACTION_JOB_H_ @}*/ 
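Review bot: In `start_action_job_create` the `INIT(this, ...)` invocation closes with a bare `)` and no semicolon before `return &this->public;`; every other INIT call in this commit ends with `);`, so this line should read `);` too instead of relying on the macro expanding to a braced block. In `execute`, the `switch (child_cfg->get_start_action(child_cfg))` has no `default:` label, so an action value added later is silently skipped; `default: break;` with a DBG1 would make that visible. The return values of `charon->controller->initiate()` and `charon->traps->install()` are discarded, so a failed start action leaves no trace beyond the preceding "start action:" log line; either check and log them or add a comment stating that the callee is relied on to report failures. The literal `2` in `peer_cfg->get_ike_version(peer_cfg) != 2` also deserves a comment saying the job only processes IKEv2 configurations.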
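Review bot: The class comment says the job handles child configurations `stored in an [SQL database] backend`, but the implementation in start_action_job.c enumerates `charon->backends` with no backend filter, so the documentation is narrower than the code; reword to `This job handles all child configurations of every registered backend according to their start_action field (restart, route, none).` The action names in the comment (`start, route, none`) also do not match the `ACTION_RESTART`/`ACTION_ROUTE`/`ACTION_NONE` cases the job switches on. The `@return` line could additionally note that the job destroys itself at the end of `execute`, which the .c file does via `destroy(this)`; that ownership detail matters to whoever queues the job.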
diff --git a/src/libcharon/processing/jobs/update_sa_job.c b/src/libcharon/processing/jobs/update_sa_job.c index 17dce2548..3b4e9949f 100644 --- a/src/libcharon/processing/jobs/update_sa_job.c +++ b/src/libcharon/processing/jobs/update_sa_job.c @@ -43,19 +43,15 @@ struct private_update_sa_job_t { host_t *new; }; -/** - * Implements job_t.destroy. - */ -static void destroy(private_update_sa_job_t *this) +METHOD(job_t, destroy, void, + private_update_sa_job_t *this) { this->new->destroy(this->new); free(this); } -/** - * Implementation of job_t.execute. - */ -static void execute(private_update_sa_job_t *this) +METHOD(job_t, execute, void, + private_update_sa_job_t *this) { ike_sa_t *ike_sa; @@ -71,7 +67,7 @@ static void execute(private_update_sa_job_t *this) if (ike_sa->has_condition(ike_sa, COND_NAT_THERE) && !ike_sa->has_condition(ike_sa, COND_NAT_HERE)) { - ike_sa->update_hosts(ike_sa, NULL, this->new); + ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE); } charon->ike_sa_manager->checkin(charon->ike_sa_manager, ike_sa); } @@ -83,13 +79,18 @@ static void execute(private_update_sa_job_t *this) */ update_sa_job_t *update_sa_job_create(u_int32_t reqid, host_t *new) { - private_update_sa_job_t *this = malloc_thing(private_update_sa_job_t); - - this->public.job_interface.execute = (void (*) (job_t *)) execute; - this->public.job_interface.destroy = (void (*) (job_t *)) destroy; - - this->reqid = reqid; - this->new = new; + private_update_sa_job_t *this; + + INIT(this, + .public = { + .job_interface = { + .execute = _execute, + .destroy = _destroy, + }, + }, + .reqid = reqid, + .new = new, + ); return &this->public; } diff --git a/src/libcharon/sa/authenticators/authenticator.c b/src/libcharon/sa/authenticators/authenticator.c index cd340e53e..83f5fbaad 100644 --- a/src/libcharon/sa/authenticators/authenticator.c +++ b/src/libcharon/sa/authenticators/authenticator.c 
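Review bot: The added fourth argument in `ike_sa->update_hosts(ike_sa, NULL, this->new, FALSE)` is an unlabelled boolean, and nothing in the hunk says what it switches off; a reader has to open ike_sa.h to find out. A trailing comment such as `/* FALSE: do not force the update — TODO confirm parameter meaning against ike_sa_t.update_hosts */` on that line would make the NAT-only update path self-explanatory. The enclosing `execute` starts outside the hunk.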
@@ -39,7 +39,8 @@ ENUM_END(auth_method_names, AUTH_ECDSA_521); */ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { switch ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS)) { @@ -47,13 +48,14 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, /* defaults to PUBKEY */ case AUTH_CLASS_PUBKEY: return (authenticator_t*)pubkey_authenticator_create_builder(ike_sa, - received_nonce, sent_init); + received_nonce, sent_init, reserved); case AUTH_CLASS_PSK: return (authenticator_t*)psk_authenticator_create_builder(ike_sa, - received_nonce, sent_init); + received_nonce, sent_init, reserved); case AUTH_CLASS_EAP: return (authenticator_t*)eap_authenticator_create_builder(ike_sa, - received_nonce, sent_nonce, received_init, sent_init); + received_nonce, sent_nonce, + received_init, sent_init, reserved); default: return NULL; } @@ -65,7 +67,8 @@ authenticator_t *authenticator_create_builder(ike_sa_t *ike_sa, auth_cfg_t *cfg, authenticator_t *authenticator_create_verifier( ike_sa_t *ike_sa, message_t *message, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { auth_payload_t *auth_payload; @@ -73,7 +76,8 @@ authenticator_t *authenticator_create_verifier( if (auth_payload == NULL) { return (authenticator_t*)eap_authenticator_create_verifier(ike_sa, - received_nonce, sent_nonce, received_init, sent_init); + received_nonce, sent_nonce, + received_init, sent_init, reserved); } switch (auth_payload->get_auth_method(auth_payload)) { 
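Review bot: `char reserved[3]` in the new signatures of `authenticator_create_builder` and `authenticator_create_verifier` is an array parameter and so decays to `char *`; the `[3]` documents intent but enforces nothing, and neither function checks for NULL before forwarding the pointer to builders that `memcpy` three bytes from it (eap_authenticator.c in this commit). Because these bytes now feed the AUTH computation, a caller passing NULL or a shorter buffer would be an out-of-bounds read rather than merely a wrong AUTH value, so the contract should be stated where the parameter is documented in authenticator.h: `@param reserved reserved bytes of the ID payload; must point to at least 3 readable bytes, never NULL`. The same wording applies to the authenticator.h, eap_authenticator.h and psk_authenticator.c hunks that take the same parameter.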
@@ -82,10 +86,10 @@ authenticator_t *authenticator_create_verifier( case AUTH_ECDSA_384: case AUTH_ECDSA_521: return (authenticator_t*)pubkey_authenticator_create_verifier(ike_sa, - sent_nonce, received_init); + sent_nonce, received_init, reserved); case AUTH_PSK: return (authenticator_t*)psk_authenticator_create_verifier(ike_sa, - sent_nonce, received_init); + sent_nonce, received_init, reserved); default: return NULL; } diff --git a/src/libcharon/sa/authenticators/authenticator.h b/src/libcharon/sa/authenticators/authenticator.h index 89178b5cf..d27e006a3 100644 --- a/src/libcharon/sa/authenticators/authenticator.h +++ b/src/libcharon/sa/authenticators/authenticator.h @@ -130,12 +130,14 @@ struct authenticator_t { * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of the ID payload * @return authenticator, NULL if not supported */ authenticator_t *authenticator_create_builder( ike_sa_t *ike_sa, auth_cfg_t *cfg, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to verify signatures. @@ -146,11 +148,13 @@ authenticator_t *authenticator_create_builder( * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of the ID payload * @return authenticator, NULL if not supported */ authenticator_t *authenticator_create_verifier( ike_sa_t *ike_sa, message_t *message, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); #endif /** AUTHENTICATOR_H_ @}*/ 
diff --git a/src/libcharon/sa/authenticators/eap_authenticator.c b/src/libcharon/sa/authenticators/eap_authenticator.c index 8b22fd1d7..dea02755d 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.c +++ b/src/libcharon/sa/authenticators/eap_authenticator.c @@ -57,6 +57,11 @@ struct private_eap_authenticator_t { */ chunk_t sent_init; + /** + * Reserved bytes of ID payload + */ + char reserved[3]; + /** * Current EAP method processing */ @@ -422,7 +427,7 @@ static bool verify_auth(private_eap_authenticator_t *this, message_t *message, other_id = this->ike_sa->get_other_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); auth_data = keymat->get_psk_sig(keymat, TRUE, init, nonce, - this->msk, other_id); + this->msk, other_id, this->reserved); recv_auth_data = auth_payload->get_data(auth_payload); if (!auth_data.len || !chunk_equals(auth_data, recv_auth_data)) { @@ -458,7 +463,8 @@ static void build_auth(private_eap_authenticator_t *this, message_t *message, DBG1(DBG_IKE, "authentication of '%Y' (myself) with %N", my_id, auth_class_names, AUTH_CLASS_EAP); - auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, this->msk, my_id); + auth_data = keymat->get_psk_sig(keymat, FALSE, init, nonce, + this->msk, my_id, this->reserved); auth_payload = auth_payload_create(); auth_payload->set_auth_method(auth_payload, AUTH_PSK); auth_payload->set_data(auth_payload, auth_data); @@ -642,7 +648,8 @@ METHOD(authenticator_t, destroy, void, */ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { private_eap_authenticator_t *this; @@ -661,6 +668,7 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, .sent_init = sent_init, .sent_nonce = sent_nonce, ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } 
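Review bot: The new `char reserved[3]` member of `private_eap_authenticator_t` is documented only as `Reserved bytes of ID payload`, which does not say why an authenticator needs them; they are now passed to `keymat->get_psk_sig()` in both `verify_auth` and `build_auth`, so the comment should record the reason: `/* Reserved bytes of the ID payload; they are part of the ID octets MACed into AUTH (RFC 5996 section 2.15), so they must match what was sent/received on the wire */`. The `memcpy(this->reserved, reserved, sizeof(this->reserved))` appended after `INIT()` in `eap_authenticator_create_builder` and `eap_authenticator_create_verifier` reads three bytes through the caller's pointer without a NULL check, which is fine only as long as every caller honours that contract; a short comment on the memcpy stating the assumption would help. The same field with the same one-line comment appears in the psk_authenticator.c hunk (`@@ -45,12 +45,15 @@`) and should get the same explanation.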
@@ -670,7 +678,8 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, */ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init) + chunk_t received_init, chunk_t sent_init, + char reserved[3]) { private_eap_authenticator_t *this; @@ -689,6 +698,7 @@ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, .sent_init = sent_init, .sent_nonce = sent_nonce, ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } diff --git a/src/libcharon/sa/authenticators/eap_authenticator.h b/src/libcharon/sa/authenticators/eap_authenticator.h index 41eb6a8c9..726411a18 100644 --- a/src/libcharon/sa/authenticators/eap_authenticator.h +++ b/src/libcharon/sa/authenticators/eap_authenticator.h @@ -75,11 +75,13 @@ struct eap_authenticator_t { * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return EAP authenticator */ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to authenticate EAP clients. 
@@ -89,10 +91,12 @@ eap_authenticator_t *eap_authenticator_create_builder(ike_sa_t *ike_sa, * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return EAP authenticator */ eap_authenticator_t *eap_authenticator_create_verifier(ike_sa_t *ike_sa, chunk_t received_nonce, chunk_t sent_nonce, - chunk_t received_init, chunk_t sent_init); + chunk_t received_init, chunk_t sent_init, + char reserved[3]); #endif /** EAP_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/psk_authenticator.c b/src/libcharon/sa/authenticators/psk_authenticator.c index e69f30dcf..21fc0f9b8 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.c +++ b/src/libcharon/sa/authenticators/psk_authenticator.c @@ -45,12 +45,15 @@ struct private_psk_authenticator_t { * IKE_SA_INIT message data to include in AUTH calculation */ chunk_t ike_sa_init; + + /** + * Reserved bytes of ID payload + */ + char reserved[3]; }; -/* - * Implementation of authenticator_t.build for builder - */ -static status_t build(private_psk_authenticator_t *this, message_t *message) +METHOD(authenticator_t, build, status_t, + private_psk_authenticator_t *this, message_t *message) { identification_t *my_id, *other_id; auth_payload_t *auth_payload; @@ -70,7 +73,7 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) return NOT_FOUND; } auth_data = keymat->get_psk_sig(keymat, FALSE, this->ike_sa_init, - this->nonce, key->get_key(key), my_id); + this->nonce, key->get_key(key), my_id, this->reserved); key->destroy(key); DBG2(DBG_IKE, "successfully created shared key MAC"); auth_payload = auth_payload_create(); 
@@ -82,10 +85,8 @@ static status_t build(private_psk_authenticator_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of authenticator_t.process for verifier - */ -static status_t process(private_psk_authenticator_t *this, message_t *message) +METHOD(authenticator_t, process, status_t, + private_psk_authenticator_t *this, message_t *message) { chunk_t auth_data, recv_auth_data; identification_t *my_id, *other_id; @@ -113,7 +114,7 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) keys_found++; auth_data = keymat->get_psk_sig(keymat, TRUE, this->ike_sa_init, - this->nonce, key->get_key(key), other_id); + this->nonce, key->get_key(key), other_id, this->reserved); if (auth_data.len && chunk_equals(auth_data, recv_auth_data)) { DBG1(DBG_IKE, "authentication of '%Y' with %N successful", @@ -141,19 +142,8 @@ static status_t process(private_psk_authenticator_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of authenticator_t.process for builder - * Implementation of authenticator_t.build for verifier - */ -static status_t return_failed() -{ - return FAILED; -} - -/** - * Implementation of authenticator_t.destroy. - */ -static void destroy(private_psk_authenticator_t *this) +METHOD(authenticator_t, destroy, void, + private_psk_authenticator_t *this) { free(this); } 
@@ -162,18 +152,25 @@ static void destroy(private_psk_authenticator_t *this) * Described in header. */ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init) + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]) { - private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->ike_sa_init = sent_init; - this->nonce = received_nonce; + private_psk_authenticator_t *this; + + INIT(this, + .public = { + .authenticator = { + .build = _build, + .process = (void*)return_failed, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = sent_init, + .nonce = received_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } 
@@ -182,18 +179,25 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, * Described in header. */ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init) + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]) { - private_psk_authenticator_t *this = malloc_thing(private_psk_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *messageh))return_failed; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->ike_sa_init = received_init; - this->nonce = sent_nonce; + private_psk_authenticator_t *this; + + INIT(this, + .public = { + .authenticator = { + .build = (void*)return_failed, + .process = _process, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = received_init, + .nonce = sent_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } diff --git a/src/libcharon/sa/authenticators/psk_authenticator.h b/src/libcharon/sa/authenticators/psk_authenticator.h index 0fab11095..8cf1a0f98 100644 --- a/src/libcharon/sa/authenticators/psk_authenticator.h +++ b/src/libcharon/sa/authenticators/psk_authenticator.h @@ -42,10 +42,12 @@ struct psk_authenticator_t { * @param ike_sa associated ike_sa * @param received_nonce nonce received in IKE_SA_INIT * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return PSK authenticator */ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init); + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to verify PSK signatures. 
@@ -53,9 +55,11 @@ psk_authenticator_t *psk_authenticator_create_builder(ike_sa_t *ike_sa, * @param ike_sa associated ike_sa * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return PSK authenticator */ psk_authenticator_t *psk_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init); + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]); #endif /** PSK_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.c b/src/libcharon/sa/authenticators/pubkey_authenticator.c index 54b4338bb..247891670 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.c @@ -46,12 +46,15 @@ struct private_pubkey_authenticator_t { * IKE_SA_INIT message data to include in AUTH calculation */ chunk_t ike_sa_init; + + /** + * Reserved bytes of ID payload + */ + char reserved[3]; }; -/** - * Implementation of authenticator_t.build for builder - */ -static status_t build(private_pubkey_authenticator_t *this, message_t *message) +METHOD(authenticator_t, build, status_t, + private_pubkey_authenticator_t *this, message_t *message) { chunk_t octets, auth_data; status_t status = FAILED; @@ -109,7 +112,7 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) } keymat = this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, FALSE, this->ike_sa_init, - this->nonce, id); + this->nonce, id, this->reserved); if (private->sign(private, scheme, octets, &auth_data)) { auth_payload = auth_payload_create(); 
@@ -128,10 +131,8 @@ static status_t build(private_pubkey_authenticator_t *this, message_t *message) return status; } -/** - * Implementation of authenticator_t.process for verifier - */ -static status_t process(private_pubkey_authenticator_t *this, message_t *message) +METHOD(authenticator_t, process, status_t, + private_pubkey_authenticator_t *this, message_t *message) { public_key_t *public; auth_method_t auth_method; @@ -175,7 +176,7 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message id = this->ike_sa->get_other_id(this->ike_sa); keymat = this->ike_sa->get_keymat(this->ike_sa); octets = keymat->get_auth_octets(keymat, TRUE, this->ike_sa_init, - this->nonce, id); + this->nonce, id, this->reserved); auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, key_type, id, auth); @@ -206,19 +207,8 @@ static status_t process(private_pubkey_authenticator_t *this, message_t *message return status; } -/** - * Implementation of authenticator_t.process for builder - * Implementation of authenticator_t.build for verifier - */ -static status_t return_failed() -{ - return FAILED; -} - -/** - * Implementation of authenticator_t.destroy. - */ -static void destroy(private_pubkey_authenticator_t *this) +METHOD(authenticator_t, destroy, void, + private_pubkey_authenticator_t *this) { free(this); } 
@@ -227,18 +217,25 @@ static void destroy(private_pubkey_authenticator_t *this) * Described in header. */ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init) + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]) { - private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); + private_pubkey_authenticator_t *this; - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))build; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))return_failed; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; - - this->ike_sa = ike_sa; - this->ike_sa_init = sent_init; - this->nonce = received_nonce; + INIT(this, + .public = { + .authenticator = { + .build = _build, + .process = (void*)return_failed, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = sent_init, + .nonce = received_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } 
@@ -247,18 +244,25 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, * Described in header. */ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init) + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]) { - private_pubkey_authenticator_t *this = malloc_thing(private_pubkey_authenticator_t); - - this->public.authenticator.build = (status_t(*)(authenticator_t*, message_t *message))return_failed; - this->public.authenticator.process = (status_t(*)(authenticator_t*, message_t *message))process; - this->public.authenticator.is_mutual = (bool(*)(authenticator_t*))return_false; - this->public.authenticator.destroy = (void(*)(authenticator_t*))destroy; + private_pubkey_authenticator_t *this; - this->ike_sa = ike_sa; - this->ike_sa_init = received_init; - this->nonce = sent_nonce; + INIT(this, + .public = { + .authenticator = { + .build = (void*)return_failed, + .process = _process, + .is_mutual = (void*)return_false, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .ike_sa_init = received_init, + .nonce = sent_nonce, + ); + memcpy(this->reserved, reserved, sizeof(this->reserved)); return &this->public; } diff --git a/src/libcharon/sa/authenticators/pubkey_authenticator.h b/src/libcharon/sa/authenticators/pubkey_authenticator.h index be369cb89..4c3937ecc 100644 --- a/src/libcharon/sa/authenticators/pubkey_authenticator.h +++ b/src/libcharon/sa/authenticators/pubkey_authenticator.h 
@@ -43,10 +43,12 @@ struct pubkey_authenticator_t { * @param ike_sa associated ike_sa * @param received_nonce nonce received in IKE_SA_INIT * @param sent_init sent IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return public key authenticator */ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, - chunk_t received_nonce, chunk_t sent_init); + chunk_t received_nonce, chunk_t sent_init, + char reserved[3]); /** * Create an authenticator to verify public key signatures. @@ -54,9 +56,11 @@ pubkey_authenticator_t *pubkey_authenticator_create_builder(ike_sa_t *ike_sa, * @param ike_sa associated ike_sa * @param sent_nonce nonce sent in IKE_SA_INIT * @param received_init received IKE_SA_INIT message data + * @param reserved reserved bytes of ID payload * @return public key authenticator */ pubkey_authenticator_t *pubkey_authenticator_create_verifier(ike_sa_t *ike_sa, - chunk_t sent_nonce, chunk_t received_init); + chunk_t sent_nonce, chunk_t received_init, + char reserved[3]); #endif /** PUBKEY_AUTHENTICATOR_H_ @}*/ diff --git a/src/libcharon/sa/child_sa.c b/src/libcharon/sa/child_sa.c index b6ef31da0..495929965 100644 --- a/src/libcharon/sa/child_sa.c +++ b/src/libcharon/sa/child_sa.c @@ -559,13 +559,14 @@ METHOD(child_sa_t, alloc_cpi, u_int16_t, METHOD(child_sa_t, install, status_t, private_child_sa_t *this, chunk_t encr, chunk_t integ, u_int32_t spi, - u_int16_t cpi, bool inbound, linked_list_t *my_ts, + u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts, linked_list_t *other_ts) { u_int16_t enc_alg = ENCR_UNDEFINED, int_alg = AUTH_UNDEFINED, size; traffic_selector_t *src_ts = NULL, *dst_ts = NULL; time_t now; lifetime_cfg_t *lifetime; + u_int32_t tfc = 0; host_t *src, *dst; status_t status; bool update = FALSE; 
@@ -590,6 +591,11 @@ METHOD(child_sa_t, install, status_t, dst = this->other_addr; this->other_spi = spi; this->other_cpi = cpi; + + if (tfcv3) + { + tfc = this->config->get_tfc(this->config); + } } DBG2(DBG_CHD, "adding %s %N SA", inbound ? "inbound" : "outbound", @@ -620,7 +626,7 @@ METHOD(child_sa_t, install, status_t, lifetime->time.rekey = 0; } - if (this->mode == MODE_BEET) + if (this->mode == MODE_BEET || this->mode == MODE_TRANSPORT) { /* BEET requires the bound address from the traffic selectors. * TODO: We add just the first traffic selector for now, as the @@ -639,7 +645,7 @@ METHOD(child_sa_t, install, status_t, status = hydra->kernel_interface->add_sa(hydra->kernel_interface, src, dst, spi, proto_ike2ip(this->protocol), this->reqid, - inbound ? this->mark_in : this->mark_out, + inbound ? this->mark_in : this->mark_out, tfc, lifetime, enc_alg, encr, int_alg, integ, this->mode, this->ipcomp, cpi, this->encap, update, src_ts, dst_ts); diff --git a/src/libcharon/sa/child_sa.h b/src/libcharon/sa/child_sa.h index 95bc297b0..f17ef01ac 100644 --- a/src/libcharon/sa/child_sa.h +++ b/src/libcharon/sa/child_sa.h @@ -313,12 +313,13 @@ struct child_sa_t { * @param spi SPI to use, allocated for inbound * @param cpi CPI to use, allocated for outbound * @param inbound TRUE to install an inbound SA, FALSE for outbound + * @param tfcv3 TRUE if peer supports ESPv3 TFC * @param my_ts negotiated local traffic selector list * @param other_ts negotiated remote traffic selector list * @return SUCCESS or FAILED */ status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ, - u_int32_t spi, u_int16_t cpi, bool inbound, + u_int32_t spi, u_int16_t cpi, bool inbound, bool tfcv3, linked_list_t *my_ts, linked_list_t *other_ts); /** * Install the policies using some traffic selectors. diff --git a/src/libcharon/sa/connect_manager.c b/src/libcharon/sa/connect_manager.c index 1fb286863..972cc98ad 100644 --- a/src/libcharon/sa/connect_manager.c 
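Review bot: The comment under the changed condition in install() still reads `BEET requires the bound address from the traffic selectors`, but the branch now also runs for MODE_TRANSPORT, so the comment no longer explains half of the condition it guards. Suggest `/* BEET and transport mode require the bound address from the traffic selectors.` as the first line, keeping the TODO that follows. The remainder of that comment and the body of install() lie outside the hunk.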
+++ b/src/libcharon/sa/connect_manager.c @@ -1194,7 +1194,10 @@ static job_requeue_t initiate_mediated(initiate_data_t *data) DBG1(DBG_IKE, "establishing mediated connection failed"); charon->ike_sa_manager->checkin_and_destroy(charon->ike_sa_manager, sa); } - charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa); + else + { + charon->ike_sa_manager->checkin(charon->ike_sa_manager, sa); + } } iterator->destroy(iterator); } diff --git a/src/libcharon/sa/ike_sa.c b/src/libcharon/sa/ike_sa.c index a4e4028ab..9b6f9d06d 100644 --- a/src/libcharon/sa/ike_sa.c +++ b/src/libcharon/sa/ike_sa.c @@ -50,6 +50,7 @@ #include #include #include +#include #ifdef ME #include @@ -559,13 +560,6 @@ METHOD(ike_sa_t, send_dpd, status_t, time_t diff, delay; delay = this->peer_cfg->get_dpd(this->peer_cfg); - - if (delay == 0) - { - /* DPD disabled */ - return SUCCESS; - } - if (this->task_manager->busy(this->task_manager)) { /* an exchange is in the air, no need to start a DPD check */ @@ -578,7 +572,7 @@ METHOD(ike_sa_t, send_dpd, status_t, last_in = get_use_time(this, TRUE); now = time_monotonic(NULL); diff = now - last_in; - if (diff >= delay) + if (!delay || diff >= delay) { /* to long ago, initiate dead peer detection */ task_t *task; @@ -604,8 +598,11 @@ METHOD(ike_sa_t, send_dpd, status_t, } } /* recheck in "interval" seconds */ - job = (job_t*)send_dpd_job_create(this->ike_sa_id); - lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); + if (delay) + { + job = (job_t*)send_dpd_job_create(this->ike_sa_id); + lib->scheduler->schedule_job(lib->scheduler, job, delay - diff); + } return SUCCESS; } @@ -680,7 +677,10 @@ METHOD(ike_sa_t, set_state, void, } /* start DPD checks */ - send_dpd(this); + if (this->peer_cfg->get_dpd(this->peer_cfg)) + { + send_dpd(this); + } } break; } 
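Review bot: The `if (!delay || diff >= delay)` change in send_dpd() turns a DPD delay of 0 from "disabled" into "run one check now whenever called", and nothing in the hunk records that; the removed `/* DPD disabled */` branch was the only documentation of the zero case. The set_state() hunk further down guards the automatic call with `get_dpd()`, so presumably this is intended for on-demand checks from other callers, but a comment at the condition would make it explicit: `/* delay 0: no periodic DPD, but an explicit call still triggers one check */`. send_dpd() starts outside the hunk.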
@@ -825,7 +825,7 @@ METHOD(ike_sa_t, float_ports, void, } METHOD(ike_sa_t, update_hosts, void, - private_ike_sa_t *this, host_t *me, host_t *other) + private_ike_sa_t *this, host_t *me, host_t *other, bool force) { bool update = FALSE; @@ -858,7 +858,7 @@ METHOD(ike_sa_t, update_hosts, void, if (!other->equals(other, this->other_host)) { /* update others adress if we are NOT NATed */ - if (!has_condition(this, COND_NAT_HERE)) + if (force || !has_condition(this, COND_NAT_HERE)) { set_other_host(this, other->clone(other)); update = TRUE; @@ -891,8 +891,14 @@ METHOD(ike_sa_t, update_hosts, void, METHOD(ike_sa_t, generate_message, status_t, private_ike_sa_t *this, message_t *message, packet_t **packet) { + if (message->is_encoded(message)) + { /* already done */ + *packet = message->get_packet(message); + return SUCCESS; + } this->stats[STAT_OUTBOUND] = time_monotonic(NULL); message->set_ike_sa_id(message, this->ike_sa_id); + charon->bus->message(charon->bus, message, FALSE); return message->generate(message, this->keymat->get_aead(this->keymat, FALSE), packet); } @@ -901,7 +907,7 @@ METHOD(ike_sa_t, generate_message, status_t, * send a notify back to the sender */ static void send_notify_response(private_ike_sa_t *this, message_t *request, - notify_type_t type) + notify_type_t type, chunk_t data) { message_t *response; packet_t *packet; @@ -910,7 +916,7 @@ static void send_notify_response(private_ike_sa_t *this, message_t *request, response->set_exchange_type(response, request->get_exchange_type(request)); response->set_request(response, FALSE); response->set_message_id(response, request->get_message_id(request)); - response->add_notify(response, FALSE, type, chunk_empty); + response->add_notify(response, FALSE, type, data); if (this->my_host->is_anyaddr(this->my_host)) { this->my_host->destroy(this->my_host); 
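Review bot: The new `force` parameter is documented only as `force update` in the ike_sa.h hunk below, but in update_hosts() its sole visible effect is `if (force || !has_condition(this, COND_NAT_HERE))`, i.e. it overrides the check that otherwise keeps a NATed local endpoint from moving its remote address on the strength of a packet from elsewhere. Which callers may pass TRUE is what decides whether that is safe, so the header should say what the flag bypasses: `@param force TRUE to update the remote address even if we are behind a NAT`. The body of update_hosts() continues outside the hunk.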
@@ -1175,6 +1181,7 @@ METHOD(ike_sa_t, process_message, status_t, { status_t status; bool is_request; + u_int8_t type = 0; if (this->state == IKE_PASSIVE) { /* do not handle messages in passive state */ @@ -1185,9 +1192,29 @@ METHOD(ike_sa_t, process_message, status_t, status = message->parse_body(message, this->keymat->get_aead(this->keymat, TRUE)); + if (status == SUCCESS) + { /* check for unsupported critical payloads */ + enumerator_t *enumerator; + unknown_payload_t *unknown; + payload_t *payload; + + enumerator = message->create_payload_enumerator(message); + while (enumerator->enumerate(enumerator, &payload)) + { + unknown = (unknown_payload_t*)payload; + type = payload->get_type(payload); + if (!payload_is_known(type) && + unknown->is_critical(unknown)) + { + DBG1(DBG_ENC, "payload type %N is not supported, " + "but its critical!", payload_type_names, type); + status = NOT_SUPPORTED; + } + } + enumerator->destroy(enumerator); + } if (status != SUCCESS) { - if (is_request) { switch (status) @@ -1196,21 +1223,28 @@ METHOD(ike_sa_t, process_message, status_t, DBG1(DBG_IKE, "critical unknown payloads found"); if (is_request) { - send_notify_response(this, message, UNSUPPORTED_CRITICAL_PAYLOAD); + send_notify_response(this, message, + UNSUPPORTED_CRITICAL_PAYLOAD, + chunk_from_thing(type)); + this->task_manager->incr_mid(this->task_manager, FALSE); } break; case PARSE_ERROR: DBG1(DBG_IKE, "message parsing failed"); if (is_request) { - send_notify_response(this, message, INVALID_SYNTAX); + send_notify_response(this, message, + INVALID_SYNTAX, chunk_empty); + this->task_manager->incr_mid(this->task_manager, FALSE); } break; case VERIFY_ERROR: DBG1(DBG_IKE, "message verification failed"); if (is_request) { - send_notify_response(this, message, INVALID_SYNTAX); + send_notify_response(this, message, + INVALID_SYNTAX, chunk_empty); + this->task_manager->incr_mid(this->task_manager, FALSE); } break; case FAILED: 
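Review bot: The new critical-payload loop in process_message() does not stop after it finds an unsupported critical payload: `type = payload->get_type(payload)` keeps being overwritten by every later payload, so the UNSUPPORTED_CRITICAL_PAYLOAD notify built from `chunk_from_thing(type)` in the following hunk can name the wrong payload type whenever the offending payload is not the last one in the message. Adding `break;` directly after `status = NOT_SUPPORTED;` fixes that and also stops casting further payloads to `unknown_payload_t*`. Note also that when parse_body() itself returns NOT_SUPPORTED the loop never runs and `type` stays 0, so the notify data is a zero byte; whether parse_body can report that status is not visible here.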
@@ -1219,10 +1253,6 @@ METHOD(ike_sa_t, process_message, status_t, break; case INVALID_STATE: DBG1(DBG_IKE, "found encrypted message, but no keys available"); - if (is_request) - { - send_notify_response(this, message, INVALID_SYNTAX); - } default: break; } @@ -1252,7 +1282,8 @@ METHOD(ike_sa_t, process_message, status_t, /* no config found for these hosts, destroy */ DBG1(DBG_IKE, "no IKE config found for %H...%H, sending %N", me, other, notify_type_names, NO_PROPOSAL_CHOSEN); - send_notify_response(this, message, NO_PROPOSAL_CHOSEN); + send_notify_response(this, message, + NO_PROPOSAL_CHOSEN, chunk_empty); return DESTROY_ME; } /* add a timeout if peer does not establish it completely */ diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h index c0007e27d..988100bcc 100644 --- a/src/libcharon/sa/ike_sa.h +++ b/src/libcharon/sa/ike_sa.h @@ -343,8 +343,9 @@ struct ike_sa_t { * * @param me new local host address, or NULL * @param other new remote host address, or NULL + * @param force force update */ - void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other); + void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force); /** * Get the own identification. diff --git a/src/libcharon/sa/ike_sa_manager.c b/src/libcharon/sa/ike_sa_manager.c index fa94bb86d..d695c7f7c 100644 --- a/src/libcharon/sa/ike_sa_manager.c +++ b/src/libcharon/sa/ike_sa_manager.c @@ -1,6 +1,7 @@ /* + * Copyright (C) 2005-2011 Martin Willi + * Copyright (C) 2011 revosec AG * Copyright (C) 2008 Tobias Brunner - * Copyright (C) 2005-2008 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * @@ -85,7 +86,9 @@ struct entry_t { chunk_t init_hash; /** - * remote host address, required for DoS detection + * remote host address, required for DoS detection and duplicate + * checking (host with same my_id and other_id is *not* considered + * a duplicate if the address family differs) */ host_t *other; 
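Review bot: After the removal of the notify, the `case INVALID_STATE:` branch in process_message() consists of only the DBG1() call and falls through into `default:` with neither a `break;` nor a fall-through marker, which reads like an accidental omission rather than a choice. Suggest `break;` after the DBG1 line, or `/* fallthrough */` if the fall-through is deliberate; the behaviour is the same either way since `default` only breaks, but the intent is not recoverable from the code as written.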
@@ -241,6 +244,9 @@ struct connected_peers_t { /** remote identity */ identification_t *other_id; + /** ip address family of peer */ + int family; + /** list of ike_sa_id_t objects of IKE_SAs between the two identities */ linked_list_t *sas; }; @@ -257,10 +263,12 @@ static void connected_peers_destroy(connected_peers_t *this) * Function that matches connected_peers_t objects by the given ids. */ static bool connected_peers_match(connected_peers_t *connected_peers, - identification_t *my_id, identification_t *other_id) + identification_t *my_id, identification_t *other_id, + uintptr_t family) { return my_id->equals(my_id, connected_peers->my_id) && - other_id->equals(other_id, connected_peers->other_id); + other_id->equals(other_id, connected_peers->other_id) && + family == connected_peers->family; } typedef struct segment_t segment_t; @@ -396,7 +404,7 @@ static void lock_all_segments(private_ike_sa_manager_t *this) { u_int i; - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex->lock(this->segments[i].mutex); } @@ -409,7 +417,7 @@ static void unlock_all_segments(private_ike_sa_manager_t *this) { u_int i; - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex->unlock(this->segments[i].mutex); } @@ -453,10 +461,8 @@ struct private_enumerator_t { enumerator_t *current; }; -/** - * Implementation of private_enumerator_t.enumerator.enumerate. - */ -static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segment) +METHOD(enumerator_t, enumerate, bool, + private_enumerator_t *this, entry_t **entry, u_int *segment) { if (this->entry) { 
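Review bot: connected_peers_match() takes `family` as `uintptr_t` while the new `connected_peers_t.family` field is `int`, and nothing in the hunk explains the mismatch; presumably the pointer-sized type exists because callers pass the family through `find_first()` as a vararg alongside the identities. A short comment at the parameter would spare the next reader that inference: `uintptr_t family /* passed via find_first() varargs, hence pointer-sized */`. The `==` comparison promotes the `int` field, which is harmless for non-negative AF_* values but would silently mismatch a negative one.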
@@ -502,10 +508,8 @@ static bool enumerate(private_enumerator_t *this, entry_t **entry, u_int *segmen return FALSE; } -/** - * Implementation of private_enumerator_t.enumerator.destroy. - */ -static void enumerator_destroy(private_enumerator_t *this) +METHOD(enumerator_t, enumerator_destroy, void, + private_enumerator_t *this) { if (this->entry) { @@ -524,16 +528,15 @@ static void enumerator_destroy(private_enumerator_t *this) */ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) { - private_enumerator_t *enumerator = malloc_thing(private_enumerator_t); - - enumerator->enumerator.enumerate = (void*)enumerate; - enumerator->enumerator.destroy = (void*)enumerator_destroy; - enumerator->manager = this; - enumerator->segment = 0; - enumerator->entry = NULL; - enumerator->row = 0; - enumerator->current = NULL; - + private_enumerator_t *enumerator; + + INIT(enumerator, + .enumerator = { + .enumerate = (void*)_enumerate, + .destroy = _enumerator_destroy, + }, + .manager = this, + ); return &enumerator->enumerator; } @@ -544,11 +547,14 @@ static enumerator_t* create_table_enumerator(private_ike_sa_manager_t *this) static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; - u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; - u_int segment = row & this->segment_mask; + u_int row, segment; + + row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; + segment = row & this->segment_mask; lock_single_segment(this, segment); - if ((list = this->ike_sa_table[row]) == NULL) + list = this->ike_sa_table[row]; + if (!list) { list = this->ike_sa_table[row] = linked_list_create(); } 
@@ -564,14 +570,17 @@ static u_int put_entry(private_ike_sa_manager_t *this, entry_t *entry) static void remove_entry(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; - u_int row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; - u_int segment = row & this->segment_mask; + u_int row, segment; - if ((list = this->ike_sa_table[row]) != NULL) + row = ike_sa_id_hash(entry->ike_sa_id) & this->table_mask; + segment = row & this->segment_mask; + list = this->ike_sa_table[row]; + if (list) { entry_t *current; + enumerator_t *enumerator; - enumerator_t *enumerator = list->create_enumerator(list); + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, ¤t)) { if (current == entry) @@ -609,11 +618,14 @@ static status_t get_entry_by_match_function(private_ike_sa_manager_t *this, { entry_t *current; linked_list_t *list; - u_int row = ike_sa_id_hash(ike_sa_id) & this->table_mask; - u_int seg = row & this->segment_mask; + u_int row, seg; + + row = ike_sa_id_hash(ike_sa_id) & this->table_mask; + seg = row & this->segment_mask; lock_single_segment(this, seg); - if ((list = this->ike_sa_table[row]) != NULL) + list = this->ike_sa_table[row]; + if (list) { if (list->find_first(list, match, (void**)¤t, p1, p2) == SUCCESS) { 
@@ -697,19 +709,20 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) { half_open_t *half_open = NULL; linked_list_t *list; - chunk_t addr = entry->other->get_address(entry->other); - u_int row = chunk_hash(addr) & this->table_mask; - u_int segment = row & this->segment_mask; + chunk_t addr; + u_int row, segment; + rwlock_t *lock; - rwlock_t *lock = this->half_open_segments[segment].lock; + addr = entry->other->get_address(entry->other); + row = chunk_hash(addr) & this->table_mask; + segment = row & this->segment_mask; + lock = this->half_open_segments[segment].lock; lock->write_lock(lock); - if ((list = this->half_open_table[row]) == NULL) - { - list = this->half_open_table[row] = linked_list_create(); - } - else + list = this->half_open_table[row]; + if (list) { half_open_t *current; + if (list->find_first(list, (linked_list_match_t)half_open_match, (void**)¤t, &addr) == SUCCESS) { @@ -718,12 +731,17 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) this->half_open_segments[segment].count++; } } + else + { + list = this->half_open_table[row] = linked_list_create(); + } if (!half_open) { - half_open = malloc_thing(half_open_t); - half_open->other = chunk_clone(addr); - half_open->count = 1; + INIT(half_open, + .other = chunk_clone(addr), + .count = 1, + ); list->insert_last(list, half_open); this->half_open_segments[segment].count++; } 
@@ -736,16 +754,22 @@ static void put_half_open(private_ike_sa_manager_t *this, entry_t *entry) static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) { linked_list_t *list; - chunk_t addr = entry->other->get_address(entry->other); - u_int row = chunk_hash(addr) & this->table_mask; - u_int segment = row & this->segment_mask; + chunk_t addr; + u_int row, segment; + rwlock_t *lock; - rwlock_t *lock = this->half_open_segments[segment].lock; + addr = entry->other->get_address(entry->other); + row = chunk_hash(addr) & this->table_mask; + segment = row & this->segment_mask; + lock = this->half_open_segments[segment].lock; lock->write_lock(lock); - if ((list = this->half_open_table[row]) != NULL) + list = this->half_open_table[row]; + if (list) { half_open_t *current; - enumerator_t *enumerator = list->create_enumerator(list); + enumerator_t *enumerator; + + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, ¤t)) { if (half_open_match(current, &addr)) 
@@ -769,24 +793,26 @@ static void remove_half_open(private_ike_sa_manager_t *this, entry_t *entry) */ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) { - linked_list_t *list; connected_peers_t *connected_peers = NULL; - chunk_t my_id = entry->my_id->get_encoding(entry->my_id), - other_id = entry->other_id->get_encoding(entry->other_id); - u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; - u_int segment = row & this->segment_mask; + chunk_t my_id, other_id; + linked_list_t *list; + u_int row, segment; + rwlock_t *lock; - rwlock_t *lock = this->connected_peers_segments[segment].lock; + my_id = entry->my_id->get_encoding(entry->my_id); + other_id = entry->other_id->get_encoding(entry->other_id); + row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; + segment = row & this->segment_mask; + lock = this->connected_peers_segments[segment].lock; lock->write_lock(lock); - if ((list = this->connected_peers_table[row]) == NULL) - { - list = this->connected_peers_table[row] = linked_list_create(); - } - else + list = this->connected_peers_table[row]; + if (list) { connected_peers_t *current; + if (list->find_first(list, (linked_list_match_t)connected_peers_match, - (void**)¤t, entry->my_id, entry->other_id) == SUCCESS) + (void**)¤t, entry->my_id, entry->other_id, + (uintptr_t)entry->other->get_family(entry->other)) == SUCCESS) { connected_peers = current; if (connected_peers->sas->find_first(connected_peers->sas, 
@@ -798,13 +824,19 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) } } } + else + { + list = this->connected_peers_table[row] = linked_list_create(); + } if (!connected_peers) { - connected_peers = malloc_thing(connected_peers_t); - connected_peers->my_id = entry->my_id->clone(entry->my_id); - connected_peers->other_id = entry->other_id->clone(entry->other_id); - connected_peers->sas = linked_list_create(); + INIT(connected_peers, + .my_id = entry->my_id->clone(entry->my_id), + .other_id = entry->other_id->clone(entry->other_id), + .family = entry->other->get_family(entry->other), + .sas = linked_list_create(), + ); list->insert_last(list, connected_peers); } connected_peers->sas->insert_last(connected_peers->sas, 
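Review bot: `entry->other->get_family(entry->other)` is evaluated twice in put_connected_peers(), once as the find_first() match argument in the previous hunk and once in the INIT `.family` here, so the key used for lookup and the key stored can drift apart if either call is edited alone; hoist it, `int family = entry->other->get_family(entry->other);`, and pass `(uintptr_t)family` to the match and `.family = family` to the INIT. The dereference of entry->other relies on checkin() cloning `other` into the entry before it calls put_connected_peers(), which the checkin hunk further down does; a `/* entry->other is populated by checkin() before we are called */` at the first use would record that. The function starts in the previous hunk and ends outside this one.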
@@ -818,24 +850,34 @@ static void put_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) */ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entry) { + chunk_t my_id, other_id; linked_list_t *list; - chunk_t my_id = entry->my_id->get_encoding(entry->my_id), - other_id = entry->other_id->get_encoding(entry->other_id); - u_int row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; - u_int segment = row & this->segment_mask; + u_int row, segment; + rwlock_t *lock; + + my_id = entry->my_id->get_encoding(entry->my_id); + other_id = entry->other_id->get_encoding(entry->other_id); + row = chunk_hash_inc(other_id, chunk_hash(my_id)) & this->table_mask; + segment = row & this->segment_mask; - rwlock_t *lock = this->connected_peers_segments[segment].lock; + lock = this->connected_peers_segments[segment].lock; lock->write_lock(lock); - if ((list = this->connected_peers_table[row]) != NULL) + list = this->connected_peers_table[row]; + if (list) { connected_peers_t *current; - enumerator_t *enumerator = list->create_enumerator(list); + enumerator_t *enumerator; + + enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, ¤t)) { - if (connected_peers_match(current, entry->my_id, entry->other_id)) + if (connected_peers_match(current, entry->my_id, entry->other_id, + (uintptr_t)entry->other->get_family(entry->other))) { ike_sa_id_t *ike_sa_id; - enumerator_t *inner = current->sas->create_enumerator(current->sas); + enumerator_t *inner; + + inner = current->sas->create_enumerator(current->sas); while (inner->enumerate(inner, &ike_sa_id)) { if (ike_sa_id->equals(ike_sa_id, entry->ike_sa_id)) 
@@ -861,20 +903,21 @@ static void remove_connected_peers(private_ike_sa_manager_t *this, entry_t *entr } /** - * Implementation of private_ike_sa_manager_t.get_next_spi. + * Get a random SPI for new IKE_SAs */ -static u_int64_t get_next_spi(private_ike_sa_manager_t *this) +static u_int64_t get_spi(private_ike_sa_manager_t *this) { - u_int64_t spi; + u_int64_t spi = 0; - this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi); + if (this->rng) + { + this->rng->get_bytes(this->rng, sizeof(spi), (u_int8_t*)&spi); + } return spi; } -/** - * Implementation of of ike_sa_manager.checkout. - */ -static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) +METHOD(ike_sa_manager_t, checkout, ike_sa_t*, + private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id) { ike_sa_t *ike_sa = NULL; entry_t *entry; 
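Review bot: get_spi() now returns 0 silently when this->rng is NULL, and neither checkout_new() nor checkout_by_message() below checks for that, so an IKE_SA with an all-zero SPI can be created once flush() has torn down the rng. The new header comment should say so: `/* Get a random SPI for new IKE_SAs; returns 0 once the rng is gone (after flush()) */`, and a DBG1 in the NULL branch would make a zero SPI diagnosable instead of silent. Whether any caller can still reach this after flush() is not visible in the diff.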
@@ -897,62 +940,46 @@ static ike_sa_t* checkout(private_ike_sa_manager_t *this, ike_sa_id_t *ike_sa_id return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_new. - */ -static ike_sa_t *checkout_new(private_ike_sa_manager_t* this, bool initiator) +METHOD(ike_sa_manager_t, checkout_new, ike_sa_t*, + private_ike_sa_manager_t* this, bool initiator) { ike_sa_id_t *ike_sa_id; ike_sa_t *ike_sa; - entry_t *entry; - u_int segment; if (initiator) { - ike_sa_id = ike_sa_id_create(get_next_spi(this), 0, TRUE); + ike_sa_id = ike_sa_id_create(get_spi(this), 0, TRUE); } else { - ike_sa_id = ike_sa_id_create(0, get_next_spi(this), FALSE); + ike_sa_id = ike_sa_id_create(0, get_spi(this), FALSE); } ike_sa = ike_sa_create(ike_sa_id); + ike_sa_id->destroy(ike_sa_id); DBG2(DBG_MGR, "created IKE_SA %s[%u]", ike_sa->get_name(ike_sa), ike_sa->get_unique_id(ike_sa)); - if (!initiator) - { - ike_sa_id->destroy(ike_sa_id); - return ike_sa; - } - - entry = entry_create(); - entry->ike_sa_id = ike_sa_id; - entry->ike_sa = ike_sa; - segment = put_entry(this, entry); - entry->checked_out = TRUE; - unlock_single_segment(this, segment); - return entry->ike_sa; + return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_message. - */ -static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, - message_t *message) +METHOD(ike_sa_manager_t, checkout_by_message, ike_sa_t*, + private_ike_sa_manager_t* this, message_t *message) { u_int segment; entry_t *entry; ike_sa_t *ike_sa = NULL; - ike_sa_id_t *id = message->get_ike_sa_id(message); + ike_sa_id_t *id; + id = message->get_ike_sa_id(message); id = id->clone(id); id->switch_initiator(id); DBG2(DBG_MGR, "checkout IKE_SA by message"); if (message->get_request(message) && - message->get_exchange_type(message) == IKE_SA_INIT) + message->get_exchange_type(message) == IKE_SA_INIT && + this->hasher) { /* IKE_SA_INIT request. Check for an IKE_SA with such a message hash. */ chunk_t data, hash; 
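Review bot: checkout_new() no longer registers the IKE_SA for either role — the entry_create()/put_entry() path is removed and the ike_sa_id is destroyed right after ike_sa_create() — but nothing in the code states where registration now happens. A line above the return such as `/* not tracked by the manager until checkin() inserts an entry for it */` would save the next reader the search; checkin()'s put_entry() call is only partly visible further down, so confirm that is the path. The ike_sa_manager.h hunk later in this diff drops the old @note about unregistered SAs without replacing it; the same sentence belongs there as a `@note`.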
@@ -988,7 +1015,7 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, message->get_exchange_type(message) == IKE_SA_INIT) { /* no IKE_SA found, create a new one */ - id->set_responder_spi(id, get_next_spi(this)); + id->set_responder_spi(id, get_spi(this)); entry = entry_create(); entry->ike_sa = ike_sa_create(id); entry->ike_sa_id = id->clone(id); @@ -1048,11 +1075,8 @@ static ike_sa_t* checkout_by_message(private_ike_sa_manager_t* this, return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_config. - */ -static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, - peer_cfg_t *peer_cfg) +METHOD(ike_sa_manager_t, checkout_by_config, ike_sa_t*, + private_ike_sa_manager_t *this, peer_cfg_t *peer_cfg) { enumerator_t *enumerator; entry_t *entry; @@ -1107,11 +1131,8 @@ static ike_sa_t* checkout_by_config(private_ike_sa_manager_t *this, return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_id. - */ -static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, - bool child) +METHOD(ike_sa_manager_t, checkout_by_id, ike_sa_t*, + private_ike_sa_manager_t *this, u_int32_t id, bool child) { enumerator_t *enumerator; iterator_t *children; @@ -1164,11 +1185,8 @@ static ike_sa_t* checkout_by_id(private_ike_sa_manager_t *this, u_int32_t id, return ike_sa; } -/** - * Implementation of of ike_sa_manager.checkout_by_name. - */ -static ike_sa_t* checkout_by_name(private_ike_sa_manager_t *this, char *name, - bool child) +METHOD(ike_sa_manager_t, checkout_by_name, ike_sa_t*, + private_ike_sa_manager_t *this, char *name, bool child) { enumerator_t *enumerator; iterator_t *children; 
@@ -1233,20 +1251,15 @@ static bool enumerator_filter(private_ike_sa_manager_t *this, return FALSE; } -/** - * Implementation of ike_sa_manager_t.create_enumerator. - */ -static enumerator_t *create_enumerator(private_ike_sa_manager_t* this) +METHOD(ike_sa_manager_t, create_enumerator, enumerator_t*, + private_ike_sa_manager_t* this) { - return enumerator_create_filter( - create_table_enumerator(this), - (void*)enumerator_filter, this, NULL); + return enumerator_create_filter(create_table_enumerator(this), + (void*)enumerator_filter, this, NULL); } -/** - * Implementation of ike_sa_manager_t.checkin. - */ -static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +METHOD(ike_sa_manager_t, checkin, void, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { /* to check the SA back in, we look for the pointer of the ike_sa * in all entries. @@ -1311,13 +1324,16 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) segment = put_entry(this, entry); } - /* apply identities for duplicate test (only as responder) */ - if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && + /* apply identities for duplicate test */ + if (ike_sa->get_state(ike_sa) == IKE_ESTABLISHED && entry->my_id == NULL && entry->other_id == NULL) { entry->my_id = my_id->clone(my_id); entry->other_id = other_id->clone(other_id); + if (!entry->other) + { + entry->other = other->clone(other); + } put_connected_peers(this, entry); } @@ -1326,10 +1342,8 @@ static void checkin(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) charon->bus->set_sa(charon->bus, NULL); } -/** - * Implementation of ike_sa_manager_t.checkin_and_destroy. - */ -static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +METHOD(ike_sa_manager_t, checkin_and_destroy, void, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa) { /* deletion is a bit complex, we must ensure that no thread is waiting for * this SA. 
@@ -1366,8 +1380,7 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa { remove_half_open(this, entry); } - if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - entry->my_id && entry->other_id) + if (entry->my_id && entry->other_id) { remove_connected_peers(this, entry); } @@ -1384,11 +1397,8 @@ static void checkin_and_destroy(private_ike_sa_manager_t *this, ike_sa_t *ike_sa charon->bus->set_sa(charon->bus, NULL); } - -/** - * Implementation of ike_sa_manager_t.check_uniqueness. - */ -static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) +METHOD(ike_sa_manager_t, check_uniqueness, bool, + private_ike_sa_manager_t *this, ike_sa_t *ike_sa, bool force_replace) { bool cancel = FALSE; peer_cfg_t *peer_cfg; @@ -1402,7 +1412,7 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) peer_cfg = ike_sa->get_peer_cfg(ike_sa); policy = peer_cfg->get_unique_policy(peer_cfg); - if (policy == UNIQUE_NO) + if (policy == UNIQUE_NO && !force_replace) { return FALSE; } @@ -1416,12 +1426,16 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) lock = this->connected_peers_segments[segment & this->segment_mask].lock; lock->read_lock(lock); - if ((list = this->connected_peers_table[row]) != NULL) + list = this->connected_peers_table[row]; + if (list) { connected_peers_t *current; + host_t *other_host; + other_host = ike_sa->get_other_host(ike_sa); if (list->find_first(list, (linked_list_match_t)connected_peers_match, - (void**)¤t, me, other) == SUCCESS) + (void**)¤t, me, other, + (uintptr_t)other_host->get_family(other_host)) == SUCCESS) { /* clone the list, so we can release the lock */ duplicate_ids = current->sas->clone_offset(current->sas, 
@@ -1446,6 +1460,13 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa)
 {
 continue;
 }
+ if (force_replace)
+ {
+ DBG1(DBG_IKE, "destroying duplicate IKE_SA for peer '%Y', "
+ "received INITIAL_CONTACT", other);
+ checkin_and_destroy(this, duplicate);
+ continue;
+ }
 peer_cfg = duplicate->get_peer_cfg(duplicate);
 if (peer_cfg && peer_cfg->equals(peer_cfg, ike_sa->get_peer_cfg(ike_sa)))
 {
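Review bot: In the force_replace branch every duplicate is destroyed before the peer_cfg equality test that the normal uniqueness path applies a few lines below, so an INITIAL_CONTACT replaces SAs for the same identity pair even when they were established under a different connection configuration. The header text "regardless of unique policy" suggests that is intended, but the branch should say so: `/* INITIAL_CONTACT: the peer asserts it holds no other SAs with us, so drop all duplicates regardless of unique policy and config */`. The loop variable `duplicate` and the code that checks it out are outside this hunk; check_uniqueness() starts and ends outside it too.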
@@ -1490,21 +1511,49 @@ static bool check_uniqueness(private_ike_sa_manager_t *this, ike_sa_t *ike_sa) return cancel; } -/** - * Implementation of ike_sa_manager_t.get_half_open_count. - */ -static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip) +METHOD(ike_sa_manager_t, has_contact, bool, + private_ike_sa_manager_t *this, identification_t *me, + identification_t *other, int family) +{ + linked_list_t *list; + u_int row, segment; + rwlock_t *lock; + bool found = FALSE; + + row = chunk_hash_inc(other->get_encoding(other), + chunk_hash(me->get_encoding(me))) & this->table_mask; + segment = row & this->segment_mask; + lock = this->connected_peers_segments[segment & this->segment_mask].lock; + lock->read_lock(lock); + list = this->connected_peers_table[row]; + if (list) + { + if (list->find_first(list, (linked_list_match_t)connected_peers_match, + NULL, me, other, family) == SUCCESS) + { + found = TRUE; + } + } + lock->unlock(lock); + + return found; +} + +METHOD(ike_sa_manager_t, get_half_open_count, int, + private_ike_sa_manager_t *this, host_t *ip) { + linked_list_t *list; + u_int segment, row; + rwlock_t *lock; + chunk_t addr; int count = 0; if (ip) { - linked_list_t *list; - chunk_t addr = ip->get_address(ip); - u_int row = chunk_hash(addr) & this->table_mask; - u_int segment = row & this->segment_mask; - - rwlock_t *lock = this->half_open_segments[segment & this->segment_mask].lock; + addr = ip->get_address(ip); + row = chunk_hash(addr) & this->table_mask; + segment = row & this->segment_mask; + lock = this->half_open_segments[segment & this->segment_mask].lock; lock->read_lock(lock); if ((list = this->half_open_table[row]) != NULL) { 
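Review bot: has_contact() passes `family` as a plain int through the variadic find_first(), while every other caller in this file casts it to `(uintptr_t)` (put_connected_peers, remove_connected_peers, check_uniqueness); if connected_peers_match() retrieves it with va_arg as uintptr_t, passing an int is undefined behaviour and on LP64 the upper half of the read value is unspecified. Use `NULL, me, other, (uintptr_t)family) == SUCCESS)` so all four call sites agree. Also `this->connected_peers_segments[segment & this->segment_mask]` re-masks a value that was masked on the line before; `segment` alone is enough. Whether find_first() tolerates a NULL item pointer is not visible here.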
@@ -1520,25 +1569,19 @@ static int get_half_open_count(private_ike_sa_manager_t *this, host_t *ip) } else { - u_int segment; - - for (segment = 0; segment < this->segment_count; ++segment) + for (segment = 0; segment < this->segment_count; segment++) { - rwlock_t *lock; lock = this->half_open_segments[segment & this->segment_mask].lock; lock->read_lock(lock); count += this->half_open_segments[segment].count; lock->unlock(lock); } } - return count; } -/** - * Implementation of ike_sa_manager_t.flush. - */ -static void flush(private_ike_sa_manager_t *this) +METHOD(ike_sa_manager_t, flush, void, + private_ike_sa_manager_t *this) { /* destroy all list entries */ enumerator_t *enumerator; @@ -1602,8 +1645,7 @@ static void flush(private_ike_sa_manager_t *this) { remove_half_open(this, entry); } - if (!entry->ike_sa_id->is_initiator(entry->ike_sa_id) && - entry->my_id && entry->other_id) + if (entry->my_id && entry->other_id) { remove_connected_peers(this, entry); } 
@@ -1615,37 +1657,26 @@ static void flush(private_ike_sa_manager_t *this) unlock_all_segments(this); this->rng->destroy(this->rng); + this->rng = NULL; this->hasher->destroy(this->hasher); + this->hasher = NULL; } -/** - * Implementation of ike_sa_manager_t.destroy. - */ -static void destroy(private_ike_sa_manager_t *this) +METHOD(ike_sa_manager_t, destroy, void, + private_ike_sa_manager_t *this) { u_int i; - for (i = 0; i < this->table_size; ++i) + for (i = 0; i < this->table_size; i++) { - linked_list_t *list; - - if ((list = this->ike_sa_table[i]) != NULL) - { - list->destroy(list); - } - if ((list = this->half_open_table[i]) != NULL) - { - list->destroy(list); - } - if ((list = this->connected_peers_table[i]) != NULL) - { - list->destroy(list); - } + DESTROY_IF(this->ike_sa_table[i]); + DESTROY_IF(this->half_open_table[i]); + DESTROY_IF(this->connected_peers_table[i]); } free(this->ike_sa_table); free(this->half_open_table); free(this->connected_peers_table); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex->destroy(this->segments[i].mutex); this->half_open_segments[i].lock->destroy(this->half_open_segments[i].lock); 
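Review bot: flush() now sets this->rng and this->hasher to NULL after destroying them, but still dereferences them unconditionally, so a second flush() call would crash on a NULL function pointer; since the NULLing is what lets get_spi() and checkout_by_message() survive afterwards, the destroy should be guarded the same way destroy() in this hunk guards the tables: `DESTROY_IF(this->rng); this->rng = NULL;` and likewise for the hasher. Whether flush() can legitimately run twice is not visible here; flush() starts outside the hunk.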
@@ -1681,25 +1712,28 @@ static u_int get_nearest_powerof2(u_int n) */ ike_sa_manager_t *ike_sa_manager_create() { + private_ike_sa_manager_t *this; u_int i; - private_ike_sa_manager_t *this = malloc_thing(private_ike_sa_manager_t); - - /* assign public functions */ - this->public.flush = (void(*)(ike_sa_manager_t*))flush; - this->public.destroy = (void(*)(ike_sa_manager_t*))destroy; - this->public.checkout = (ike_sa_t*(*)(ike_sa_manager_t*, ike_sa_id_t*))checkout; - this->public.checkout_new = (ike_sa_t*(*)(ike_sa_manager_t*,bool))checkout_new; - this->public.checkout_by_message = (ike_sa_t*(*)(ike_sa_manager_t*,message_t*))checkout_by_message; - this->public.checkout_by_config = (ike_sa_t*(*)(ike_sa_manager_t*,peer_cfg_t*))checkout_by_config; - this->public.checkout_by_id = (ike_sa_t*(*)(ike_sa_manager_t*,u_int32_t,bool))checkout_by_id; - this->public.checkout_by_name = (ike_sa_t*(*)(ike_sa_manager_t*,char*,bool))checkout_by_name; - this->public.check_uniqueness = (bool(*)(ike_sa_manager_t*, ike_sa_t *ike_sa))check_uniqueness; - this->public.create_enumerator = (enumerator_t*(*)(ike_sa_manager_t*))create_enumerator; - this->public.checkin = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin; - this->public.checkin_and_destroy = (void(*)(ike_sa_manager_t*,ike_sa_t*))checkin_and_destroy; - this->public.get_half_open_count = (int(*)(ike_sa_manager_t*,host_t*))get_half_open_count; - - /* initialize private variables */ + + INIT(this, + .public = { + .checkout = _checkout, + .checkout_new = _checkout_new, + .checkout_by_message = _checkout_by_message, + .checkout_by_config = _checkout_by_config, + .checkout_by_id = _checkout_by_id, + .checkout_by_name = _checkout_by_name, + .check_uniqueness = _check_uniqueness, + .has_contact = _has_contact, + .create_enumerator = _create_enumerator, + .checkin = _checkin, + .checkin_and_destroy = _checkin_and_destroy, + .get_half_open_count = _get_half_open_count, + .flush = _flush, + .destroy = _destroy, + }, + ); + this->hasher = 
lib->crypto->create_hasher(lib->crypto, HASH_PREFERRED); if (this->hasher == NULL) { @@ -1715,6 +1749,7 @@ ike_sa_manager_t *ike_sa_manager_create() free(this); return NULL; } + this->table_size = get_nearest_powerof2(lib->settings->get_int(lib->settings, "charon.ikesa_table_size", DEFAULT_HASHTABLE_SIZE)); this->table_size = max(1, min(this->table_size, MAX_HASHTABLE_SIZE)); @@ -1724,11 +1759,10 @@ ike_sa_manager_t *ike_sa_manager_create() "charon.ikesa_table_segments", DEFAULT_SEGMENT_COUNT)); this->segment_count = max(1, min(this->segment_count, this->table_size)); this->segment_mask = this->segment_count - 1; - this->ike_sa_table = calloc(this->table_size, sizeof(linked_list_t*)); this->segments = (segment_t*)calloc(this->segment_count, sizeof(segment_t)); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->segments[i].mutex = mutex_create(MUTEX_TYPE_RECURSIVE); this->segments[i].count = 0; @@ -1737,7 +1771,7 @@ ike_sa_manager_t *ike_sa_manager_create() /* we use the same table parameters for the table to track half-open SAs */ this->half_open_table = calloc(this->table_size, sizeof(linked_list_t*)); this->half_open_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->half_open_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->half_open_segments[i].count = 0; @@ -1746,7 +1780,7 @@ ike_sa_manager_t *ike_sa_manager_create() /* also for the hash table used for duplicate tests */ this->connected_peers_table = calloc(this->table_size, sizeof(linked_list_t*)); this->connected_peers_segments = calloc(this->segment_count, sizeof(shareable_segment_t)); - for (i = 0; i < this->segment_count; ++i) + for (i = 0; i < this->segment_count; i++) { this->connected_peers_segments[i].lock = rwlock_create(RWLOCK_TYPE_DEFAULT); this->connected_peers_segments[i].count = 0; 
diff --git a/src/libcharon/sa/ike_sa_manager.h b/src/libcharon/sa/ike_sa_manager.h index f4eabf808..ec157ab3a 100644 --- a/src/libcharon/sa/ike_sa_manager.h +++ b/src/libcharon/sa/ike_sa_manager.h @@ -52,9 +52,6 @@ struct ike_sa_manager_t { /** * Create and check out a new IKE_SA. * - * @note If initiator equals FALSE, the returned IKE_SA is not registered - * in the manager. - * * @param initiator TRUE for initiator, FALSE otherwise * @returns created and checked out IKE_SA */ @@ -109,10 +106,23 @@ struct ike_sa_manager_t { * deadlocks occur otherwise. * * @param ike_sa ike_sa to check + * @param force_replace replace existing SAs, regardless of unique policy * @return TRUE, if the given IKE_SA has duplicates and * should be deleted */ - bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa); + bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa, + bool force_replace); + + /** + * Check if we already have a connected IKE_SA between two identities. + * + * @param me own identity + * @param other remote identity + * @param family address family to include in uniqueness check + * @return TRUE if we have a connected IKE_SA + */ + bool (*has_contact)(ike_sa_manager_t *this, identification_t *me, + identification_t *other, int family); /** * Check out an IKE_SA a unique ID. diff --git a/src/libcharon/sa/keymat.c b/src/libcharon/sa/keymat.c index 878ad124f..33ece24b2 100644 --- a/src/libcharon/sa/keymat.c +++ b/src/libcharon/sa/keymat.c @@ -214,7 +214,7 @@ static bool derive_ike_traditional(private_keymat_t *this, u_int16_t enc_alg, { DBG1(DBG_IKE, "%N %N (key size %d) not supported!", transform_type_names, ENCRYPTION_ALGORITHM, - encryption_algorithm_names, enc_alg, key_size); + encryption_algorithm_names, enc_alg, enc_size); signer_i->destroy(signer_i); signer_r->destroy(signer_r); return FALSE; 
@@ -540,7 +540,7 @@ METHOD(keymat_t, get_aead, aead_t*, METHOD(keymat_t, get_auth_octets, chunk_t, private_keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id) + chunk_t nonce, identification_t *id, char reserved[3]) { chunk_t chunk, idx, octets; chunk_t skp; @@ -548,8 +548,8 @@ METHOD(keymat_t, get_auth_octets, chunk_t, skp = verify ? this->skp_verify : this->skp_build; chunk = chunk_alloca(4); - memset(chunk.ptr, 0, chunk.len); chunk.ptr[0] = id->get_type(id); + memcpy(chunk.ptr + 1, reserved, 3); idx = chunk_cata("cc", chunk, id->get_encoding(id)); DBG3(DBG_IKE, "IDx' %B", &idx); @@ -570,7 +570,7 @@ METHOD(keymat_t, get_auth_octets, chunk_t, METHOD(keymat_t, get_psk_sig, chunk_t, private_keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, identification_t *id) + chunk_t nonce, chunk_t secret, identification_t *id, char reserved[3]) { chunk_t key_pad, key, sig, octets; @@ -578,7 +578,7 @@ METHOD(keymat_t, get_psk_sig, chunk_t, { /* EAP uses SK_p if no MSK has been established */ secret = verify ? this->skp_verify : this->skp_build; } - octets = get_auth_octets(this, verify, ike_sa_init, nonce, id); + octets = get_auth_octets(this, verify, ike_sa_init, nonce, id, reserved); /* AUTH = prf(prf(Shared Secret,"Key Pad for IKEv2"), ) */ key_pad = chunk_create(IKEV2_KEY_PAD, IKEV2_KEY_PAD_LENGTH); this->prf->set_key(this->prf, secret); diff --git a/src/libcharon/sa/keymat.h b/src/libcharon/sa/keymat.h index 4f01aa411..11e0fa79a 100644 --- a/src/libcharon/sa/keymat.h +++ b/src/libcharon/sa/keymat.h 
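Review bot: `memcpy(chunk.ptr + 1, reserved, 3)` copies three bytes from a parameter that is really a `char *` (`char reserved[3]` decays), so a NULL from a caller crashes and nothing at the definition states the length contract; add `/* reserved: the three RESERVED bytes of the peer's ID payload, copied verbatim into IDx' */`. The rationale deserves a line as well: IDx' is the ID payload without its generic header, so the reserved bytes have to enter the AUTH input exactly as received, which is why the memset is dropped rather than the bytes zeroed; with the memset gone all four bytes of `chunk` are now written explicitly, so no uninitialised byte reaches the PRF. The callers that supply `reserved` are outside this diff.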
@@ -117,10 +117,12 @@ struct keymat_t { * @param ike_sa_init encoded ike_sa_init message * @param nonce nonce value * @param id identity + * @param reserved reserved bytes of id_payload * @return authentication octets */ chunk_t (*get_auth_octets)(keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, identification_t *id); + chunk_t nonce, identification_t *id, + char reserved[3]); /** * Build the shared secret signature used for PSK and EAP authentication. * @@ -133,10 +135,12 @@ struct keymat_t { * @param nonce nonce value * @param secret optional secret to include into signature * @param id identity + * @param reserved reserved bytes of id_payload * @return signature octets */ chunk_t (*get_psk_sig)(keymat_t *this, bool verify, chunk_t ike_sa_init, - chunk_t nonce, chunk_t secret, identification_t *id); + chunk_t nonce, chunk_t secret, + identification_t *id, char reserved[3]); /** * Destroy a keymat_t. */ diff --git a/src/libcharon/sa/task_manager.c b/src/libcharon/sa/task_manager.c index 18703ce36..9467d1586 100644 --- a/src/libcharon/sa/task_manager.c +++ b/src/libcharon/sa/task_manager.c @@ -465,7 +465,6 @@ METHOD(task_manager_t, initiate, status_t, /* update exchange type if a task changed it */ this->initiating.type = message->get_exchange_type(message); - charon->bus->message(charon->bus, message, FALSE); status = this->ike_sa->generate_message(this->ike_sa, message, &this->initiating.packet); if (status != SUCCESS) @@ -654,7 +653,6 @@ static status_t build_response(private_task_manager_t *this, message_t *request) /* message complete, send it */ DESTROY_IF(this->responding.packet); this->responding.packet = NULL; - charon->bus->message(charon->bus, message, FALSE); status = this->ike_sa->generate_message(this->ike_sa, message, &this->responding.packet); message->destroy(message); 
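Review bot: The `charon->bus->message(charon->bus, message, FALSE)` hook is removed from both initiate() and build_response() in task_manager.c with nothing in these hunks taking its place, so the task manager no longer reports outbound messages to bus listeners itself. If the hook moved into ike_sa->generate_message(), a one-line comment at each call site, `/* the outbound bus hook is raised from generate_message() */`, keeps that visible; if it did not move, plugins that inspect or alter outgoing messages silently stop seeing them. Both enclosing functions start and end outside the hunks.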
@@ -882,8 +880,12 @@ static status_t process_request(private_task_manager_t *this, METHOD(task_manager_t, process_message, status_t, private_task_manager_t *this, message_t *msg) { - u_int32_t mid = msg->get_message_id(msg); - host_t *me = msg->get_destination(msg), *other = msg->get_source(msg); + host_t *me, *other; + u_int32_t mid; + + mid = msg->get_message_id(msg); + me = msg->get_destination(msg); + other = msg->get_source(msg); if (msg->get_request(msg)) { @@ -895,10 +897,14 @@ METHOD(task_manager_t, process_message, status_t, { /* only do host updates based on verified messages */ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ - this->ike_sa->update_hosts(this->ike_sa, me, other); + this->ike_sa->update_hosts(this->ike_sa, me, other, mid == 1); } } charon->bus->message(charon->bus, msg, TRUE); + if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED) + { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ + return SUCCESS; + } if (process_request(this, msg) != SUCCESS) { flush(this); @@ -909,15 +915,15 @@ METHOD(task_manager_t, process_message, status_t, else if ((mid == this->responding.mid - 1) && this->responding.packet) { packet_t *clone; - host_t *me, *other; + host_t *host; DBG1(DBG_IKE, "received retransmit of request with ID %d, " "retransmitting response", mid); clone = this->responding.packet->clone(this->responding.packet); - me = msg->get_destination(msg); - other = msg->get_source(msg); - clone->set_source(clone, me->clone(me)); - clone->set_destination(clone, other->clone(other)); + host = msg->get_destination(msg); + clone->set_source(clone, host->clone(host)); + host = msg->get_source(msg); + clone->set_destination(clone, host->clone(host)); charon->sender->send(charon->sender, clone); } else 
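Review bot: The new early return on EXCHANGE_TYPE_UNDEFINED (request path here, response path in the next hunk) returns SUCCESS after the bus hook without touching this->responding.mid or sending a reply, so whichever listener consumed the message has to call the new incr_mid() itself or the peer's next request is presumably treated as out of sequence; the comment should state that contract: `/* ignore messages altered to EXCHANGE_TYPE_UNDEFINED; the listener that consumed it must call incr_mid() */`. Likewise `update_hosts(..., mid == 1)` hides its meaning in a comparison; if the fourth argument means "force the update on the first IKE_AUTH request", name it, `bool force = (mid == 1);`, with a comment saying why only that message may force it. process_message() continues outside the hunk.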
@@ -936,10 +942,14 @@ METHOD(task_manager_t, process_message, status_t, { /* only do host updates based on verified messages */ if (!this->ike_sa->supports_extension(this->ike_sa, EXT_MOBIKE)) { /* with MOBIKE, we do no implicit updates */ - this->ike_sa->update_hosts(this->ike_sa, me, other); + this->ike_sa->update_hosts(this->ike_sa, me, other, FALSE); } } charon->bus->message(charon->bus, msg, TRUE); + if (msg->get_exchange_type(msg) == EXCHANGE_TYPE_UNDEFINED) + { /* ignore messages altered to EXCHANGE_TYPE_UNDEFINED */ + return SUCCESS; + } if (process_response(this, msg) != SUCCESS) { flush(this); @@ -1002,6 +1012,19 @@ METHOD(task_manager_t, busy, bool, return (this->active_tasks->get_count(this->active_tasks) > 0); } +METHOD(task_manager_t, incr_mid, void, + private_task_manager_t *this, bool initiate) +{ + if (initiate) + { + this->initiating.mid++; + } + else + { + this->responding.mid++; + } +} + METHOD(task_manager_t, reset, void, private_task_manager_t *this, u_int32_t initiate, u_int32_t respond) { @@ -1085,6 +1108,7 @@ task_manager_t *task_manager_create(ike_sa_t *ike_sa) .queue_task = _queue_task, .initiate = _initiate, .retransmit = _retransmit, + .incr_mid = _incr_mid, .reset = _reset, .adopt_tasks = _adopt_tasks, .busy = _busy, diff --git a/src/libcharon/sa/task_manager.h b/src/libcharon/sa/task_manager.h index 14fccd5f9..5bc6c80c4 100644 --- a/src/libcharon/sa/task_manager.h +++ b/src/libcharon/sa/task_manager.h @@ -148,6 +148,16 @@ struct task_manager_t { */ void (*adopt_tasks) (task_manager_t *this, task_manager_t *other); + /** + * Increment a message ID counter, in- or outbound. + * + * If a message is processed outside of the manager, this call increments + * the message ID counters of the task manager. + * + * @param inititate TRUE to increment the initiating ID + */ + void (*incr_mid)(task_manager_t *this, bool initiate); + /** * Reset message ID counters of the task manager. * 
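Review bot: The incr_mid() documentation in task_manager.h misspells its parameter (`@param inititate`), which breaks doxygen's parameter matching; it should read `@param initiate TRUE to increment the initiating ID, FALSE for the responding ID`. The implementation is fine as a u_int32_t wrap-around counter, but since it exists for messages handled outside the manager, the header comment should say which counter the caller is expected to bump in each direction.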
diff --git a/src/libcharon/sa/tasks/child_create.c b/src/libcharon/sa/tasks/child_create.c index 57beedba9..fc02a334b 100644 --- a/src/libcharon/sa/tasks/child_create.c +++ b/src/libcharon/sa/tasks/child_create.c @@ -116,6 +116,11 @@ struct private_child_create_t { */ ipsec_mode_t mode; + /** + * peer accepts TFC padding for this SA + */ + bool tfcv3; + /** * IPComp transform to use */ @@ -455,17 +460,21 @@ static status_t select_and_install(private_child_create_t *this, { if (this->initiator) { - status_i = this->child_sa->install(this->child_sa, encr_r, integ_r, - this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); - status_o = this->child_sa->install(this->child_sa, encr_i, integ_i, - this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); + status_i = this->child_sa->install(this->child_sa, + encr_r, integ_r, this->my_spi, this->my_cpi, + TRUE, this->tfcv3, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, + encr_i, integ_i, this->other_spi, this->other_cpi, + FALSE, this->tfcv3, my_ts, other_ts); } else { - status_i = this->child_sa->install(this->child_sa, encr_i, integ_i, - this->my_spi, this->my_cpi, TRUE, my_ts, other_ts); - status_o = this->child_sa->install(this->child_sa, encr_r, integ_r, - this->other_spi, this->other_cpi, FALSE, my_ts, other_ts); + status_i = this->child_sa->install(this->child_sa, + encr_i, integ_i, this->my_spi, this->my_cpi, + TRUE, this->tfcv3, my_ts, other_ts); + status_o = this->child_sa->install(this->child_sa, + encr_r, integ_r, this->other_spi, this->other_cpi, + FALSE, this->tfcv3, my_ts, other_ts); } } chunk_clear(&integ_i); @@ -631,7 +640,13 @@ static void handle_notify(private_child_create_t *this, notify_payload_t *notify ipcomp_transform_names, ipcomp); break; } + break; } + case ESP_TFC_PADDING_NOT_SUPPORTED: + DBG1(DBG_IKE, "received %N, not using ESPv3 TFC padding", + notify_type_names, notify->get_notify_type(notify)); + this->tfcv3 = FALSE; + break; default: break; } 
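Review bot: The new tfcv3 field comment says only "peer accepts TFC padding for this SA"; its default and the single place it is cleared live in the constructor and handle_notify() respectively, so document them at the field: `/* TRUE unless the peer sent ESP_TFC_PADDING_NOT_SUPPORTED (ESPv3 TFC padding, RFC 4303); passed as the tfc argument of child_sa->install() */`. The `break;` added before the new case is what stops the IPCOMP case from falling into it and clearing tfcv3, so a `/* no fallthrough into the TFC case */` would keep someone from removing it as redundant. The install() calls now take two adjacent bools (`TRUE, this->tfcv3`), which is easy to transpose; the callee's signature is not in this diff.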
@@ -691,10 +706,8 @@ static void process_payloads(private_child_create_t *this, message_t *message) enumerator->destroy(enumerator); } -/** - * Implementation of task_t.build for initiator - */ -static status_t build_i(private_child_create_t *this, message_t *message) +METHOD(task_t, build_i, status_t, + private_child_create_t *this, message_t *message) { host_t *me, *other, *vip; peer_cfg_t *peer_cfg; @@ -831,10 +844,8 @@ static status_t build_i(private_child_create_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_child_create_t *this, message_t *message) +METHOD(task_t, process_r, status_t, + private_child_create_t *this, message_t *message) { switch (message->get_exchange_type(message)) { @@ -877,10 +888,8 @@ static void handle_child_sa_failure(private_child_create_t *this, } } -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_child_create_t *this, message_t *message) +METHOD(task_t, build_r, status_t, + private_child_create_t *this, message_t *message) { peer_cfg_t *peer_cfg; payload_t *payload; @@ -958,7 +967,7 @@ static status_t build_r(private_child_create_t *this, message_t *message) case INTERNAL_ADDRESS_FAILURE: case FAILED_CP_REQUIRED: { - DBG1(DBG_IKE,"configuration payload negotation " + DBG1(DBG_IKE,"configuration payload negotiation " "failed, no CHILD_SA built"); enumerator->destroy(enumerator); handle_child_sa_failure(this, message); @@ -1029,10 +1038,8 @@ static status_t build_r(private_child_create_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_child_create_t *this, message_t *message) +METHOD(task_t, process_i, status_t, + private_child_create_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; 
@@ -1103,7 +1110,21 @@ static status_t process_i(private_child_create_t *this, message_t *message) return NEED_MORE; } default: + { + if (message->get_exchange_type(message) == CREATE_CHILD_SA) + { /* handle notifies if not handled in IKE_AUTH */ + if (type <= 16383) + { + DBG1(DBG_IKE, "received %N notify error", + notify_type_names, type); + enumerator->destroy(enumerator); + return SUCCESS; + } + DBG2(DBG_IKE, "received %N notify", + notify_type_names, type); + } break; + } } } } @@ -1155,34 +1176,20 @@ static status_t process_i(private_child_create_t *this, message_t *message) return SUCCESS; } -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_child_create_t *this) -{ - return CHILD_CREATE; -} - -/** - * Implementation of child_create_t.use_reqid - */ -static void use_reqid(private_child_create_t *this, u_int32_t reqid) +METHOD(child_create_t, use_reqid, void, + private_child_create_t *this, u_int32_t reqid) { this->reqid = reqid; } -/** - * Implementation of child_create_t.get_child - */ -static child_sa_t* get_child(private_child_create_t *this) +METHOD(child_create_t, get_child, child_sa_t*, + private_child_create_t *this) { return this->child_sa; } -/** - * Implementation of child_create_t.get_lower_nonce - */ -static chunk_t get_lower_nonce(private_child_create_t *this) +METHOD(child_create_t, get_lower_nonce, chunk_t, + private_child_create_t *this) { if (memcmp(this->my_nonce.ptr, this->other_nonce.ptr, min(this->my_nonce.len, this->other_nonce.len)) < 0) @@ -1195,10 +1202,14 @@ static chunk_t get_lower_nonce(private_child_create_t *this) } } -/** - * Implementation of task_t.migrate - */ -static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) +METHOD(task_t, get_type, task_type_t, + private_child_create_t *this) +{ + return CHILD_CREATE; +} + +METHOD(task_t, migrate, void, + private_child_create_t *this, ike_sa_t *ike_sa) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
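Review bot: `if (type <= 16383)` relies on the IKEv2 rule that notify types 0–16383 are errors and 16384 and up are status notifies, but the number is bare; a named constant or at least a comment makes it self-explaining: `if (type <= 16383) /* IKEv2 error notify range (RFC 4306 3.10.1) */`. Returning SUCCESS on an error notify ends the task without a CHILD_SA; whether handle_child_sa_failure() should be invoked here, as build_r() does on CP failures elsewhere in this diff, is not visible from the hunk. process_i() continues outside the hunk.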
@@ -1234,10 +1245,8 @@ static void migrate(private_child_create_t *this, ike_sa_t *ike_sa) this->established = FALSE; } -/** - * Implementation of task_t.destroy - */ -static void destroy(private_child_create_t *this) +METHOD(task_t, destroy, void, + private_child_create_t *this) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1273,52 +1282,45 @@ child_create_t *child_create_create(ike_sa_t *ike_sa, child_cfg_t *config, bool rekey, traffic_selector_t *tsi, traffic_selector_t *tsr) { - private_child_create_t *this = malloc_thing(private_child_create_t); - - this->public.get_child = (child_sa_t*(*)(child_create_t*))get_child; - this->public.get_lower_nonce = (chunk_t(*)(child_create_t*))get_lower_nonce; - this->public.use_reqid = (void(*)(child_create_t*,u_int32_t))use_reqid; - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; + private_child_create_t *this; + + INIT(this, + .public = { + .get_child = _get_child, + .get_lower_nonce = _get_lower_nonce, + .use_reqid = _use_reqid, + .task = { + .get_type = _get_type, + .migrate = _migrate, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .config = config, + .packet_tsi = tsi ? tsi->clone(tsi) : NULL, + .packet_tsr = tsr ? tsr->clone(tsr) : NULL, + .dh_group = MODP_NONE, + .keymat = ike_sa->get_keymat(ike_sa), + .mode = MODE_TUNNEL, + .tfcv3 = TRUE, + .ipcomp = IPCOMP_NONE, + .ipcomp_received = IPCOMP_NONE, + .rekey = rekey, + ); + if (config) { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; + this->public.task.build = _build_i; + this->public.task.process = _process_i; this->initiator = TRUE; config->get_ref(config); } else { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + this->public.task.build = _build_r; + this->public.task.process = _process_r; this->initiator = FALSE; } - this->ike_sa = ike_sa; - this->config = config; - this->my_nonce = chunk_empty; - this->other_nonce = chunk_empty; - this->proposals = NULL; - this->proposal = NULL; - this->tsi = NULL; - this->tsr = NULL; - this->packet_tsi = tsi ? 
tsi->clone(tsi) : NULL; - this->packet_tsr = tsr ? tsr->clone(tsr) : NULL; - this->dh = NULL; - this->dh_group = MODP_NONE; - this->keymat = ike_sa->get_keymat(ike_sa); - this->child_sa = NULL; - this->mode = MODE_TUNNEL; - this->ipcomp = IPCOMP_NONE; - this->ipcomp_received = IPCOMP_NONE; - this->my_spi = 0; - this->other_spi = 0; - this->my_cpi = 0; - this->other_cpi = 0; - this->reqid = 0; - this->established = FALSE; - this->rekey = rekey; - return &this->public; } diff --git a/src/libcharon/sa/tasks/child_rekey.c b/src/libcharon/sa/tasks/child_rekey.c index fdaaea4b8..e74ca4eef 100644 --- a/src/libcharon/sa/tasks/child_rekey.c +++ b/src/libcharon/sa/tasks/child_rekey.c @@ -241,12 +241,11 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) + min(this_nonce.len, other_nonce.len)) > 0) { child_sa_t *child_sa; - DBG1(DBG_IKE, "CHILD_SA rekey collision won, " - "deleting rekeyed child"); + DBG1(DBG_IKE, "CHILD_SA rekey collision won, deleting old child"); to_delete = this->child_sa; /* don't touch child other created, it has already been deleted */ if (!this->other_child_destroyed) @@ -259,7 +258,7 @@ static child_sa_t *handle_collision(private_child_rekey_t *this) else { DBG1(DBG_IKE, "CHILD_SA rekey collision lost, " - "deleting redundant child"); + "deleting rekeyed child"); to_delete = this->child_create->get_child(this->child_create); } } diff --git a/src/libcharon/sa/tasks/ike_auth.c b/src/libcharon/sa/tasks/ike_auth.c index b440ec811..0756c7d60 100644 --- a/src/libcharon/sa/tasks/ike_auth.c +++ b/src/libcharon/sa/tasks/ike_auth.c @@ -67,6 +67,11 @@ struct private_ike_auth_t { */ packet_t *other_packet; + /** + * Reserved bytes of ID payload + */ + char reserved[3]; + /** * currently active authenticator, to authenticate us */ 
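Review bot: The comparison in handle_collision is flipped to `> 0`, but the context comment directly above it, `/* if we have the lower nonce, delete rekeyed SA. If not, delete the redundant. */`, still describes the old condition and now contradicts the branch it introduces, where the node holding the higher nonce wins and deletes the old CHILD_SA. Replace it with something like `/* if we have the higher nonce we won: delete the old (rekeyed) SA. Otherwise delete the redundant SA we created. */`. The same inverted condition with the same stale comment appears in the ike_rekey.c hunk of process_i in this commit. The new log text in the lost branch, "deleting rekeyed child", appears to refer to the SA returned by child_create->get_child, i.e. the one this node just created, so the old wording "redundant" was less ambiguous.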
@@ -101,6 +106,11 @@ struct private_ike_auth_t { * should we send a AUTHENTICATION_FAILED notify? */ bool authentication_failed; + + /** + * received an INITIAL_CONTACT? + */ + bool initial_contact; }; /** @@ -159,6 +169,24 @@ static status_t collect_other_init_data(private_ike_auth_t *this, return NEED_MORE; } +/** + * Get and store reserved bytes of id_payload, required for AUTH payload + */ +static void get_reserved_id_bytes(private_ike_auth_t *this, id_payload_t *id) +{ + u_int8_t *byte; + int i; + + for (i = 0; i < countof(this->reserved); i++) + { + byte = payload_get_field(&id->payload_interface, RESERVED_BYTE, i); + if (byte) + { + this->reserved[i] = *byte; + } + } +} + /** * Get the next authentication configuration */ @@ -329,10 +357,8 @@ static bool update_cfg_candidates(private_ike_auth_t *this, bool strict) return this->peer_cfg != NULL; } -/** - * Implementation of task_t.build for initiator - */ -static status_t build_i(private_ike_auth_t *this, message_t *message) +METHOD(task_t, build_i, status_t, + private_ike_auth_t *this, message_t *message) { auth_cfg_t *cfg; @@ -367,7 +393,7 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) /* check if an authenticator is in progress */ if (this->my_auth == NULL) { - identification_t *id; + identification_t *idi, *idr = NULL; id_payload_t *id_payload; /* clean up authentication config from a previous round */ 
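Review bot: get_reserved_id_bytes leaves `this->reserved[i]` untouched when payload_get_field returns NULL, so a byte that is not found keeps whatever an earlier call stored; the helper is invoked for the node's own ID payload in build_i/build_r and for the peer's in process_r/process_i, all into the same three-byte buffer. Clear it first, `memset(this->reserved, 0, sizeof(this->reserved));`, or document that all three indices are expected to exist. Because the buffer is passed by pointer to both authenticator_create_builder and authenticator_create_verifier, it matters whether the authenticator copies the bytes at creation or reads them later; in the latter case the peer's bytes could overwrite the ones captured for the local AUTH payload, which the hunk does not let me rule out. The struct comment `Reserved bytes of ID payload` should say whose ID payload the buffer currently reflects and that the bytes feed the AUTH computation.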
@@ -378,33 +404,48 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) cfg = get_auth_cfg(this, FALSE); if (cfg) { - id = cfg->get(cfg, AUTH_RULE_IDENTITY); - if (id && !id->contains_wildcards(id)) + idr = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (idr && !idr->contains_wildcards(idr)) { - this->ike_sa->set_other_id(this->ike_sa, id->clone(id)); + this->ike_sa->set_other_id(this->ike_sa, idr->clone(idr)); id_payload = id_payload_create_from_identification( - ID_RESPONDER, id); + ID_RESPONDER, idr); message->add_payload(message, (payload_t*)id_payload); } } /* add IDi */ cfg = this->ike_sa->get_auth_cfg(this->ike_sa, TRUE); cfg->merge(cfg, get_auth_cfg(this, TRUE), TRUE); - id = cfg->get(cfg, AUTH_RULE_IDENTITY); - if (!id) + idi = cfg->get(cfg, AUTH_RULE_IDENTITY); + if (!idi) { DBG1(DBG_CFG, "configuration misses IDi"); return FAILED; } - this->ike_sa->set_my_id(this->ike_sa, id->clone(id)); - id_payload = id_payload_create_from_identification(ID_INITIATOR, id); + this->ike_sa->set_my_id(this->ike_sa, idi->clone(idi)); + id_payload = id_payload_create_from_identification(ID_INITIATOR, idi); + get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); + if (idr && message->get_message_id(message) == 1 && + this->peer_cfg->get_unique_policy(this->peer_cfg) != UNIQUE_NO) + { + host_t *host; + + host = this->ike_sa->get_other_host(this->ike_sa); + if (!charon->ike_sa_manager->has_contact(charon->ike_sa_manager, + idi, idr, host->get_family(host))) + { + message->add_notify(message, FALSE, INITIAL_CONTACT, chunk_empty); + } + } + /* build authentication data */ this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->my_auth) { return FAILED; 
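Review bot: The new INITIAL_CONTACT block in build_i dereferences `this->peer_cfg` without a check; if peer_cfg can still be NULL when the first IKE_AUTH is built (the earlier part of build_i is outside the hunk), a guard is needed. The notify is only sent when a non-wildcard IDr is configured, which is not obvious at first read; a comment such as `/* has_contact() needs both identities, so only if IDr is known up front */` would explain the condition.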
@@ -441,10 +482,8 @@ static status_t build_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for responder - */ -static status_t process_r(private_ike_auth_t *this, message_t *message) +METHOD(task_t, process_r, status_t, + private_ike_auth_t *this, message_t *message) { auth_cfg_t *cfg, *cand; id_payload_t *id_payload; @@ -498,6 +537,7 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return FAILED; } id = id_payload->get_identification(id_payload); + get_reserved_id_bytes(this, id_payload); this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -548,7 +588,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->other_auth) { this->authentication_failed = TRUE; @@ -572,10 +613,13 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } - /* store authentication information */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + /* If authenticated (with non-EAP) and received INITIAL_CONTACT, + * delete any existing IKE_SAs with that peer. */ + if (message->get_message_id(message) == 1 && + message->get_notify(message, INITIAL_CONTACT)) + { + this->initial_contact = TRUE; + } /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) 
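Review bot: `this->initial_contact = TRUE` in process_r is set before the authorize hook and before update_cfg_candidates, both of which can still reject the peer (here and in the following hunk) by setting authentication_failed. build_r acts on the flag by calling check_uniqueness(..., TRUE), so unless build_r returns on authentication_failed before reaching that block (its start is outside the hunk), a peer that authenticated but was refused by policy would still cause the responder's existing IKE_SAs with that identity to be deleted. Set the flag only after both checks pass, or clear it on the failure paths, e.g. `this->initial_contact = FALSE;` next to each `this->authentication_failed = TRUE;`. The comment `If authenticated (with non-EAP)` relies on the EAP path having returned NEED_MORE earlier rather than on anything checked at this point; saying so explicitly would help.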
@@ -585,6 +629,11 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } + /* store authentication information */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); + if (!update_cfg_candidates(this, FALSE)) { this->authentication_failed = TRUE; @@ -603,10 +652,8 @@ static status_t process_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.build for responder - */ -static status_t build_r(private_ike_auth_t *this, message_t *message) +METHOD(task_t, build_r, status_t, + private_ike_auth_t *this, message_t *message) { auth_cfg_t *cfg; @@ -662,8 +709,16 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) } id_payload = id_payload_create_from_identification(ID_RESPONDER, id); + get_reserved_id_bytes(this, id_payload); message->add_payload(message, (payload_t*)id_payload); + if (this->initial_contact) + { + charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, + this->ike_sa, TRUE); + this->initial_contact = FALSE; + } + if ((uintptr_t)cfg->get(cfg, AUTH_RULE_AUTH_CLASS) == AUTH_CLASS_EAP) { /* EAP-only authentication */ if (!this->ike_sa->supports_extension(this->ike_sa, @@ -682,7 +737,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) this->my_auth = authenticator_create_builder(this->ike_sa, cfg, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->my_auth) { message->add_notify(message, TRUE, AUTHENTICATION_FAILED, 
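Review bot: The new `check_uniqueness(charon->ike_sa_manager, this->ike_sa, TRUE)` call in build_r discards its return value, whereas the existing call later in this file (hunk at -744) passes FALSE and cancels the IKE_SA when it returns TRUE. A comment on what the boolean selects and why the result is intentionally ignored here would save the next reader a trip to the manager, e.g. `/* INITIAL_CONTACT received: delete existing IKE_SAs with this peer; result not needed */`, hedged to match what the manager actually does.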
@@ -744,7 +800,7 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) if (!this->do_another_auth && !this->expect_another_auth) { if (charon->ike_sa_manager->check_uniqueness(charon->ike_sa_manager, - this->ike_sa)) + this->ike_sa, FALSE)) { DBG1(DBG_IKE, "cancelling IKE_SA setup due uniqueness policy"); message->add_notify(message, TRUE, AUTHENTICATION_FAILED, @@ -772,10 +828,8 @@ static status_t build_r(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.process for initiator - */ -static status_t process_i(private_ike_auth_t *this, message_t *message) +METHOD(task_t, process_i, status_t, + private_ike_auth_t *this, message_t *message) { enumerator_t *enumerator; payload_t *payload; @@ -857,6 +911,7 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return FAILED; } id = id_payload->get_identification(id_payload); + get_reserved_id_bytes(this, id_payload); this->ike_sa->set_other_id(this->ike_sa, id); cfg = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE); cfg->add(cfg, AUTH_RULE_IDENTITY, id->clone(id)); @@ -867,7 +922,8 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->other_auth = authenticator_create_verifier(this->ike_sa, message, this->other_nonce, this->my_nonce, this->other_packet->get_data(this->other_packet), - this->my_packet->get_data(this->my_packet)); + this->my_packet->get_data(this->my_packet), + this->reserved); if (!this->other_auth) { return FAILED; 
@@ -893,17 +949,17 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) this->other_auth->destroy(this->other_auth); this->other_auth = NULL; } - /* store authentication information, reset authenticator */ - cfg = auth_cfg_create(); - cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); - this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); - /* another auth round done, invoke authorize hook */ if (!charon->bus->authorize(charon->bus, FALSE)) { DBG1(DBG_IKE, "authorization forbids IKE_SA, cancelling"); return FAILED; } + + /* store authentication information, reset authenticator */ + cfg = auth_cfg_create(); + cfg->merge(cfg, this->ike_sa->get_auth_cfg(this->ike_sa, FALSE), FALSE); + this->ike_sa->add_auth_cfg(this->ike_sa, FALSE, cfg); } if (this->my_auth) @@ -964,18 +1020,14 @@ static status_t process_i(private_ike_auth_t *this, message_t *message) return NEED_MORE; } -/** - * Implementation of task_t.get_type - */ -static task_type_t get_type(private_ike_auth_t *this) +METHOD(task_t, get_type, task_type_t, + private_ike_auth_t *this) { return IKE_AUTHENTICATE; } -/** - * Implementation of task_t.migrate - */ -static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) +METHOD(task_t, migrate, void, + private_ike_auth_t *this, ike_sa_t *ike_sa) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); @@ -998,10 +1050,8 @@ static void migrate(private_ike_auth_t *this, ike_sa_t *ike_sa) this->candidates = linked_list_create(); } -/** - * Implementation of task_t.destroy - */ -static void destroy(private_ike_auth_t *this) +METHOD(task_t, destroy, void, + private_ike_auth_t *this) { chunk_free(&this->my_nonce); chunk_free(&this->other_nonce); 
@@ -1019,37 +1069,29 @@ static void destroy(private_ike_auth_t *this) */ ike_auth_t *ike_auth_create(ike_sa_t *ike_sa, bool initiator) { - private_ike_auth_t *this = malloc_thing(private_ike_auth_t); - - this->public.task.get_type = (task_type_t(*)(task_t*))get_type; - this->public.task.migrate = (void(*)(task_t*,ike_sa_t*))migrate; - this->public.task.destroy = (void(*)(task_t*))destroy; - + private_ike_auth_t *this; + + INIT(this, + .public = { + .task = { + .get_type = _get_type, + .migrate = _migrate, + .build = _build_r, + .process = _process_r, + .destroy = _destroy, + }, + }, + .ike_sa = ike_sa, + .initiator = initiator, + .candidates = linked_list_create(), + .do_another_auth = TRUE, + .expect_another_auth = TRUE, + ); if (initiator) { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_i; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_i; - } - else - { - this->public.task.build = (status_t(*)(task_t*,message_t*))build_r; - this->public.task.process = (status_t(*)(task_t*,message_t*))process_r; + this->public.task.build = _build_i; + this->public.task.process = _process_i; } - - this->ike_sa = ike_sa; - this->initiator = initiator; - this->my_nonce = chunk_empty; - this->other_nonce = chunk_empty; - this->my_packet = NULL; - this->other_packet = NULL; - this->peer_cfg = NULL; - this->candidates = linked_list_create(); - this->my_auth = NULL; - this->other_auth = NULL; - this->do_another_auth = TRUE; - this->expect_another_auth = TRUE; - this->authentication_failed = FALSE; - return &this->public; } diff --git a/src/libcharon/sa/tasks/ike_cert_pre.c b/src/libcharon/sa/tasks/ike_cert_pre.c index 1c0c54727..a59b8dcce 100644 --- a/src/libcharon/sa/tasks/ike_cert_pre.c +++ b/src/libcharon/sa/tasks/ike_cert_pre.c 
@@ -76,6 +76,7 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) { certreq_payload_t *certreq = (certreq_payload_t*)payload; enumerator_t *enumerator; + u_int unknown = 0; chunk_t keyid; this->ike_sa->set_condition(this->ike_sa, COND_CERTREQ_SEEN, TRUE); @@ -103,12 +104,18 @@ static void process_certreqs(private_ike_cert_pre_t *this, message_t *message) } else { - DBG1(DBG_IKE, "received cert request for unknown ca " + DBG2(DBG_IKE, "received cert request for unknown ca " "with keyid %Y", id); + unknown++; } id->destroy(id); } enumerator->destroy(enumerator); + if (unknown) + { + DBG1(DBG_IKE, "received %u cert requests for an unknown ca", + unknown); + } break; } case NOTIFY: @@ -253,11 +260,19 @@ static void process_certs(private_ike_cert_pre_t *this, message_t *message) } break; } + case ENC_CRL: + cert = cert_payload->get_cert(cert_payload); + if (cert) + { + DBG1(DBG_IKE, "received CRL \"%Y\"", + cert->get_subject(cert)); + auth->add(auth, AUTH_HELPER_REVOCATION_CERT, cert); + } + break; case ENC_PKCS7_WRAPPED_X509: case ENC_PGP: case ENC_DNS_SIGNED_KEY: case ENC_KERBEROS_TOKEN: - case ENC_CRL: case ENC_ARL: case ENC_SPKI: case ENC_X509_ATTRIBUTE: diff --git a/src/libcharon/sa/tasks/ike_rekey.c b/src/libcharon/sa/tasks/ike_rekey.c index 1a6c140c4..44c55036e 100644 --- a/src/libcharon/sa/tasks/ike_rekey.c +++ b/src/libcharon/sa/tasks/ike_rekey.c 
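Review bot: The new ENC_CRL case in process_certs stores a CRL taken from the peer's CERT payload as AUTH_HELPER_REVOCATION_CERT with no check of the CRL's issuer signature visible here, and at this point of IKE_AUTH the sender is not yet authenticated. That is only sound if the consumer of AUTH_HELPER_REVOCATION_CERT verifies the CRL against a trusted CA before it influences a revocation decision; state the assumption, e.g. `/* untrusted until the revocation check verifies the CRL's issuer signature */`. The log line prints `cert->get_subject(cert)` for a CRL; if the CRL object reports its issuer there, as I would expect, name it "issuer" in the message so the output isn't misread.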
@@ -255,19 +255,20 @@ static status_t process_i(private_ike_rekey_t *this, message_t *message) /* if we have the lower nonce, delete rekeyed SA. If not, delete * the redundant. */ if (memcmp(this_nonce.ptr, other_nonce.ptr, - min(this_nonce.len, other_nonce.len)) < 0) + min(this_nonce.len, other_nonce.len)) > 0) { /* peer should delete this SA. Add a timeout just in case. */ job_t *job = (job_t*)delete_ike_sa_job_create( other->new_sa->get_id(other->new_sa), TRUE); lib->scheduler->schedule_job(lib->scheduler, job, 10); - DBG1(DBG_IKE, "IKE_SA rekey collision won, deleting rekeyed IKE_SA"); + DBG1(DBG_IKE, "IKE_SA rekey collision won, waiting for delete"); charon->ike_sa_manager->checkin(charon->ike_sa_manager, other->new_sa); other->new_sa = NULL; } else { - DBG1(DBG_IKE, "IKE_SA rekey collision lost, deleting redundant IKE_SA"); + DBG1(DBG_IKE, "IKE_SA rekey collision lost, " + "deleting redundant IKE_SA"); /* apply host for a proper delete */ host = this->ike_sa->get_my_host(this->ike_sa); this->new_sa->set_my_host(this->new_sa, host->clone(host)); diff --git a/src/libcharon/tnc/imc/imc.h b/src/libcharon/tnc/imc/imc.h new file mode 100644 index 000000000..fe8f25b0f --- /dev/null +++ b/src/libcharon/tnc/imc/imc.h 
@@ -0,0 +1,175 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc imc + * @ingroup tnc + * + * @defgroup imct imc + * @{ @ingroup imc + */ + +#ifndef IMC_H_ +#define IMC_H_ + +#include +#include + +typedef struct imc_t imc_t; + +/** + * Controls a single Integrity Measurement Collector (IMC) + */ +struct imc_t { + + /** + * The TNC Client calls this function to initialize the IMC and agree on + * the API version number to be used. It also supplies the IMC ID, an IMC + * identifier that the IMC must use when calling TNC Client callback functions. + * + * @param imcID IMC ID assigned by TNCC + * @param minVersion minimum API version supported by TNCC + * @param maxVersion maximum API version supported by TNCC + * @param OutActualVersion mutually supported API version number + * @return TNC result code + */ + TNC_Result (*initialize)(TNC_IMCID imcID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *OutActualVersion); + + /** + * The TNC Client calls this function to inform the IMC that the state of + * the network connection identified by connectionID has changed to newState. 
+ * + * @param imcID IMC ID assigned by TNCC + * @param connectionID network connection ID assigned by TNCC + * @param newState new network connection state + * @return TNC result code + */ + TNC_Result (*notify_connection_change)(TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); + + /** + * The TNC Client calls this function to indicate that an Integrity Check + * Handshake is beginning and solicit messages from IMCs for the first batch. + * + * @param imcID IMC ID assigned by TNCC + * @param connectionID network connection ID assigned by TNCC + * @return TNC result code + */ + TNC_Result (*begin_handshake)(TNC_IMCID imcID, + TNC_ConnectionID connectionID); + + /** + * The TNC Client calls this function to deliver a message to the IMC. + * The message is contained in the buffer referenced by message and contains + * the number of octets indicated by messageLength. The type of the message + * is indicated by messageType. + * + * @param imcID IMC ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCC + * @param message reference to buffer containing message + * @param messageLength number of octets in message + * @param messageType message type of message + * @return TNC result code + */ + TNC_Result (*receive_message)(TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); + + /** + * The TNC Client calls this function to notify IMCs that all IMV messages + * received in a batch have been delivered and this is the IMC’s last chance + * to send a message in the batch of IMC messages currently being collected. 
+ * + * @param imcID IMC ID assigned by TNCC + * @param connectionID network connection ID assigned by TNCC + * @return TNC result code + */ + TNC_Result (*batch_ending)(TNC_IMCID imcID, + TNC_ConnectionID connectionID); + + /** + * The TNC Client calls this function to close down the IMC when all work is + * complete or the IMC reports TNC_RESULT_FATAL. + * + * @param imcID IMC ID assigned by TNCC + * @return TNC result code + */ + TNC_Result (*terminate)(TNC_IMCID imcID); + + /** + * IMVs implementing the UNIX/Linux Dynamic Linkage platform binding MUST + * define this additional function. The TNC Server MUST call the function + * immediately after calling TNC_IMV_Initialize to provide a pointer to the + * TNCS bind function. The IMV can then use the TNCS bind function to obtain + * pointers to any other TNCS functions. + * + * @param imcID IMC ID assigned by TNCC + * @param bindFunction pointer to TNC_TNCC_BindFunction + * @return TNC result code + */ + TNC_Result (*provide_bind_function)(TNC_IMCID imcID, + TNC_TNCC_BindFunctionPointer bindFunction); + + /** + * Sets the ID of an imc_t object. + * + * @param id IMC ID to be assigned + */ + void (*set_id)(imc_t *this, TNC_IMCID id); + + /** + * Returns the ID of an imc_t object. + * + * @return assigned IMC ID + */ + TNC_IMCID (*get_id)(imc_t *this); + + /** + * Returns the name of an imc_t object. + * + * @return name of IMC + */ + char* (*get_name)(imc_t *this); + + /** + * Sets the supported message types of an imc_t object. + * + * @param supported_types list of messages type supported by IMC + * @param type_count number of supported message types + */ + void (*set_message_types)(imc_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Check if the IMC supports a given message type. + * + * @param message_type message type + * @return TRUE if supported + */ + bool (*type_supported)(imc_t *this, TNC_MessageType message_type); + + /** + * Destroys an imc_t object. 
+ */ + void (*destroy)(imc_t *this); +}; + +#endif /** IMC_H_ @}*/ diff --git a/src/libcharon/tnc/imc/imc_manager.h b/src/libcharon/tnc/imc/imc_manager.h new file mode 100644 index 000000000..634afdbe8 --- /dev/null +++ b/src/libcharon/tnc/imc/imc_manager.h 
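Review bot: The doc comment on `provide_bind_function` in imc_t was copied from the IMV side: it talks about IMVs, the TNC Server, TNC_IMV_Initialize and TNCS functions, while the parameters are an IMC ID and a TNC_TNCC_BindFunctionPointer. Reword it for the IMC, e.g. `IMCs implementing the UNIX/Linux Dynamic Linkage platform binding MUST define this additional function. The TNC Client MUST call it immediately after TNC_IMC_Initialize to provide a pointer to the TNCC bind function.` The `@param imcID IMC ID assigned by TNCS` line on receive_message should read TNCC like its neighbours. `get_name` returns `char*` here and in the imv.h header of this commit; if callers are not meant to modify the name, `const char*` documents that.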
@@ -0,0 +1,116 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imc_manager imc_manager + * @{ @ingroup imc + */ + +#ifndef IMC_MANAGER_H_ +#define IMC_MANAGER_H_ + +#include "imc.h" + +#include + +typedef struct imc_manager_t imc_manager_t; + +/** + * The IMC manager controls all IMC instances. + */ +struct imc_manager_t { + + /** + * Add an IMC instance + * + * @param imc IMC instance + * @return TRUE if initialization successful + */ + bool (*add)(imc_manager_t *this, imc_t *imc); + + /** + * Remove an IMC instance from the list and return it + * + * @param id ID of IMC instance + * @return removed IMC instance + */ + imc_t* (*remove)(imc_manager_t *this, TNC_IMCID id); + + /** + * Return the preferred language for recommendations + * + * @return preferred language string + */ + char* (*get_preferred_language)(imc_manager_t *this); + + /** + * Notify all IMC instances + * + * @param state communicate the state a connection has reached + */ + void (*notify_connection_change)(imc_manager_t *this, + TNC_ConnectionID id, + TNC_ConnectionState state); + + /** + * Begin a handshake between the IMCs and a connection + * + * @param id connection ID + */ + void (*begin_handshake)(imc_manager_t *this, TNC_ConnectionID id); + + /** + * Sets the supported message types reported by a given IMC + * + * @param id ID of reporting IMC + * @param supported_types list of messages type supported by IMC + * 
@param type_count number of supported message types + * @return TNC result code + */ + TNC_Result (*set_message_types)(imc_manager_t *this, + TNC_IMCID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Delivers a message to interested IMCs. + * + * @param connection_id ID of connection over which message was received + * @param message message + * @param message_len message length + * @param message_type message type + */ + void (*receive_message)(imc_manager_t *this, + TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type); + + /** + * Notify all IMCs that all IMV messages received in a batch have been + * delivered and this is the IMCs last chance to send a message in the + * batch of IMC messages currently being collected. + * + * @param id connection ID + */ + void (*batch_ending)(imc_manager_t *this, TNC_ConnectionID id); + + /** + * Destroy an IMC manager and all its controlled instances. + */ + void (*destroy)(imc_manager_t *this); +}; + +#endif /** IMC_MANAGER_H_ @}*/ diff --git a/src/libcharon/tnc/imv/imv.h b/src/libcharon/tnc/imv/imv.h new file mode 100644 index 000000000..26874ab0b --- /dev/null +++ b/src/libcharon/tnc/imv/imv.h 
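Review bot: notify_connection_change in imc_manager_t documents `@param state` but not the `id` parameter it also takes; add `@param id connection ID`. `remove` hands back the removed imc_t without saying who owns it afterwards; a line such as `@return removed IMC instance, caller must destroy it` (confirmed against the implementation) would fix the contract. `@return TRUE if initialization successful` on `add` presumably refers to the IMC's initialize callback succeeding; saying so makes the meaning clear.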
@@ -0,0 +1,175 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv imv + * @ingroup tnc + * + * @defgroup imvt imv + * @{ @ingroup imv + */ + +#ifndef IMV_H_ +#define IMV_H_ + +#include +#include + +typedef struct imv_t imv_t; + +/** + * Controls a single Integrity Measurement Verifier (IMV) + */ +struct imv_t { + + /** + * The TNC Server calls this function to initialize the IMV and agree on + * the API version number to be used. It also supplies the IMV ID, an IMV + * identifier that the IMV must use when calling TNC Server callback functions. + * + * @param imvID IMV ID assigned by TNCS + * @param minVersion minimum API version supported + * @param maxVersion maximum API version supported by TNCS + * @param OutActualVersion mutually supported API version number + * @return TNC result code + */ + TNC_Result (*initialize)(TNC_IMVID imvID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *OutActualVersion); + + /** + * The TNC Server calls this function to inform the IMV that the state of + * the network connection identified by connectionID has changed to newState. 
+ * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @param newState new network connection state + * @return TNC result code + */ + TNC_Result (*notify_connection_change)(TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); + + /** + * The TNC Server calls this function at the end of an Integrity Check + * Handshake (after all IMC-IMV messages have been delivered) to solicit + * recommendations from IMVs that have not yet provided a recommendation. + * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*solicit_recommendation)(TNC_IMVID imvID, + TNC_ConnectionID connectionID); + + /** + * The TNC Server calls this function to deliver a message to the IMV. + * The message is contained in the buffer referenced by message and contains + * the number of octets indicated by messageLength. The type of the message + * is indicated by messageType. + * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @param message reference to buffer containing message + * @param messageLength number of octets in message + * @param messageType message type of message + * @return TNC result code + */ + TNC_Result (*receive_message)(TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); + + /** + * The TNC Server calls this function to notify IMVs that all IMC messages + * received in a batch have been delivered and this is the IMV’s last chance + * to send a message in the batch of IMV messages currently being collected. 
+ * + * @param imvID IMV ID assigned by TNCS + * @param connectionID network connection ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*batch_ending)(TNC_IMVID imvID, + TNC_ConnectionID connectionID); + + /** + * The TNC Server calls this function to close down the IMV. + * + * @param imvID IMV ID assigned by TNCS + * @return TNC result code + */ + TNC_Result (*terminate)(TNC_IMVID imvID); + + /** + * IMVs implementing the UNIX/Linux Dynamic Linkage platform binding MUST + * define this additional function. The TNC Server MUST call the function + * immediately after calling TNC_IMV_Initialize to provide a pointer to the + * TNCS bind function. The IMV can then use the TNCS bind function to obtain + * pointers to any other TNCS functions. + * + * @param imvID IMV ID assigned by TNCS + * @param bindFunction pointer to TNC_TNCS_BindFunction + * @return TNC result code + */ + TNC_Result (*provide_bind_function)(TNC_IMVID imvID, + TNC_TNCS_BindFunctionPointer bindFunction); + + /** + * Sets the ID of an imv_t object. + * + * @param id IMV ID to be assigned + */ + void (*set_id)(imv_t *this, TNC_IMVID id); + + /** + * Returns the ID of an imv_t object. + * + * @return IMV ID assigned by TNCS + */ + TNC_IMVID (*get_id)(imv_t *this); + + /** + * Returns the name of an imv_t object. + * + * @return name of IMV + */ + char* (*get_name)(imv_t *this); + + /** + * Sets the supported message types of an imv_t object. + * + * @param supported_types list of messages type supported by IMV + * @param type_count number of supported message types + */ + void (*set_message_types)(imv_t *this, TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Check if the IMV supports a given message type. + * + * @param message_type message type + * @return TRUE if supported + */ + bool (*type_supported)(imv_t *this, TNC_MessageType message_type); + + /** + * Destroys an imv_t object. + */ + void (*destroy)(imv_t *this); +}; + +#endif /** IMV_H_ @}*/ 
diff --git a/src/libcharon/tnc/imv/imv_manager.h b/src/libcharon/tnc/imv/imv_manager.h new file mode 100644 index 000000000..b5c581a75 --- /dev/null +++ b/src/libcharon/tnc/imv/imv_manager.h 
@@ -0,0 +1,134 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_manager imv_manager + * @{ @ingroup imv + */ + +#ifndef IMV_MANAGER_H_ +#define IMV_MANAGER_H_ + +#include "imv.h" +#include "imv_recommendations.h" + +#include + +typedef struct imv_manager_t imv_manager_t; + +/** + * The IMV manager controls all IMV instances. + */ +struct imv_manager_t { + + /** + * Add an IMV instance + * + * @param imv IMV instance + * @return TRUE if initialization successful + */ + bool (*add)(imv_manager_t *this, imv_t *imv); + + /** + * Remove an IMV instance from the list and return it + * + * @param id ID of IMV instance + * @return removed IMC instance + */ + imv_t* (*remove)(imv_manager_t *this, TNC_IMVID id); + + /** + * Get the configured recommendation policy + * + * @return configured recommendation policy + */ + recommendation_policy_t (*get_recommendation_policy)(imv_manager_t *this); + + /** + * Create an empty set of IMV recommendations and evaluations + * + * @return instance of a recommendations_t list + */ + recommendations_t* (*create_recommendations)(imv_manager_t *this); + + /** + * Enforce the TNC recommendation on the IKE_SA by either inserting an + * allow|isolate group membership rule (TRUE) or by blocking access (FALSE) + * + * @param void TNC action recommendation + * @return TRUE for allow|isolate, FALSE for none + */ + bool (*enforce_recommendation)(imv_manager_t *this, + 
TNC_IMV_Action_Recommendation rec); + + /** + * Notify all IMV instances + * + * @param state communicate the state a connection has reached + */ + void (*notify_connection_change)(imv_manager_t *this, + TNC_ConnectionID id, + TNC_ConnectionState state); + + /** + * Sets the supported message types reported by a given IMV + * + * @param id ID of reporting IMV + * @param supported_types list of messages type supported by IMV + * @param type_count number of supported message types + * @return TNC result code + */ + TNC_Result (*set_message_types)(imv_manager_t *this, + TNC_IMVID id, + TNC_MessageTypeList supported_types, + TNC_UInt32 type_count); + + /** + * Solicit recommendations from IMVs that have not yet provided one + * + * @param id connection ID + */ + void (*solicit_recommendation)(imv_manager_t *this, TNC_ConnectionID id); + + /** + * Delivers a message to interested IMVs. + * + * @param connection_id ID of connection over which message was received + * @param message message + * @param message_len message length + * @param message_type message type + */ + void (*receive_message)(imv_manager_t *this, + TNC_ConnectionID connection_id, + TNC_BufferReference message, + TNC_UInt32 message_len, + TNC_MessageType message_type); + + /** + * Notify all IMVs that all IMC messages received in a batch have been + * delivered and this is the IMVs last chance to send a message in the + * batch of IMV messages currently being collected. + * + * @param id connection ID + */ + void (*batch_ending)(imv_manager_t *this, TNC_ConnectionID id); + + /** + * Destroy an IMV manager and all its controlled instances. + */ + void (*destroy)(imv_manager_t *this); +}; + +#endif /** IMV_MANAGER_H_ @}*/ diff --git a/src/libcharon/tnc/imv/imv_recommendations.c b/src/libcharon/tnc/imv/imv_recommendations.c new file mode 100644 index 000000000..9daaca16c --- /dev/null +++ b/src/libcharon/tnc/imv/imv_recommendations.c 
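Review bot: The enforce_recommendation comment documents its argument as `@param void TNC action recommendation`, but the parameter is named `rec`, so the line should read `@param rec TNC action recommendation`. The remove comment says `@return removed IMC instance` although this is the IMV manager and the function returns an `imv_t*`; `@return removed IMV instance` is the intended text. notify_connection_change documents `state` but not its `id` argument; add `@param id connection ID` above the existing `@param state` line.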
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "imv_recommendations.h"
+
+ENUM(recommendation_policy_names, RECOMMENDATION_POLICY_DEFAULT,
+ RECOMMENDATION_POLICY_ALL,
+ "default",
+ "any",
+ "all"
+);
+
diff --git a/src/libcharon/tnc/imv/imv_recommendations.h b/src/libcharon/tnc/imv/imv_recommendations.h
new file mode 100644
index 000000000..3a6e25c9f
--- /dev/null
+++ b/src/libcharon/tnc/imv/imv_recommendations.h
@@ -0,0 +1,117 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup imv_recommendations imv_recommendations + * @{ @ingroup imv + */ + +#ifndef IMV_RECOMMENDATIONS_H_ +#define IMV_RECOMMENDATIONS_H_ + +#include +#include + +typedef enum recommendation_policy_t recommendation_policy_t; + +enum recommendation_policy_t { + RECOMMENDATION_POLICY_DEFAULT, + RECOMMENDATION_POLICY_ANY, + RECOMMENDATION_POLICY_ALL +}; + +extern enum_name_t *recommendation_policy_names; + + +typedef struct recommendations_t recommendations_t; + +/** + * Collection of all IMV action recommendations and evaluation results + */ +struct recommendations_t { + + /** + * Deliver an IMV action recommendation and IMV evaluation result to the TNCS + * + * @param imv_id ID of the IMV providing the recommendation + * @param rec action recommendation + * @param eval evaluation result + * @return return code + */ + TNC_Result (*provide_recommendation)(recommendations_t *this, + TNC_IMVID imv_id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + + /** + * If all IMVs provided a recommendation, derive a consolidated action + * recommendation and evaluation result based on a configured policy + * + * @param rec action recommendation + * @param eval evaluation result + * @return TRUE if all IMVs provided a recommendation + */ + bool (*have_recommendation)(recommendations_t *this, + TNC_IMV_Action_Recommendation 
*rec, + TNC_IMV_Evaluation_Result *eval); + + /** + * Get the preferred language for remediation messages + * + * @return preferred language + */ + chunk_t (*get_preferred_language)(recommendations_t *this); + + /** + * Set the preferred language for remediation messages + * + * @param pref_lang preferred language + */ + void (*set_preferred_language)(recommendations_t *this, chunk_t pref_lang); + + /** + * Set the reason string + * + * @param id ID of IMV setting the reason string + * @param reason reason string + * @result return code + */ + TNC_Result (*set_reason_string)(recommendations_t *this, TNC_IMVID id, + chunk_t reason); + + /** + * Set the language for reason strings + * + * @param id ID of IMV setting the reason language + * @param reason_lang reason language + * @result return code + */ + TNC_Result (*set_reason_language)(recommendations_t *this, TNC_IMVID id, + chunk_t reason_lang); + + /** + * Enumerates over all IMVs sending a reason string. + * Format: TNC_IMVID *id, chunk_t *reason, chunk_t *reason_language + * + * @return enumerator + */ + enumerator_t* (*create_reason_enumerator)(recommendations_t *this); + /** + * Destroys an imv_t object. + */ + void (*destroy)(recommendations_t *this); +}; + +#endif /** IMV_RECOMMENDATIONS_H_ @}*/ diff --git a/src/libcharon/tnc/tnccs/tnccs.c b/src/libcharon/tnc/tnccs/tnccs.c new file mode 100644 index 000000000..575b850f5 --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs.c 
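Review bot: set_reason_string and set_reason_language document their result with `@result return code`, which is not a Doxygen tag and will not render; both should use `@return return code` like the rest of the header. have_recommendation documents `rec` and `eval` as plain inputs although they are pointers the function writes into, so `@param rec receives the consolidated action recommendation` and `@param eval receives the consolidated evaluation result` describe the contract more accurately. The destroy comment reads `Destroys an imv_t object.` but this interface is recommendations_t; `Destroys a recommendations_t object.` is the intended text.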
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) 2010 Andreas Steffen
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "tnccs.h"
+
+ENUM(tnccs_type_names, TNCCS_UNKNOWN, TNCCS_2_0,
+ "unknown TNCCS",
+ "TNCCS 1.1",
+ "TNCCS SOH",
+ "TNCCS 2.0",
+);
diff --git a/src/libcharon/tnc/tnccs/tnccs.h b/src/libcharon/tnc/tnccs/tnccs.h
new file mode 100644
index 000000000..c5d6f5ef0
--- /dev/null
+++ b/src/libcharon/tnc/tnccs/tnccs.h
@@ -0,0 +1,82 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs tnccs + * @ingroup tnc + * + * @defgroup tnccst tnccs + * @{ @ingroup tnccs + */ + +#ifndef TNCCS_H_ +#define TNCCS_H_ + +#include +#include +#include +#include + +#define IETF_VENDOR_ID 0x000000 /* 0 */ +#define MICROSOFT_VENDOR_ID 0x000137 /* 311 */ +#define OSC_VENDOR_ID 0x002358 /* 9048 */ +#define FHH_VENDOR_ID 0x0080ab /* 32939 */ +#define ITA_VENDOR_ID 0x00902a /* 36906 */ +#define RESERVED_VENDOR_ID 0xffffff /* 16777215 */ + +typedef enum tnccs_type_t tnccs_type_t; + +/** + * Type of TNC Client/Server protocol + */ +enum tnccs_type_t { + TNCCS_UNKNOWN, + TNCCS_1_1, + TNCCS_SOH, + TNCCS_2_0, + TNCCS_DYNAMIC +}; + +/** + * enum names for tnccs_type_t. + */ +extern enum_name_t *tnccs_type_names; + +typedef struct tnccs_t tnccs_t; + +/** + * Constructor definition for a pluggable TNCCS protocol implementation. 
+ * + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return implementation of the tnccs_t interface + */ +typedef tnccs_t* (*tnccs_constructor_t)(bool is_server); + +/** + * Callback function adding a message to a TNCCS batch + * + * @param imc_id ID of IMC or TNC_IMCID_ANY + * @param imc_id ID of IMV or TNC_IMVID_ANY + * @param msg message to be added + * @param msg_len message length + * @param msg_type message type + */ +typedef void (*tnccs_send_message_t)(tnccs_t* tncss, TNC_IMCID imc_id, + TNC_IMVID imv_id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type); + +#endif /** TNCCS_H_ @}*/ diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.c b/src/libcharon/tnc/tnccs/tnccs_manager.c new file mode 100644 index 000000000..7e522b870 --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs_manager.c 
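Review bot: The tnccs_send_message_t comment lists `@param imc_id` twice; the second entry describes the IMV and should be `@param imv_id ID of IMV or TNC_IMVID_ANY`. The same typedef names its first parameter `tncss`, which looks like a typo for `tnccs` and is also the one parameter without a `@param`; renaming it and adding `@param tnccs TNCCS connection instance` keeps the declaration consistent with the `tnccs_t *tnccs` parameter used by the manager interface.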
@@ -0,0 +1,477 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tnccs_manager.h" + +#include + +#include +#include +#include +#include + +typedef struct private_tnccs_manager_t private_tnccs_manager_t; +typedef struct tnccs_entry_t tnccs_entry_t; +typedef struct tnccs_connection_entry_t tnccs_connection_entry_t; + +/** + * TNCCS constructor entry + */ +struct tnccs_entry_t { + + /** + * TNCCS protocol type + */ + tnccs_type_t type; + + /** + * constructor function to create instance + */ + tnccs_constructor_t constructor; +}; + +/** + * TNCCS connection entry + */ +struct tnccs_connection_entry_t { + + /** + * TNCCS connection ID + */ + TNC_ConnectionID id; + + /** + * TNCCS instance + */ + tnccs_t *tnccs; + + /** + * TNCCS send message function + */ + tnccs_send_message_t send_message; + + /** + * TNCCS request handshake retry flag + */ + bool *request_handshake_retry; + + /** + * collection of IMV recommendations + */ + recommendations_t *recs; +}; + +/** + * private data of tnccs_manager + */ +struct private_tnccs_manager_t { + + /** + * public functions + */ + tnccs_manager_t public; + + /** + * list of TNCCS protocol entries + */ + linked_list_t *protocols; + + /** + * rwlock to lock the TNCCS protocol entries + */ + rwlock_t *protocol_lock; + + /** + * connection ID counter + */ + TNC_ConnectionID connection_id; + + /** + * list of TNCCS connection entries + */ + linked_list_t *connections; + 
+ /** + * rwlock to lock TNCCS connection entries + */ + rwlock_t *connection_lock; + +}; + +METHOD(tnccs_manager_t, add_method, void, + private_tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor) +{ + tnccs_entry_t *entry; + + entry = malloc_thing(tnccs_entry_t); + entry->type = type; + entry->constructor = constructor; + + this->protocol_lock->write_lock(this->protocol_lock); + this->protocols->insert_last(this->protocols, entry); + this->protocol_lock->unlock(this->protocol_lock); +} + +METHOD(tnccs_manager_t, remove_method, void, + private_tnccs_manager_t *this, tnccs_constructor_t constructor) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + + this->protocol_lock->write_lock(this->protocol_lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (constructor == entry->constructor) + { + this->protocols->remove_at(this->protocols, enumerator); + free(entry); + } + } + enumerator->destroy(enumerator); + this->protocol_lock->unlock(this->protocol_lock); +} + +METHOD(tnccs_manager_t, create_instance, tnccs_t*, + private_tnccs_manager_t *this, tnccs_type_t type, bool is_server) +{ + enumerator_t *enumerator; + tnccs_entry_t *entry; + tnccs_t *protocol = NULL; + + this->protocol_lock->read_lock(this->protocol_lock); + enumerator = this->protocols->create_enumerator(this->protocols); + while (enumerator->enumerate(enumerator, &entry)) + { + if (type == entry->type) + { + protocol = entry->constructor(is_server); + if (protocol) + { + break; + } + } + } + enumerator->destroy(enumerator); + this->protocol_lock->unlock(this->protocol_lock); + + return protocol; +} + +METHOD(tnccs_manager_t, create_connection, TNC_ConnectionID, + private_tnccs_manager_t *this, tnccs_t *tnccs, + tnccs_send_message_t send_message, bool* request_handshake_retry, + recommendations_t **recs) +{ + tnccs_connection_entry_t *entry; + + entry = malloc_thing(tnccs_connection_entry_t); + 
entry->tnccs = tnccs; + entry->send_message = send_message; + entry->request_handshake_retry = request_handshake_retry; + if (recs) + { + /* we assume a TNC Server needing recommendations from IMVs */ + if (!charon->imvs) + { + DBG1(DBG_TNC, "no IMV manager available!"); + free(entry); + return 0; + } + entry->recs = charon->imvs->create_recommendations(charon->imvs); + *recs = entry->recs; + } + else + { + /* we assume a TNC Client */ + if (!charon->imcs) + { + DBG1(DBG_TNC, "no IMC manager available!"); + free(entry); + return 0; + } + entry->recs = NULL; + } + this->connection_lock->write_lock(this->connection_lock); + entry->id = ++this->connection_id; + this->connections->insert_last(this->connections, entry); + this->connection_lock->unlock(this->connection_lock); + + DBG1(DBG_TNC, "assigned TNCCS Connection ID %u", entry->id); + return entry->id; +} + +METHOD(tnccs_manager_t, remove_connection, void, + private_tnccs_manager_t *this, TNC_ConnectionID id) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + + this->connection_lock->write_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + this->connections->remove_at(this->connections, enumerator); + if (entry->recs) + { + entry->recs->destroy(entry->recs); + } + free(entry); + DBG1(DBG_TNC, "removed TNCCS Connection ID %u", id); + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); +} + +METHOD(tnccs_manager_t, request_handshake_retry, TNC_Result, + private_tnccs_manager_t *this, bool is_imc, TNC_UInt32 imcv_id, + TNC_ConnectionID id, + TNC_RetryReason reason) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + + if (id == TNC_CONNECTIONID_ANY) + { + DBG2(DBG_TNC, "%s %u requests handshake retry for all connections " + "(reason: %u)", is_imc ? 
"IMC":"IMV", reason); + } + else + { + DBG2(DBG_TNC, "%s %u requests handshake retry for connection ID %u " + "(reason: %u)", is_imc ? "IMC":"IMV", id, reason); + } + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == TNC_CONNECTIONID_ANY || id == entry->id) + { + *entry->request_handshake_retry = TRUE; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + return TNC_RESULT_SUCCESS; +} + +METHOD(tnccs_manager_t, send_message, TNC_Result, + private_tnccs_manager_t *this, TNC_IMCID imc_id, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + tnccs_send_message_t send_message = NULL; + tnccs_t *tnccs = NULL; + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + tnccs = entry->tnccs; + send_message = entry->send_message; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (tnccs && send_message) + { + send_message(tnccs, imc_id, imv_id, msg, msg_len, msg_type); + return TNC_RESULT_SUCCESS; + } + return TNC_RESULT_FATAL; +} + +METHOD(tnccs_manager_t, provide_recommendation, TNC_Result, + private_tnccs_manager_t *this, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + recommendations_t *recs = NULL; + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if 
(id == entry->id) + { + recs = entry->recs; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (recs) + { + recs->provide_recommendation(recs, imv_id, rec, eval); + return TNC_RESULT_SUCCESS; + } + return TNC_RESULT_FATAL; +} + +METHOD(tnccs_manager_t, get_attribute, TNC_Result, + private_tnccs_manager_t *this, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer, + TNC_UInt32 *out_value_len) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + recommendations_t *recs = NULL; + + if (id == TNC_CONNECTIONID_ANY || + attribute_id != TNC_ATTRIBUTEID_PREFERRED_LANGUAGE) + { + return TNC_RESULT_INVALID_PARAMETER; + } + + this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + recs = entry->recs; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (recs) + { + chunk_t pref_lang; + + pref_lang = recs->get_preferred_language(recs); + if (pref_lang.len == 0) + { + return TNC_RESULT_INVALID_PARAMETER; + } + *out_value_len = pref_lang.len; + if (buffer && buffer_len <= pref_lang.len) + { + memcpy(buffer, pref_lang.ptr, pref_lang.len); + } + return TNC_RESULT_SUCCESS; + } + return TNC_RESULT_INVALID_PARAMETER; +} + +METHOD(tnccs_manager_t, set_attribute, TNC_Result, + private_tnccs_manager_t *this, TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer) +{ + enumerator_t *enumerator; + tnccs_connection_entry_t *entry; + recommendations_t *recs = NULL; + + if (id == TNC_CONNECTIONID_ANY || + (attribute_id != TNC_ATTRIBUTEID_REASON_STRING && + attribute_id != TNC_ATTRIBUTEID_REASON_LANGUAGE)) + { + return TNC_RESULT_INVALID_PARAMETER; + } + 
+ this->connection_lock->read_lock(this->connection_lock); + enumerator = this->connections->create_enumerator(this->connections); + while (enumerator->enumerate(enumerator, &entry)) + { + if (id == entry->id) + { + recs = entry->recs; + break; + } + } + enumerator->destroy(enumerator); + this->connection_lock->unlock(this->connection_lock); + + if (recs) + { + chunk_t attribute = { buffer, buffer_len }; + + if (attribute_id == TNC_ATTRIBUTEID_REASON_STRING) + { + return recs->set_reason_string(recs, imv_id, attribute); + } + else + { + return recs->set_reason_language(recs, imv_id, attribute); + } + } + return TNC_RESULT_INVALID_PARAMETER; +} + +METHOD(tnccs_manager_t, destroy, void, + private_tnccs_manager_t *this) +{ + this->protocols->destroy_function(this->protocols, free); + this->protocol_lock->destroy(this->protocol_lock); + this->connections->destroy_function(this->connections, free); + this->connection_lock->destroy(this->connection_lock); + free(this); +} + +/* + * See header + */ +tnccs_manager_t *tnccs_manager_create() +{ + private_tnccs_manager_t *this; + + INIT(this, + .public = { + .add_method = _add_method, + .remove_method = _remove_method, + .create_instance = _create_instance, + .create_connection = _create_connection, + .remove_connection = _remove_connection, + .request_handshake_retry = _request_handshake_retry, + .send_message = _send_message, + .provide_recommendation = _provide_recommendation, + .get_attribute = _get_attribute, + .set_attribute = _set_attribute, + .destroy = _destroy, + }, + .protocols = linked_list_create(), + .connections = linked_list_create(), + .protocol_lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + .connection_lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + return &this->public; +} + diff --git a/src/libcharon/tnc/tnccs/tnccs_manager.h b/src/libcharon/tnc/tnccs/tnccs_manager.h new file mode 100644 index 000000000..c02eac03c --- /dev/null +++ b/src/libcharon/tnc/tnccs/tnccs_manager.h 
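Review bot: get_attribute copies pref_lang.len bytes into the caller's buffer under the inverted bound `if (buffer && buffer_len <= pref_lang.len)`, so any buffer smaller than the preferred-language string is overrun; the guard should be `if (buffer && buffer_len >= pref_lang.len)`, with *out_value_len (already set just above) telling a short-buffer caller how much space is needed. The two DBG2 calls in request_handshake_retry supply fewer arguments than their format strings have conversions — `imcv_id` is missing right after the `"IMC":"IMV"` argument in both — which is undefined behaviour on every retry request. In the same loop the `break` after the first match means TNC_CONNECTIONID_ANY flags only one connection instead of all of them; the break should apply only when a specific id was matched. set_attribute builds `chunk_t attribute = { buffer, buffer_len }` without rejecting a NULL buffer with a nonzero length, which is worth checking before the chunk is handed to recs.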
@@ -0,0 +1,184 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup tnccs_manager tnccs_manager + * @{ @ingroup tnccs + */ + +#ifndef TNCCS_MANAGER_H_ +#define TNCCS_MANAGER_H_ + +#include "tnccs.h" + +#include + +typedef struct tnccs_manager_t tnccs_manager_t; + +/** + * The TNCCS manager manages all TNCCS implementations and creates instances. + * + * A plugin registers its implemented TNCCS protocol with the manager by + * providing type and a constructor function. The manager then creates + * TNCCS protocol instances via the provided constructor. + */ +struct tnccs_manager_t { + + /** + * Register a TNCCS protocol implementation. + * + * @param type TNCCS protocol type + * @param constructor constructor, returns a TNCCS protocol implementation + */ + void (*add_method)(tnccs_manager_t *this, tnccs_type_t type, + tnccs_constructor_t constructor); + + /** + * Unregister a TNCCS protocol implementation using it's constructor. + * + * @param constructor constructor function to remove, as added in add_method + */ + void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor); + + /** + * Create a new TNCCS protocol instance. 
+ * + * @param type type of the TNCCS protocol + * @param is_server TRUE if TNC Server, FALSE if TNC Client + * @return TNCCS protocol instance, NULL if no constructor found + */ + tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, + bool is_server); + + /** + * Create a TNCCS connection and assign a unique connection ID as well a + * callback function for adding a message to a TNCCS batch and create + * an empty set for collecting IMV recommendations + * + * @param tnccs TNCCS connection instance + * @param send_message TNCCS callback function + * @param request_handshake_retry pointer to boolean variable + * @param recs pointer to IMV recommendation set + * @return assigned connection ID + */ + TNC_ConnectionID (*create_connection)(tnccs_manager_t *this, tnccs_t *tnccs, + tnccs_send_message_t send_message, + bool *request_handshake_retry, + recommendations_t **recs); + + /** + * Remove a TNCCS connection using its connection ID. + * + * @param id ID of the connection to be removed + */ + void (*remove_connection)(tnccs_manager_t *this, TNC_ConnectionID id); + + /** + * Request a handshake retry + * + * @param is_imc TRUE if IMC, FALSE if IMV + * @param imcv_id ID of IMC or IMV requesting the retry + * @param id ID of a specific connection or any connection + * @param reason reason for the handshake retry + * @return return code + */ + TNC_Result (*request_handshake_retry)(tnccs_manager_t *this, bool is_imc, + TNC_UInt32 imcv_id, + TNC_ConnectionID id, + TNC_RetryReason reason); + + /** + * Add an IMC/IMV message to the batch of a given connection ID. 
+ * + * @param imc_id ID of IMC or TNC_IMCID_ANY + * @param imv_id ID of IMV or TNC_IMVID_ANY + * @param id ID of target connection + * @param msg message to be added + * @param msg_len message length + * @param msg_type message type + * @return return code + */ + TNC_Result (*send_message)(tnccs_manager_t *this, TNC_IMCID imc_id, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_BufferReference msg, + TNC_UInt32 msg_len, + TNC_MessageType msg_type); + + /** + * Deliver an IMV Action Recommendation and IMV Evaluation Result to the TNCS + * + * @param imv_id ID of the IMV providing the recommendation + * @param id ID of target connection + * @param rec action recommendation + * @param eval evaluation result + * @return return code + */ + TNC_Result (*provide_recommendation)(tnccs_manager_t *this, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_IMV_Action_Recommendation rec, + TNC_IMV_Evaluation_Result eval); + + /** + * Get the value of an attribute associated with a connection or with the + * TNCS as a whole. + * + * @param imv_id ID of the IMV requesting the attribute + * @param id ID of target connection + * @param attribute_id ID of the requested attribute + * @param buffer_len length of the buffer in bytes + * @param buffer pointer to the buffer + * @param out_value_len actual length of the returned attribute + * @return return code + */ + TNC_Result (*get_attribute)(tnccs_manager_t *this, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer, + TNC_UInt32 *out_value_len); + + /** + * Set the value of an attribute associated with a connection or with the + * TNCS as a whole. 
+ * + * @param imv_id ID of the IMV setting the attribute + * @param id ID of target connection + * @param attribute_id ID of the attribute to be set + * @param buffer_len length of the buffer in bytes + * @param buffer pointer to the buffer + * @return return code + */ + TNC_Result (*set_attribute)(tnccs_manager_t *this, + TNC_IMVID imv_id, + TNC_ConnectionID id, + TNC_AttributeID attribute_id, + TNC_UInt32 buffer_len, + TNC_BufferReference buffer); + + /** + * Destroy a tnccs_manager instance. + */ + void (*destroy)(tnccs_manager_t *this); +}; + +/** + * Create a tnccs_manager instance. + */ +tnccs_manager_t *tnccs_manager_create(); + +#endif /** TNCCS_MANAGER_H_ @}*/ diff --git a/src/libcharon/tnc/tncif.h b/src/libcharon/tnc/tncif.h new file mode 100644 index 000000000..99441a9a9 --- /dev/null +++ b/src/libcharon/tnc/tncif.h 
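Review bot: `tnccs_manager_t *tnccs_manager_create();` declares the constructor with an empty parameter list, which in C is not a prototype, so calls with stray arguments are not diagnosed; write `tnccs_manager_t *tnccs_manager_create(void);` here and in the definition in tnccs_manager.c. The create_connection documentation states only `@return assigned connection ID`, but the accompanying implementation returns 0 when no IMC or IMV manager is available, so callers need `@return assigned connection ID, 0 if no IMC/IMV manager is available` to recognise the failure value. The remove_method comment's `using it's constructor` should read `using its constructor`.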
@@ -0,0 +1,106 @@ +/* tncif.h + * + * Trusted Network Connect IF-IMV API version 1.20 + * Microsoft Windows DLL Platform Binding C Header + * February 5, 2007 + * + * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * - Neither the name of the Trusted Computing Group nor the names of + * its contributors may be used to endorse or promote products + * derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Contact the Trusted Computing Group at + * admin@trustedcomputinggroup.org for information on specification + * licensing through membership agreements. 
+ * + * Any marks and brands contained herein are the property of their + * respective owners. + * + * Trusted Network Connect IF-IMC/IF-IMV API version 1.00 Revision 3 + * Microsoft Windows DLL Platform Binding C Header + * Common definitions for IF-IMC and IF-IMV + * extracted from tncifimc.h and tncifimv.h + * Feb 12, 2007 + */ + +/** + * @defgroup tnc tnc + * @ingroup libcharon + * + * @defgroup tncif tncif + * @{ @ingroup tnc + */ + +#ifndef TNCIF_H_ +#define TNCIF_H_ + +/* Basic Types */ +typedef unsigned long TNC_UInt32; +typedef unsigned char *TNC_BufferReference; + +/* Derived Types */ +typedef TNC_UInt32 TNC_ConnectionID; +typedef TNC_UInt32 TNC_ConnectionState; +typedef TNC_UInt32 TNC_RetryReason; +typedef TNC_UInt32 TNC_MessageType; +typedef TNC_MessageType *TNC_MessageTypeList; +typedef TNC_UInt32 TNC_VendorID; +typedef TNC_UInt32 TNC_MessageSubtype; +typedef TNC_UInt32 TNC_Version; +typedef TNC_UInt32 TNC_Result; + +/* Result Codes */ +#define TNC_RESULT_SUCCESS 0 +#define TNC_RESULT_NOT_INITIALIZED 1 +#define TNC_RESULT_ALREADY_INITIALIZED 2 +#define TNC_RESULT_NO_COMMON_VERSION 3 +#define TNC_RESULT_CANT_RETRY 4 +#define TNC_RESULT_WONT_RETRY 5 +#define TNC_RESULT_INVALID_PARAMETER 6 +#define TNC_RESULT_CANT_RESPOND 7 +#define TNC_RESULT_ILLEGAL_OPERATION 8 +#define TNC_RESULT_OTHER 9 +#define TNC_RESULT_FATAL 10 + +/* Network Connection ID Values */ +#define TNC_CONNECTIONID_ANY 0xFFFFFFFF +/* Network Connection State Values */ +#define TNC_CONNECTION_STATE_CREATE 0 +#define TNC_CONNECTION_STATE_HANDSHAKE 1 +#define TNC_CONNECTION_STATE_ACCESS_ALLOWED 2 +#define TNC_CONNECTION_STATE_ACCESS_ISOLATED 3 +#define TNC_CONNECTION_STATE_ACCESS_NONE 4 +#define TNC_CONNECTION_STATE_DELETE 5 + +/* Vendor ID Values */ +#define TNC_VENDORID_TCG 0 +#define TNC_VENDORID_ANY ((TNC_VendorID) 0xffffff) +/* Message Subtype Values */ +#define TNC_SUBTYPE_ANY ((TNC_MessageSubtype) 0xff) + +#endif /** TNCIF_H_ @}*/ 
diff --git a/src/libcharon/tnc/tncifimc.h b/src/libcharon/tnc/tncifimc.h
new file mode 100644
index 000000000..c6ddabd45
--- /dev/null
+++ b/src/libcharon/tnc/tncifimc.h
@@ -0,0 +1,180 @@ +/* tncifimc.h + * + * Trusted Network Connect IF-IMC API version 1.20 Revision 8 + * Microsoft Windows DLL Platform Binding C Header + * February 5, 2007 + * + * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * - Neither the name of the Trusted Computing Group nor the names of + * its contributors may be used to endorse or promote products + * derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Contact the Trusted Computing Group at + * admin@trustedcomputinggroup.org for information on specification + * licensing through membership agreements. 
+ * + * Any marks and brands contained herein are the property of their + * respective owners. + * + */ + +/** + * @defgroup tncifimc tncifimc + * @{ @ingroup tnc + */ + +#ifndef TNCIFIMC_H_ +#define TNCIFIMC_H_ + +#include "tncif.h" + +/* Derived Types */ + +typedef TNC_UInt32 TNC_IMCID; + +/* Function pointers */ + +typedef TNC_Result (*TNC_IMC_InitializePointer)( + TNC_IMCID imcID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *pOutActualVersion); +typedef TNC_Result (*TNC_IMC_NotifyConnectionChangePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); +typedef TNC_Result (*TNC_IMC_BeginHandshakePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMC_ReceiveMessagePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_IMC_BatchEndingPointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMC_TerminatePointer)( + TNC_IMCID imcID); +typedef TNC_Result (*TNC_TNCC_ReportMessageTypesPointer)( + TNC_IMCID imcID, + TNC_MessageTypeList supportedTypes, + TNC_UInt32 typeCount); +typedef TNC_Result (*TNC_TNCC_SendMessagePointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_TNCC_RequestHandshakeRetryPointer)( + TNC_IMCID imcID, + TNC_ConnectionID connectionID, + TNC_RetryReason reason); +typedef TNC_Result (*TNC_TNCC_BindFunctionPointer)( + TNC_IMCID imcID, + char *functionName, + void **pOutfunctionPointer); +typedef TNC_Result (*TNC_IMC_ProvideBindFunctionPointer)( + TNC_IMCID imcID, + TNC_TNCC_BindFunctionPointer bindFunction); + +#define TNC_IFIMC_VERSION_1 1 + +/* Handshake Retry Reason Values */ + +#define TNC_RETRY_REASON_IMC_REMEDIATION_COMPLETE 0 +#define TNC_RETRY_REASON_IMC_SERIOUS_EVENT 1 
+#define TNC_RETRY_REASON_IMC_INFORMATIONAL_EVENT 2 +#define TNC_RETRY_REASON_IMC_PERIODIC 3 +/* reserved for TNC_RETRY_REASON_IMV_IMPORTANT_POLICY_CHANGE: 4 */ +/* reserved for TNC_RETRY_REASON_IMV_MINOR_POLICY_CHANGE: 5 */ +/* reserved for TNC_RETRY_REASON_IMV_SERIOUS_EVENT: 6 */ +/* reserved for TNC_RETRY_REASON_IMV_MINOR_EVENT: 7 */ +/* reserved for TNC_RETRY_REASON_IMV_PERIODIC: 8 */ + +/* IMC Functions */ + +TNC_Result TNC_IMC_Initialize( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_Version minVersion, +/*in*/ TNC_Version maxVersion, +/*out*/ TNC_Version *pOutActualVersion); + +TNC_Result TNC_IMC_NotifyConnectionChange( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_ConnectionState newState); + +TNC_Result TNC_IMC_BeginHandshake( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMC_ReceiveMessage( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference messageBuffer, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_IMC_BatchEnding( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMC_Terminate( +/*in*/ TNC_IMCID imcID); + +TNC_Result TNC_IMC_ProvideBindFunction( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_TNCC_BindFunctionPointer bindFunction); + +/* TNC Client Functions */ + +TNC_Result TNC_TNCC_ReportMessageTypes( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_MessageTypeList supportedTypes, +/*in*/ TNC_UInt32 typeCount); + +TNC_Result TNC_TNCC_SendMessage( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference message, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_TNCC_RequestHandshakeRetry( +/*in*/ TNC_IMCID imcID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_RetryReason reason); + +TNC_Result TNC_TNCC_BindFunction( +/*in*/ TNC_IMCID imcID, +/*in*/ char *functionName, +/*out*/ void **pOutfunctionPointer); + +#endif /** 
TNCIFIMC_H_ @}*/ diff --git a/src/libcharon/tnc/tncifimv.c b/src/libcharon/tnc/tncifimv.c new file mode 100644 index 000000000..fbfd56566 --- /dev/null +++ b/src/libcharon/tnc/tncifimv.c @@ -0,0 +1,36 @@ +/* + * Copyright (C) 2010 Andreas Steffen + * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "tncifimv.h" + +ENUM(TNC_IMV_Action_Recommendation_names, + TNC_IMV_ACTION_RECOMMENDATION_ALLOW, + TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION, + "allow", + "no access", + "isolate", + "no recommendation" +); + +ENUM(TNC_IMV_Evaluation_Result_names, + TNC_IMV_EVALUATION_RESULT_COMPLIANT, + TNC_IMV_EVALUATION_RESULT_DONT_KNOW, + "compliant", + "non-compliant minor", + "non-compliant major", + "error", + "don't know" +); + diff --git a/src/libcharon/tnc/tncifimv.h b/src/libcharon/tnc/tncifimv.h new file mode 100644 index 000000000..4ec101337 --- /dev/null +++ b/src/libcharon/tnc/tncifimv.h 
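Review bot: `TNC_TNCC_BindFunction` and `TNC_TNCC_BindFunctionPointer` return a function address through `void **pOutfunctionPointer`, a function-to-object-pointer conversion ISO C does not guarantee, and the header says nothing about it or about the width of `TNC_UInt32` that sizes `messageLength` and `typeCount` (tncif.h declares it as `unsigned long`, which is 64 bits on LP64 targets, not the 32 the name promises). Both are fixed by the TCG binding and must stay byte-compatible with IMCs built against it, so the fix is documentation rather than a type change: above the typedef block add `/* Signatures follow the TCG IF-IMC 1.20 binding verbatim; TNC_UInt32 is unsigned long (see tncif.h) and function pointers travel through void** as on POSIX dlsym(). Do not alter the ABI. */`. The prototype of `TNC_IMC_ReceiveMessage` names its buffer `messageBuffer` while `TNC_IMC_ReceiveMessagePointer` names the same parameter `message`; aligning the names would help readers match the two.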
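Review bot: The two `ENUM` string tables are positional, so they are only correct while the `#define` values they name stay contiguous and in this order: `TNC_IMV_ACTION_RECOMMENDATION_ALLOW`..`_NO_RECOMMENDATION` as 0..3 and `TNC_IMV_EVALUATION_RESULT_COMPLIANT`..`_DONT_KNOW` as 0..4 in tncifimv.h. As far as this hunk shows, nothing ties the string count to those macros at compile time, so a reordered or inserted value would silently mislabel log output. A comment above each table would make the coupling visible: `/* order and count must match TNC_IMV_ACTION_RECOMMENDATION_* (0..3) in tncifimv.h */` and `/* order and count must match TNC_IMV_EVALUATION_RESULT_* (0..4) in tncifimv.h */`.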
@@ -0,0 +1,248 @@ +/* tncifimv.h + * + * Trusted Network Connect IF-IMV API version 1.20 + * Microsoft Windows DLL Platform Binding C Header + * February 5, 2007 + * + * Copyright(c) 2005-2007, Trusted Computing Group, Inc. All rights + * reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * - Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * - Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * - Neither the name of the Trusted Computing Group nor the names of + * its contributors may be used to endorse or promote products + * derived from this software without specific prior written + * permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, + * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER + * CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * Contact the Trusted Computing Group at + * admin@trustedcomputinggroup.org for information on specification + * licensing through membership agreements. 
+ * + * Any marks and brands contained herein are the property of their + * respective owners. + */ + +/** + * @defgroup tncifimv tncifimv + * @{ @ingroup tnc + */ + +#ifndef TNCIFIMV_H_ +#define TNCIFIMV_H_ + +#include "tncif.h" + +#include + +typedef TNC_UInt32 TNC_IMVID; +typedef TNC_UInt32 TNC_IMV_Action_Recommendation; +typedef TNC_UInt32 TNC_IMV_Evaluation_Result; +typedef TNC_UInt32 TNC_AttributeID; + +/* Function pointers */ + +typedef TNC_Result (*TNC_IMV_InitializePointer)( + TNC_IMVID imvID, + TNC_Version minVersion, + TNC_Version maxVersion, + TNC_Version *pOutActualVersion); +typedef TNC_Result (*TNC_IMV_NotifyConnectionChangePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_ConnectionState newState); +typedef TNC_Result (*TNC_IMV_ReceiveMessagePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_IMV_SolicitRecommendationPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMV_BatchEndingPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID); +typedef TNC_Result (*TNC_IMV_TerminatePointer)( + TNC_IMVID imvID); +typedef TNC_Result (*TNC_TNCS_ReportMessageTypesPointer)( + TNC_IMVID imvID, + TNC_MessageTypeList supportedTypes, + TNC_UInt32 typeCount); +typedef TNC_Result (*TNC_TNCS_SendMessagePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_BufferReference message, + TNC_UInt32 messageLength, + TNC_MessageType messageType); +typedef TNC_Result (*TNC_TNCS_RequestHandshakeRetryPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_RetryReason reason); +typedef TNC_Result (*TNC_TNCS_ProvideRecommendationPointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, + TNC_IMV_Action_Recommendation recommendation, + TNC_IMV_Evaluation_Result evaluation); +typedef TNC_Result (*TNC_TNCS_GetAttributePointer)( + TNC_IMVID imvID, +TNC_ConnectionID 
connectionID, +TNC_AttributeID attributeID, + TNC_UInt32 bufferLength, + TNC_BufferReference buffer, + TNC_UInt32 *pOutValueLength); +typedef TNC_Result (*TNC_TNCS_SetAttributePointer)( + TNC_IMVID imvID, + TNC_ConnectionID connectionID, +TNC_AttributeID attributeID, + TNC_UInt32 bufferLength, + TNC_BufferReference buffer); +typedef TNC_Result (*TNC_TNCS_BindFunctionPointer)( + TNC_IMVID imvID, + char *functionName, + void **pOutfunctionPointer); +typedef TNC_Result (*TNC_IMV_ProvideBindFunctionPointer)( + TNC_IMVID imvID, + TNC_TNCS_BindFunctionPointer bindFunction); + +/* Version Numbers */ + +#define TNC_IFIMV_VERSION_1 1 + +/* Handshake Retry Reason Values */ + +/* reserved for TNC_RETRY_REASON_IMC_REMEDIATION_COMPLETE: 0 */ +/* reserved for TNC_RETRY_REASON_IMC_SERIOUS_EVENT: 1 */ +/* reserved for TNC_RETRY_REASON_IMC_INFORMATIONAL_EVENT: 2 */ +/* reserved for TNC_RETRY_REASON_IMC_PERIODIC: 3 */ +#define TNC_RETRY_REASON_IMV_IMPORTANT_POLICY_CHANGE 4 +#define TNC_RETRY_REASON_IMV_MINOR_POLICY_CHANGE 5 +#define TNC_RETRY_REASON_IMV_SERIOUS_EVENT 6 +#define TNC_RETRY_REASON_IMV_MINOR_EVENT 7 +#define TNC_RETRY_REASON_IMV_PERIODIC 8 + +/* IMV Action Recommendation Values */ + +#define TNC_IMV_ACTION_RECOMMENDATION_ALLOW 0 +#define TNC_IMV_ACTION_RECOMMENDATION_NO_ACCESS 1 +#define TNC_IMV_ACTION_RECOMMENDATION_ISOLATE 2 +#define TNC_IMV_ACTION_RECOMMENDATION_NO_RECOMMENDATION 3 + +extern enum_name_t *TNC_IMV_Action_Recommendation_names; + +/* IMV Evaluation Result Values */ + +#define TNC_IMV_EVALUATION_RESULT_COMPLIANT 0 +#define TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MINOR 1 +#define TNC_IMV_EVALUATION_RESULT_NONCOMPLIANT_MAJOR 2 +#define TNC_IMV_EVALUATION_RESULT_ERROR 3 +#define TNC_IMV_EVALUATION_RESULT_DONT_KNOW 4 + +extern enum_name_t *TNC_IMV_Evaluation_Result_names; + +/* Message Attribute ID Values */ + +#define TNC_ATTRIBUTEID_PREFERRED_LANGUAGE ((TNC_AttributeID) 0x00000001) +#define TNC_ATTRIBUTEID_REASON_STRING ((TNC_AttributeID) 0x00000002) 
+#define TNC_ATTRIBUTEID_REASON_LANGUAGE ((TNC_AttributeID) 0x00000003) + +/* IMV Functions */ + +TNC_Result TNC_IMV_Initialize( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_Version minVersion, +/*in*/ TNC_Version maxVersion, +/*in*/ TNC_Version *pOutActualVersion); + +TNC_Result TNC_IMV_NotifyConnectionChange( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_ConnectionState newState); + +TNC_Result TNC_IMV_ReceiveMessage( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference messageBuffer, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_IMV_SolicitRecommendation( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMV_BatchEnding( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID); + +TNC_Result TNC_IMV_Terminate( +/*in*/ TNC_IMVID imvID); + +TNC_Result TNC_IMV_ProvideBindFunction( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_TNCS_BindFunctionPointer bindFunction); + +/* TNC Server Functions */ + +TNC_Result TNC_TNCS_ReportMessageTypes( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_MessageTypeList supportedTypes, +/*in*/ TNC_UInt32 typeCount); + +TNC_Result TNC_TNCS_SendMessage( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_BufferReference message, +/*in*/ TNC_UInt32 messageLength, +/*in*/ TNC_MessageType messageType); + +TNC_Result TNC_TNCS_RequestHandshakeRetry( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_RetryReason reason); + +TNC_Result TNC_TNCS_ProvideRecommendation( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_IMV_Action_Recommendation recommendation, +/*in*/ TNC_IMV_Evaluation_Result evaluation); + +TNC_Result TNC_TNCS_GetAttribute( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_AttributeID attributeID, +/*in*/ TNC_UInt32 bufferLength, +/*out*/ TNC_BufferReference buffer, +/*out*/ TNC_UInt32 *pOutValueLength); + 
+TNC_Result TNC_TNCS_SetAttribute( +/*in*/ TNC_IMVID imvID, +/*in*/ TNC_ConnectionID connectionID, +/*in*/ TNC_AttributeID attributeID, +/*in*/ TNC_UInt32 bufferLength, +/*in*/ TNC_BufferReference buffer); + +TNC_Result TNC_TNCS_BindFunction( +/*in*/ TNC_IMVID imvID, +/*in*/ char *functionName, +/*in*/ void **pOutfunctionPointer); + +#endif /** TNCIFIMV_H_ @}*/ diff --git a/src/libcharon/tnccs/tnccs.c b/src/libcharon/tnccs/tnccs.c deleted file mode 100644 index 2facf02c8..000000000 --- a/src/libcharon/tnccs/tnccs.c +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "tnccs.h" - -ENUM(eap_type_names, TNCCS_1_1, TNCCS_2_0, - "TNCCS 1.1", - "TNCCS SOH", - "TNCCS 2.0", -); diff --git a/src/libcharon/tnccs/tnccs.h b/src/libcharon/tnccs/tnccs.h deleted file mode 100644 index 583512e82..000000000 --- a/src/libcharon/tnccs/tnccs.h +++ /dev/null 
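Review bot: The in/out annotations are inconsistent with the IMC header: `TNC_IMV_Initialize` marks `pOutActualVersion` as `/*in*/` and `TNC_TNCS_BindFunction` marks `pOutfunctionPointer` as `/*in*/`, while tncifimc.h marks the same parameters `/*out*/` and the `pOut` prefix says they are written; change both to `/*out*/ TNC_Version *pOutActualVersion);` and `/*out*/ void **pOutfunctionPointer);`. `TNC_TNCS_GetAttribute` also documents nothing about the bounded copy it performs into the caller's `buffer`: whether a value longer than `bufferLength` is truncated or rejected, whether `pOutValueLength` then reports the full length needed, and whether a terminating NUL is counted. A short comment above the prototype stating that contract would let IMV implementers size and check `buffer` correctly instead of guessing.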
@@ -1,52 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup tnccs tnccs - * @{ @ingroup libcharon - */ - -#ifndef TNCCS_H_ -#define TNCCS_H_ - -typedef enum tnccs_type_t tnccs_type_t; - -#include - -/** - * Type of TNC Client/Server protocol - */ -enum tnccs_type_t { - TNCCS_1_1, - TNCCS_SOH, - TNCCS_2_0 -}; - -/** - * enum names for tnccs_type_t. - */ -extern enum_name_t *tnccs_type_names; - -typedef struct tnccs_t tnccs_t; - -/** - * Constructor definition for a pluggable TNCCS protocol implementation. - * - * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @return implementation of the tnccs_t interface - */ -typedef tnccs_t* (*tnccs_constructor_t)(bool is_server); - -#endif /** TNC_H_ @}*/ diff --git a/src/libcharon/tnccs/tnccs_manager.c b/src/libcharon/tnccs/tnccs_manager.c deleted file mode 100644 index 0fd6737c0..000000000 --- a/src/libcharon/tnccs/tnccs_manager.c +++ /dev/null 
@@ -1,148 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "tnccs_manager.h" - -#include -#include - -typedef struct private_tnccs_manager_t private_tnccs_manager_t; -typedef struct tnccs_entry_t tnccs_entry_t; - -/** - * TNCCS constructor entry - */ -struct tnccs_entry_t { - - /** - * TNCCS protocol type - */ - tnccs_type_t type; - - /** - * constructor function to create instance - */ - tnccs_constructor_t constructor; -}; - -/** - * private data of tnccs_manager - */ -struct private_tnccs_manager_t { - - /** - * public functions - */ - tnccs_manager_t public; - - /** - * list of tnccs_entry_t's - */ - linked_list_t *protocols; - - /** - * rwlock to lock methods - */ - rwlock_t *lock; -}; - -METHOD(tnccs_manager_t, add_method, void, - private_tnccs_manager_t *this, tnccs_type_t type, - tnccs_constructor_t constructor) -{ - tnccs_entry_t *entry = malloc_thing(tnccs_entry_t); - - entry->type = type; - entry->constructor = constructor; - - this->lock->write_lock(this->lock); - this->protocols->insert_last(this->protocols, entry); - this->lock->unlock(this->lock); -} - -METHOD(tnccs_manager_t, remove_method, void, - private_tnccs_manager_t *this, tnccs_constructor_t constructor) -{ - enumerator_t *enumerator; - tnccs_entry_t *entry; - - this->lock->write_lock(this->lock); - enumerator = this->protocols->create_enumerator(this->protocols); - while (enumerator->enumerate(enumerator, &entry)) - { - 
if (constructor == entry->constructor) - { - this->protocols->remove_at(this->protocols, enumerator); - free(entry); - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); -} - -METHOD(tnccs_manager_t, create_instance, tnccs_t*, - private_tnccs_manager_t *this, tnccs_type_t type, bool is_server) -{ - enumerator_t *enumerator; - tnccs_entry_t *entry; - tnccs_t *protocol = NULL; - - this->lock->read_lock(this->lock); - enumerator = this->protocols->create_enumerator(this->protocols); - while (enumerator->enumerate(enumerator, &entry)) - { - if (type == entry->type) - { - protocol = entry->constructor(is_server); - if (protocol) - { - break; - } - } - } - enumerator->destroy(enumerator); - this->lock->unlock(this->lock); - return protocol; -} - -METHOD(tnccs_manager_t, destroy, void, - private_tnccs_manager_t *this) -{ - this->protocols->destroy_function(this->protocols, free); - this->lock->destroy(this->lock); - free(this); -} - -/* - * See header - */ -tnccs_manager_t *tnccs_manager_create() -{ - private_tnccs_manager_t *this; - - INIT(this, - .public = { - .add_method = _add_method, - .remove_method = _remove_method, - .create_instance = _create_instance, - .destroy = _destroy, - }, - .protocols = linked_list_create(), - .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), - ); - - return &this->public; -} - diff --git a/src/libcharon/tnccs/tnccs_manager.h b/src/libcharon/tnccs/tnccs_manager.h deleted file mode 100644 index 2f4a961a7..000000000 --- a/src/libcharon/tnccs/tnccs_manager.h +++ /dev/null 
@@ -1,74 +0,0 @@ -/* - * Copyright (C) 2010 Andreas Steffen - * HSR Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -/** - * @defgroup tnccs_manager tnccs_manager - * @{ @ingroup tnccs - */ - -#ifndef TNCCS_MANAGER_H_ -#define TNCCS_MANAGER_H_ - -#include "tnccs.h" - -typedef struct tnccs_manager_t tnccs_manager_t; - -/** - * The TNCCS manager manages all TNCCS implementations and creates instances. - * - * A plugin registers its implemented TNCCS protocol with the manager by - * providing type and a constructor function. The manager then creates - * TNCCS protocol instances via the provided constructor. - */ -struct tnccs_manager_t { - - /** - * Register a TNCCS protocol implementation. - * - * @param type TNCCS protocol type - * @param constructor constructor, returns a TNCCS protocol implementation - */ - void (*add_method)(tnccs_manager_t *this, tnccs_type_t type, - tnccs_constructor_t constructor); - - /** - * Unregister a TNCCS protocol implementation using it's constructor. - * - * @param constructor constructor function to remove, as added in add_method - */ - void (*remove_method)(tnccs_manager_t *this, tnccs_constructor_t constructor); - - /** - * Create a new TNCCS protocol instance. 
- * - * @param type type of the TNCCS protocol - * @param is_server TRUE if TNC Server, FALSE if TNC Client - * @return TNCCS protocol instance, NULL if no constructor found - */ - tnccs_t* (*create_instance)(tnccs_manager_t *this, tnccs_type_t type, - bool is_server); - - /** - * Destroy a tnccs_manager instance. - */ - void (*destroy)(tnccs_manager_t *this); -}; - -/** - * Create a tnccs_manager instance. - */ -tnccs_manager_t *tnccs_manager_create(); - -#endif /** TNCCS_MANAGER_H_ @}*/ diff --git a/src/libfast/Makefile.in b/src/libfast/Makefile.in index 777f1fd10..46f23f4d6 100644 --- a/src/libfast/Makefile.in +++ b/src/libfast/Makefile.in @@ -217,9 +217,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -258,6 +256,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libfast/request.c b/src/libfast/request.c index 16c1ae583..a3db70e82 100644 --- a/src/libfast/request.c +++ b/src/libfast/request.c @@ -120,7 +120,7 @@ static char *getenv_cb(void *null, const char *key) private_request_t *this = (private_request_t*)thread_this->get(thread_this); value = FCGX_GetParam(key, this->req.envp); - return value ? strdup(value) : NULL; + return strdupnull(value); } /** @@ -203,6 +203,14 @@ static char* get_query_data(private_request_t *this, char *name) return hdf_get_valuef(this->hdf, "Query.%s", name); } +/** + * Implementation of request_t.get_env_var. + */ +static char* get_env_var(private_request_t *this, char *name) +{ + return FCGX_GetParam(name, this->req.envp); +} + /** * Implementation of request_t.read_data. */ 
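Review bot: `get_env_var` hands back the pointer returned by `FCGX_GetParam` itself, while `getenv_cb` in the first hunk of this file copies the same lookup with `strdupnull`, and the new doc comment in request.h (`@return value, NULL if not found`) does not say which convention applies, so a caller cannot tell whether to free the result or how long it stays valid. Document it on the header comment: `@return value owned by the FastCGI request (do not free), valid only until the request is destroyed; NULL if not found`. The FastCGI environment presumably also carries the client's request headers as HTTP_* variables, so the comment should add that values read this way are untrusted input. The callback could also take `const char *name`, since it only passes the name through.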
@@ -415,6 +423,7 @@ request_t *request_create(int fd, bool debug) this->public.add_cookie = (void(*)(request_t*, char *name, char *value))add_cookie; this->public.get_cookie = (char*(*)(request_t*,char*))get_cookie; this->public.get_query_data = (char*(*)(request_t*, char *name))get_query_data; + this->public.get_env_var = (char*(*)(request_t*, char *name))get_env_var; this->public.read_data = (int(*)(request_t*, char*, int))read_data; this->public.session_closed = (bool(*)(request_t*))session_closed; this->public.close_session = (void(*)(request_t*))close_session; diff --git a/src/libfast/request.h b/src/libfast/request.h index 9ca74a91e..c9c1f13e2 100644 --- a/src/libfast/request.h +++ b/src/libfast/request.h @@ -85,6 +85,14 @@ struct request_t { */ char* (*get_query_data)(request_t *this, char *name); + /** + * Get an arbitrary environment variable. + * + * @param name name of the environment variable + * @return value, NULL if not found + */ + char* (*get_env_var)(request_t *this, char *name); + /** * Read raw POST/PUT data from HTTP request. * diff --git a/src/libfreeswan/Makefile.am b/src/libfreeswan/Makefile.am index 5fee39da9..09f5fe2cd 100644 --- a/src/libfreeswan/Makefile.am +++ b/src/libfreeswan/Makefile.am 
@@ -1,10 +1,10 @@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ - atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ + atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ - keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \ - pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ - pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ + pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \ + pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \ satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ ultoa.c ultot.c @@ -14,7 +14,7 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto -dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ - keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ + portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 diff --git a/src/libfreeswan/Makefile.in b/src/libfreeswan/Makefile.in index 28ba035c6..88ceab557 100644 --- a/src/libfreeswan/Makefile.in +++ b/src/libfreeswan/Makefile.in 
@@ -58,19 +58,17 @@ libfreeswan_a_AR = $(AR) $(ARFLAGS) libfreeswan_a_LIBADD = am_libfreeswan_a_OBJECTS = addrtoa.$(OBJEXT) addrtot.$(OBJEXT) \ addrtypeof.$(OBJEXT) anyaddr.$(OBJEXT) atoaddr.$(OBJEXT) \ - atoasr.$(OBJEXT) atosa.$(OBJEXT) atosubnet.$(OBJEXT) \ - atoul.$(OBJEXT) copyright.$(OBJEXT) datatot.$(OBJEXT) \ - goodmask.$(OBJEXT) initaddr.$(OBJEXT) initsaid.$(OBJEXT) \ - initsubnet.$(OBJEXT) keyblobtoid.$(OBJEXT) \ + atoasr.$(OBJEXT) atosubnet.$(OBJEXT) atoul.$(OBJEXT) \ + copyright.$(OBJEXT) datatot.$(OBJEXT) goodmask.$(OBJEXT) \ + initaddr.$(OBJEXT) initsaid.$(OBJEXT) initsubnet.$(OBJEXT) \ pfkey_v2_build.$(OBJEXT) pfkey_v2_debug.$(OBJEXT) \ pfkey_v2_ext_bits.$(OBJEXT) pfkey_v2_parse.$(OBJEXT) \ - portof.$(OBJEXT) prng.$(OBJEXT) rangetoa.$(OBJEXT) \ - rangetosubnet.$(OBJEXT) sameaddr.$(OBJEXT) satoa.$(OBJEXT) \ - satot.$(OBJEXT) subnetof.$(OBJEXT) subnettoa.$(OBJEXT) \ - subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) ttoaddr.$(OBJEXT) \ - ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) ttosa.$(OBJEXT) \ - ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) ultoa.$(OBJEXT) \ - ultot.$(OBJEXT) + portof.$(OBJEXT) rangetoa.$(OBJEXT) rangetosubnet.$(OBJEXT) \ + sameaddr.$(OBJEXT) satot.$(OBJEXT) subnetof.$(OBJEXT) \ + subnettoa.$(OBJEXT) subnettot.$(OBJEXT) subnettypeof.$(OBJEXT) \ + ttoaddr.$(OBJEXT) ttodata.$(OBJEXT) ttoprotoport.$(OBJEXT) \ + ttosa.$(OBJEXT) ttosubnet.$(OBJEXT) ttoul.$(OBJEXT) \ + ultoa.$(OBJEXT) ultot.$(OBJEXT) libfreeswan_a_OBJECTS = $(am_libfreeswan_a_OBJECTS) DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp @@ -234,9 +232,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -275,6 +271,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ @@ -287,11 +285,11 @@ xml_CFLAGS = @xml_CFLAGS@ xml_LIBS = @xml_LIBS@ noinst_LIBRARIES = libfreeswan.a libfreeswan_a_SOURCES = addrtoa.c addrtot.c addrtypeof.c anyaddr.c atoaddr.c atoasr.c \ - atosa.c atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ + atosubnet.c atoul.c copyright.c datatot.c freeswan.h \ goodmask.c initaddr.c initsaid.c initsubnet.c internal.h ipsec_param.h \ - keyblobtoid.c pfkey_v2_build.c pfkey_v2_debug.c \ - pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c prng.c rangetoa.c \ - pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c satoa.c \ + pfkey_v2_build.c pfkey_v2_debug.c \ + pfkey_v2_ext_bits.c pfkey_v2_parse.c portof.c rangetoa.c \ + pfkey.h pfkeyv2.h rangetosubnet.c sameaddr.c \ satot.c subnetof.c subnettoa.c subnettot.c \ subnettypeof.c ttoaddr.c ttodata.c ttoprotoport.c ttosa.c ttosubnet.c ttoul.c \ ultoa.c ultot.c @@ -301,8 +299,8 @@ INCLUDES = \ -I$(top_srcdir)/src/libhydra \ -I$(top_srcdir)/src/pluto -dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atosa.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ - keyblobtoid.3 portof.3 prng.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ +dist_man3_MANS = anyaddr.3 atoaddr.3 atoasr.3 atoul.3 goodmask.3 initaddr.3 initsubnet.3 \ + portof.3 rangetosubnet.3 sameaddr.3 subnetof.3 \ ttoaddr.3 ttodata.3 ttosa.3 ttoul.3 all: all-am 
@@ -359,7 +357,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/anyaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoasr.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atosubnet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/atoul.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/copyright.Po@am__quote@ @@ -368,17 +365,14 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initaddr.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsaid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/initsubnet.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/keyblobtoid.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_build.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_debug.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_ext_bits.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pfkey_v2_parse.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/portof.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/prng.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetoa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/rangetosubnet.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sameaddr.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satoa.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/satot.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnetof.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/subnettoa.Po@am__quote@ diff --git a/src/libfreeswan/atosa.3 b/src/libfreeswan/atosa.3 deleted file mode 100644 index f57fcf1e9..000000000 --- a/src/libfreeswan/atosa.3 +++ /dev/null 
@@ -1,217 +0,0 @@ -.TH IPSEC_ATOSA 3 "11 June 2001" -.SH NAME -ipsec atosa, satoa \- convert IPsec Security Association IDs to and from ASCII -.SH SYNOPSIS -.B "#include -.sp -.B "const char *atosa(const char *src, size_t srclen," -.ti +1c -.B "struct sa_id *sa); -.br -.B "size_t satoa(struct sa_id sa, int format," -.ti +1c -.B "char *dst, size_t dstlen);" -.sp -.B "struct sa_id {" -.ti +1c -.B "struct in_addr dst;" -.ti +1c -.B "ipsec_spi_t spi;" -.ti +1c -.B "int proto;" -.br -.B "};" -.SH DESCRIPTION -These functions are obsolete; see -.IR ipsec_ttosa (3) -for their replacements. -.PP -.I Atosa -converts an ASCII Security Association (SA) specifier into an -.B sa_id -structure (containing -a destination-host address -in network byte order, -an SPI number in network byte order, and -a protocol code). -.I Satoa -does the reverse conversion, back to an ASCII SA specifier. -.PP -An SA is specified in ASCII with a mail-like syntax, e.g. -.BR esp507@1.2.3.4 . -An SA specifier contains -a protocol prefix (currently -.BR ah , -.BR esp , -or -.BR tun ), -an unsigned integer SPI number, -and an IP address. -The SPI number can be decimal or hexadecimal -(with -.B 0x -prefix), as accepted by -.IR ipsec_atoul (3). -The IP address can be any form accepted by -.IR ipsec_atoaddr (3), -e.g. dotted-decimal address or DNS name. -.PP -As a special case, the SA specifier -.B %passthrough -signifies the special SA used to indicate that packets should be -passed through unaltered. -(At present, this is a synonym for -.BR tun0x0@0.0.0.0 , -but that is subject to change without notice.) -This form is known to both -.I atosa -and -.IR satoa , -so the internal form of -.B %passthrough -is never visible. -.PP -The -.B -header file supplies the -.B sa_id -structure, as well as a data type -.B ipsec_spi_t -which is an unsigned 32-bit integer. -(There is no consistency between kernel and user on what such a type -is called, hence the header hides the differences.) 
-.PP -The protocol code uses the same numbers that IP does. -For user convenience, given the difficulty in acquiring the exact set of -protocol names used by the kernel, -.B -defines the names -.BR SA_ESP , -.BR SA_AH , -and -.B SA_IPIP -to have the same values as the kernel names -.BR IPPROTO_ESP , -.BR IPPROTO_AH , -and -.BR IPPROTO_IPIP . -.PP -The -.I srclen -parameter of -.I atosa -specifies the length of the ASCII string pointed to by -.IR src ; -it is an error for there to be anything else -(e.g., a terminating NUL) within that length. -As a convenience for cases where an entire NUL-terminated string is -to be converted, -a -.I srclen -value of -.B 0 -is taken to mean -.BR strlen(src) . -.PP -The -.I dstlen -parameter of -.I satoa -specifies the size of the -.I dst -parameter; -under no circumstances are more than -.I dstlen -bytes written to -.IR dst . -A result which will not fit is truncated. -.I Dstlen -can be zero, in which case -.I dst -need not be valid and no result is written, -but the return value is unaffected; -in all other cases, the (possibly truncated) result is NUL-terminated. -The -.I freeswan.h -header file defines a constant, -.BR SATOA_BUF , -which is the size of a buffer just large enough for worst-case results. -.PP -The -.I format -parameter of -.I satoa -specifies what format is to be used for the conversion. -The value -.B 0 -(not the ASCII character -.BR '0' , -but a zero value) -specifies a reasonable default -(currently -lowercase protocol prefix, lowercase hexadecimal SPI, dotted-decimal address). -The value -.B d -causes the SPI to be generated in decimal instead. -.PP -.I Atosa -returns -.B NULL -for success and -a pointer to a string-literal error message for failure; -see DIAGNOSTICS. 
-.I Satoa -returns -.B 0 -for a failure, and otherwise -always returns the size of buffer which would -be needed to -accommodate the full conversion result, including terminating NUL; -it is the caller's responsibility to check this against the size of -the provided buffer to determine whether truncation has occurred. -.SH SEE ALSO -ipsec_atoul(3), ipsec_atoaddr(3), inet(3) -.SH DIAGNOSTICS -Fatal errors in -.I atosa -are: -empty input; -input too small to be a legal SA specifier; -no -.B @ -in input; -unknown protocol prefix; -conversion error in -.I atoul -or -.IR atoaddr . -.PP -Fatal errors in -.I satoa -are: -unknown format; unknown protocol code. -.SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -.SH BUGS -The -.B tun -protocol code is a FreeS/WANism which may eventually disappear. -.PP -The restriction of ASCII-to-binary error reports to literal strings -(so that callers don't need to worry about freeing them or copying them) -does limit the precision of error reporting. -.PP -The ASCII-to-binary error-reporting convention lends itself -to slightly obscure code, -because many readers will not think of NULL as signifying success. -A good way to make it clearer is to write something like: -.PP -.RS -.nf -.B "const char *error;" -.sp -.B "error = atoaddr( /* ... */ );" -.B "if (error != NULL) {" -.B " /* something went wrong */" -.fi -.RE diff --git a/src/libfreeswan/atosa.c b/src/libfreeswan/atosa.c deleted file mode 100644 index 7339b4c3e..000000000 --- a/src/libfreeswan/atosa.c +++ /dev/null 
@@ -1,198 +0,0 @@
-/*
- * convert from ASCII form of SA ID to binary
- * Copyright (C) 1998, 1999 Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static struct satype {
- char *prefix;
- size_t prelen; /* strlen(prefix) */
- int proto;
-} satypes[] = {
- { "ah", 2, SA_AH },
- { "esp", 3, SA_ESP },
- { "tun", 3, SA_IPIP },
- { "comp", 4, SA_COMP },
- { NULL, 0, 0, }
-};
-
-/*
- - atosa - convert ASCII "ah507@10.0.0.1" to SA identifier
- */
-const char * /* NULL for success, else string literal */
-atosa(src, srclen, sa)
-const char *src;
-size_t srclen; /* 0 means "apply strlen" */
-struct sa_id *sa;
-{
- const char *at;
- const char *addr;
- const char *spi = NULL;
- struct satype *sat;
- unsigned long ul;
- const char *oops;
-# define MINLEN 5 /* ah0@0 is as short as it can get */
- static char ptname[] = PASSTHROUGHNAME;
-# define PTNLEN (sizeof(ptname)-1) /* -1 for NUL */
-
- if (srclen == 0)
- srclen = strlen(src);
- if (srclen == 0)
- return "empty string";
- if (srclen < MINLEN)
- return "string too short to be SA specifier";
- if (srclen == PTNLEN && memcmp(src, ptname, PTNLEN) == 0) {
- src = PASSTHROUGHIS;
- srclen = strlen(src);
- }
-
- at = memchr(src, '@', srclen);
- if (at == NULL)
- return "no @ in SA specifier";
-
- for (sat = satypes; sat->prefix != NULL; sat++)
- if (sat->prelen < srclen &&
- strncmp(src, sat->prefix, sat->prelen) == 0) {
- sa->proto = sat->proto;
- spi = src + sat->prelen;
- break; /* NOTE BREAK OUT */
- }
- if (sat->prefix == NULL)
- return "SA specifier lacks valid protocol prefix";
-
- if (spi >= at)
- return "no SPI in SA specifier";
- oops = atoul(spi, at - spi, 13, &ul);
- if (oops != NULL)
- return oops;
- sa->spi = htonl(ul);
-
- addr = at + 1;
- oops = atoaddr(addr, srclen - (addr - src), &sa->dst);
- if (oops != NULL)
- return oops;
-
- return NULL;
-}
-
-
-
-#ifdef ATOSA_MAIN
-
-#include
-#include
-#include
-#include
-
-void regress(void);
-
-int
-main(int argc, char *argv[])
-{
- struct sa_id sa;
- char buf[100];
- const char *oops;
- size_t n;
-
- if (argc < 2) {
- fprintf(stderr, "Usage: %s {ahnnn@aaa|-r}\n", argv[0]);
- exit(2);
- }
-
- if (strcmp(argv[1], "-r") == 0) {
- regress();
- fprintf(stderr, "regress() returned?!?\n");
- exit(1);
- }
-
- oops = atosa(argv[1], 0, &sa);
- if (oops != NULL) {
- fprintf(stderr, "%s: conversion failed: %s\n", argv[0], oops);
- exit(1);
- }
- n = satoa(sa, 0, buf, sizeof(buf));
- if (n > sizeof(buf)) {
- fprintf(stderr, "%s: reverse conv of `%d'", argv[0], sa.proto);
- fprintf(stderr, "%lu@", (long unsigned int)sa.spi);
- fprintf(stderr, "%s", inet_ntoa(sa.dst));
- fprintf(stderr, " failed: need %ld bytes, have only %ld\n",
- (long)n, (long)sizeof(buf));
- exit(1);
- }
- printf("%s\n", buf);
-
- exit(0);
-}
-
-struct rtab {
- char *input;
- char *output; /* NULL means error expected */
-} rtab[] = {
- {"esp257@1.2.3.0", "esp257@1.2.3.0"},
- {"ah0x20@1.2.3.4", "ah32@1.2.3.4"},
- {"tun011@111.2.3.99", "tun11@111.2.3.99"},
- {"", NULL},
- {"_", NULL},
- {"ah2.2", NULL},
- {"goo2@1.2.3.4", NULL},
- {"esp9@1.2.3.4", "esp9@1.2.3.4"},
- {"espp9@1.2.3.4", NULL},
- {"es9@1.2.3.4", NULL},
- {"ah@1.2.3.4", NULL},
- {"esp7x7@1.2.3.4", NULL},
- {"esp77@1.0x2.3.4", NULL},
- {PASSTHROUGHNAME, PASSTHROUGHNAME},
- {NULL, NULL}
-};
-
-void
-regress(void)
-{
- struct rtab *r;
- int status = 0;
- struct sa_id sa;
- char in[100];
- char buf[100];
- const char *oops;
- size_t n;
-
- for (r = rtab; r->input != NULL; r++) {
- strcpy(in, r->input);
- oops = atosa(in, 0, &sa);
- if (oops != NULL && r->output == NULL)
- {} /* okay, error expected */
- else if (oops != NULL) {
- printf("`%s' atosa failed: %s\n", r->input, oops);
- status = 1;
- } else if (r->output == NULL) {
- printf("`%s' atosa succeeded unexpectedly\n",
- r->input);
- status = 1;
- } else {
- n = satoa(sa, 'd', buf, sizeof(buf));
- if (n > sizeof(buf)) {
- printf("`%s' satoa failed: need %ld\n",
- r->input, (long)n);
- status = 1;
- } else if (strcmp(r->output, buf) != 0) {
- printf("`%s' gave `%s', expected `%s'\n",
- r->input, buf, r->output);
- status = 1;
- }
- }
- }
- exit(status);
-}
-
-#endif /* ATOSA_MAIN */
diff --git a/src/libfreeswan/copyright.c b/src/libfreeswan/copyright.c
index 65585b62e..e55e849f7 100644
--- a/src/libfreeswan/copyright.c
+++ b/src/libfreeswan/copyright.c
@@ -27,13 +27,13 @@ static const char *co[] = {
 " Christoph Gysin, Andreas Hess, Patric Lichtsteiner, Michael Meier,",
 " Andreas Schleiss, Ariane Seiler, Mario Strasser, Lukas Suter,",
 " Roger Wegmann, Simon Zwahlen,",
-" Zuercher Hochschule Winterthur (Switzerland).",
+" ZHW Zuercher Hochschule Winterthur (Switzerland).",
 "",
-" Philip Boetschi, Tobias Brunner, Adrian Doerig, Andreas Eigenmann,",
-" Fabian Hartmann, Noah Heusser, Jan Hutter, Thomas Kallenberg,",
-" Daniel Roethlisberger, Joel Stillhart, Martin Willi, Daniel Wydler,",
-" Andreas Steffen,",
-" Hochschule fuer Technik Rapperswil (Switzerland).",
+" Philip Boetschi, Tobias Brunner, Sansar Choinyambuu, Adrian Doerig,",
+" Andreas Eigenmann, Fabian Hartmann, Noah Heusser, Jan Hutter,",
+" Thomas Kallenberg, Daniel Roethlisberger, Joel Stillhart, Martin Willi,",
+" Daniel Wydler, Andreas Steffen,",
+" HSR Hochschule fuer Technik Rapperswil (Switzerland).",
 "",
 "This program is free software; you can redistribute it and/or modify it",
 "under the terms of the GNU General Public License as published by the",
diff --git a/src/libfreeswan/freeswan.h b/src/libfreeswan/freeswan.h
index 342f59987..724165bde 100644
--- a/src/libfreeswan/freeswan.h
+++ b/src/libfreeswan/freeswan.h
@@ -158,11 +158,6 @@ err_t ttodatav(const char *src, size_t srclen, int base,
 size_t datatot(const char *src, size_t srclen, int format, char *buf, size_t buflen);
-size_t keyblobtoid(const unsigned char *src, size_t srclen, char *dst,
- size_t dstlen);
-size_t splitkeytoid(const unsigned char *e, size_t elen, const unsigned char *m,
- size_t mlen, char *dst, size_t dstlen);
-#define KEYID_BUF 10 /* up to 9 text digits plus NUL */
 err_t ttoprotoport(char *src, size_t src_len, u_int8_t *proto, u_int16_t *port, bool *has_port_wildcard);
@@ -206,12 +201,6 @@ void setportof(int port, ip_address *dst);
 struct sockaddr *sockaddrof(ip_address *src);
 size_t sockaddrlenof(const ip_address *src);
-/* PRNG */
-void prng_init(struct prng *prng, const unsigned char *key, size_t keylen);
-void prng_bytes(struct prng *prng, unsigned char *dst, size_t dstlen);
-unsigned long prng_count(struct prng *prng);
-void prng_final(struct prng *prng);
-
 /* odds and ends */
 const char **ipsec_copyright_notice(void);
@@ -294,24 +283,6 @@ rangetoa(
 );
 #define RANGETOA_BUF 34 /* large enough for worst case result */
-/* data types for SA conversion functions */
-
-/* SAs */
-const char * /* NULL for success, else string literal */
-atosa(
- const char *src,
- size_t srclen, /* 0 means strlen(src) */
- struct sa_id *sa
-);
-size_t /* space needed for full conversion */
-satoa(
- struct sa_id sa,
- int format, /* character; 0 means default */
- char *dst,
- size_t dstlen
-);
-#define SATOA_BUF (3+ULTOA_BUF+ADDRTOA_BUF)
-
 /* generic data, e.g. keys */
 const char * /* NULL for success, else string literal */
 atobytes(
diff --git a/src/libfreeswan/keyblobtoid.3 b/src/libfreeswan/keyblobtoid.3
deleted file mode 100644
index 8b5bfb0a2..000000000
--- a/src/libfreeswan/keyblobtoid.3
+++ /dev/null
@@ -1,102 +0,0 @@ -.TH IPSEC_KEYBLOBTOID 3 "25 March 2002" -.SH NAME -ipsec keyblobtoid, splitkeytoid \- generate key IDs from RSA keys -.SH SYNOPSIS -.B "#include -.sp -.B "size_t keyblobtoid(const unsigned char *blob," -.ti +1c -.B "size_t bloblen, char *dst, size_t dstlen);" -.br -.B "size_t splitkeytoid(const unsigned char *e, size_t elen," -.ti +1c -.B "const unsigned char *m, size_t mlen, char *dst, -.ti +1c -.B "size_t dstlen);" -.SH DESCRIPTION -.I Keyblobtoid -and -.I splitkeytoid -generate -key IDs -from RSA keys, -for use in messages and reporting, -writing the result to -.IR dst . -A -.I key ID -is a short ASCII string identifying a key; -currently it is just the first nine characters of the base64 -encoding of the RFC 2537/3110 ``byte blob'' representation of the key. -(Beware that no finite key ID can be collision-proof: -there is always some small chance of two random keys having the -same ID.) -.PP -.I Keyblobtoid -generates a key ID from a key which is already in the form of an -RFC 2537/3110 binary key -.I blob -(encoded exponent length, exponent, modulus). -.PP -.I Splitkeytoid -generates a key ID from a key given in the form of a separate -(binary) exponent -.I e -and modulus -.IR m . -.PP -The -.I dstlen -parameter of either -specifies the size of the -.I dst -parameter; -under no circumstances are more than -.I dstlen -bytes written to -.IR dst . -A result which will not fit is truncated. -.I Dstlen -can be zero, in which case -.I dst -need not be valid and no result is written, -but the return value is unaffected; -in all other cases, the (possibly truncated) result is NUL-terminated. -The -.I freeswan.h -header file defines a constant -.B KEYID_BUF -which is the size of a buffer large enough for worst-case results. 
-.PP -Both functions return -.B 0 -for a failure, and otherwise -always return the size of buffer which would -be needed to -accommodate the full conversion result, including terminating NUL; -it is the caller's responsibility to check this against the size of -the provided buffer to determine whether truncation has occurred. -.P -With keys generated by -.IR ipsec_rsasigkey (3), -the first two base64 digits are always the same, -and the third carries only about one bit of information. -It's worse with keys using longer fixed exponents, -e.g. the 24-bit exponent that's common in X.509 certificates. -However, being able to relate key IDs to the full -base64 text form of keys by eye is sufficiently useful that this -waste of space seems justifiable. -The choice of nine digits is a compromise between bulk and -probability of collision. -.SH SEE ALSO -RFC 3110, -\fIRSA/SHA-1 SIGs and RSA KEYs in the Domain Name System (DNS)\fR, -Eastlake, 2001 -(superseding the older but better-known RFC 2537). -.SH DIAGNOSTICS -Fatal errors are: -key too short to supply enough bits to construct a complete key ID -(almost certainly indicating a garbage key); -exponent too long for its length to be representable. -.SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. diff --git a/src/libfreeswan/keyblobtoid.c b/src/libfreeswan/keyblobtoid.c deleted file mode 100644 index 89ab5fced..000000000 --- a/src/libfreeswan/keyblobtoid.c +++ /dev/null 
@@ -1,146 +0,0 @@
-/*
- * generate printable key IDs
- * Copyright (C) 2002 Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - keyblobtoid - generate a printable key ID from an RFC 2537/3110 key blob
- * Current algorithm is just to use first nine base64 digits.
- */
-size_t
-keyblobtoid(src, srclen, dst, dstlen)
-const unsigned char *src;
-size_t srclen;
-char *dst; /* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
- char buf[KEYID_BUF];
- size_t ret;
-# define NDIG 9
-
- if (srclen < (NDIG*6 + 7)/8) {
- strcpy(buf, "?len= ?");
- buf[5] = '0' + srclen;
- ret = 0;
- } else {
- (void) datatot(src, srclen, 64, buf, NDIG+1);
- ret = NDIG+1;
- }
-
- if (dstlen > 0) {
- if (strlen(buf)+1 > dstlen)
- *(buf + dstlen - 1) = '\0';
- strcpy(dst, buf);
- }
- return ret;
-}
-
-/*
- - splitkeytoid - generate a printable key ID from exponent/modulus pair
- * Just constructs the beginnings of a key blob and calls keyblobtoid().
- */
-size_t
-splitkeytoid(e, elen, m, mlen, dst, dstlen)
-const unsigned char *e;
-size_t elen;
-const unsigned char *m;
-size_t mlen;
-char *dst; /* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
- unsigned char buf[KEYID_BUF]; /* ample room */
- unsigned char *bufend = buf + sizeof(buf);
- unsigned char *p;
- size_t n;
-
- p = buf;
- if (elen <= 255)
- *p++ = elen;
- else if ((elen &~ 0xffff) == 0) {
- *p++ = 0;
- *p++ = (elen>>8) & 0xff;
- *p++ = elen & 0xff;
- } else
- return 0; /* unrepresentable exponent length */
-
- n = bufend - p;
- if (elen < n)
- n = elen;
- memcpy(p, e, n);
- p += n;
-
- n = bufend - p;
- if (n > 0) {
- if (mlen < n)
- n = mlen;
- memcpy(p, m, n);
- p += n;
- }
-
- return keyblobtoid(buf, p - buf, dst, dstlen);
-}
-
-
-
-#ifdef KEYBLOBTOID_MAIN
-
-#include
-
-void regress();
-
-int
-main(argc, argv)
-int argc;
-char *argv[];
-{
- typedef unsigned char uc;
- uc hexblob[] = "\x01\x03\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52";
- uc hexe[] = "\x03";
- uc hexm[] = "\x85\xf2\xd6\x76\x9b\x03\x59\xb6\x21\x52\xef\x85";
- char b64nine[] = "AQOF8tZ2m";
- char b64six[] = "AQOF8t";
- char buf[100];
- size_t n;
- char *b = b64nine;
- size_t bl = strlen(b) + 1;
- int st = 0;
-
- n = keyblobtoid(hexblob, strlen(hexblob), buf, sizeof(buf));
- if (n != bl) {
- fprintf(stderr, "%s: keyblobtoid returned %d not %d\n",
- argv[0], n, bl);
- st = 1;
- }
- if (strcmp(buf, b) != 0) {
- fprintf(stderr, "%s: keyblobtoid generated `%s' not `%s'\n",
- argv[0], buf, b);
- st = 1;
- }
- n = splitkeytoid(hexe, strlen(hexe), hexm, strlen(hexm), buf,
- sizeof(buf));
- if (n != bl) {
- fprintf(stderr, "%s: splitkeytoid returned %d not %d\n",
- argv[0], n, bl);
- st = 1;
- }
- if (strcmp(buf, b) != 0) {
- fprintf(stderr, "%s: splitkeytoid generated `%s' not `%s'\n",
- argv[0], buf, b);
- st = 1;
- }
- exit(st);
-}
-
-#endif /* KEYBLOBTOID_MAIN */
diff --git a/src/libfreeswan/prng.3 b/src/libfreeswan/prng.3
deleted file mode 100644
index 48c6ceed0..000000000
--- a/src/libfreeswan/prng.3
+++ /dev/null
@@ -1,120 +0,0 @@ -.TH IPSEC_PRNG 3 "1 April 2002" -.SH NAME -ipsec prng_init \- initialize IPsec pseudorandom-number generator -.br -ipsec prng_bytes \- get bytes from IPsec pseudorandom-number generator -.br -ipsec prng_final \- close down IPsec pseudorandom-number generator -.SH SYNOPSIS -.B "#include -.sp -.B "void prng_init(struct prng *prng," -.ti +1c -.B "const unsigned char *key, size_t keylen);" -.br -.B "void prng_bytes(struct prng *prng, char *dst," -.ti +1c -.B "size_t dstlen);" -.br -.B "unsigned long prng_count(struct prng *prng);" -.br -.B "void prng_final(struct prng *prng);" -.SH DESCRIPTION -.I Prng_init -initializes a crypto-quality pseudo-random-number generator from a key; -.I prng_bytes -obtains pseudo-random bytes from it; -.I prng_count -reports the number of bytes extracted from it to date; -.I prng_final -closes it down. -It is the user's responsibility to initialize a PRNG before using it, -and not to use it again after it is closed down. -.PP -.I Prng_init -initializes, -or re-initializes, -the specified -.I prng -from the -.IR key , -whose length is given by -.IR keylen . -The user must allocate the -.B "struct prng" -pointed to by -.IR prng . -There is no particular constraint on the length of the key, -although a key longer than 256 bytes is unnecessary because -only the first 256 would be used. -Initialization requires on the order of 3000 integer operations, -independent of key length. -.PP -.I Prng_bytes -obtains -.I dstlen -pseudo-random bytes from the PRNG and puts them in -.IR buf . -This is quite fast, -on the order of 10 integer operations per byte. -.PP -.I Prng_count -reports the number of bytes obtained from the PRNG -since it was (last) initialized. -.PP -.I Prng_final -closes down a PRNG by -zeroing its internal memory, -obliterating all trace of the state used to generate its previous output. -This requires on the order of 250 integer operations. 
-.PP -The -.B -header file supplies the definition of the -.B prng -structure. -Examination of its innards is discouraged, as they may change. -.PP -The PRNG algorithm -used by these functions is currently identical to that of RC4(TM). -This algorithm is cryptographically strong, -sufficiently unpredictable that even a hostile observer will -have difficulty determining the next byte of output from past history, -provided it is initialized from a reasonably large key composed of -highly random bytes (see -.IR random (4)). -The usual run of software pseudo-random-number generators -(e.g. -.IR random (3)) -are -.I not -cryptographically strong. -.PP -The well-known attacks against RC4(TM), -e.g. as found in 802.11b's WEP encryption system, -apply only if multiple PRNGs are initialized with closely-related keys -(e.g., using a counter appended to a base key). -If such keys are used, the first few hundred pseudo-random bytes -from each PRNG should be discarded, -to give the PRNGs a chance to randomize their innards properly. -No useful attacks are known if the key is well randomized to begin with. -.SH SEE ALSO -random(3), random(4) -.br -Bruce Schneier, -\fIApplied Cryptography\fR, 2nd ed., 1996, ISBN 0-471-11709-9, -pp. 397-8. -.SH HISTORY -Written for the FreeS/WAN project by Henry Spencer. -.SH BUGS -If an attempt is made to obtain more than 4e9 bytes -between initializations, -the PRNG will continue to work but -.IR prng_count 's -output will stick at -.BR 4000000000 . -Fixing this would require a longer integer type and does -not seem worth the trouble, -since you should probably re-initialize before then anyway... -.PP -``RC4'' is a trademark of RSA Data Security, Inc. diff --git a/src/libfreeswan/prng.c b/src/libfreeswan/prng.c deleted file mode 100644 index 347f13f89..000000000 --- a/src/libfreeswan/prng.c +++ /dev/null 
@@ -1,200 +0,0 @@
-/*
- * crypto-class pseudorandom number generator
- * currently uses same algorithm as RC4(TM), from Schneier 2nd ed p397
- * Copyright (C) 2002 Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-/*
- - prng_init - initialize PRNG from a key
- */
-void
-prng_init(prng, key, keylen)
-struct prng *prng;
-const unsigned char *key;
-size_t keylen;
-{
- unsigned char k[256];
- int i, j;
- unsigned const char *p;
- unsigned const char *keyend = key + keylen;
- unsigned char t;
-
- for (i = 0; i <= 255; i++)
- prng->sbox[i] = i;
- p = key;
- for (i = 0; i <= 255; i++) {
- k[i] = *p++;
- if (p >= keyend)
- p = key;
- }
- j = 0;
- for (i = 0; i <= 255; i++) {
- j = (j + prng->sbox[i] + k[i]) & 0xff;
- t = prng->sbox[i];
- prng->sbox[i] = prng->sbox[j];
- prng->sbox[j] = t;
- k[i] = 0; /* clear out key memory */
- }
- prng->i = 0;
- prng->j = 0;
- prng->count = 0;
-}
-
-/*
- - prng_bytes - get some pseudorandom bytes from PRNG
- */
-void
-prng_bytes(prng, dst, dstlen)
-struct prng *prng;
-unsigned char *dst;
-size_t dstlen;
-{
- int i, j, t;
- unsigned char *p = dst;
- size_t remain = dstlen;
-# define MAX 4000000000ul
-
- while (remain > 0) {
- i = (prng->i + 1) & 0xff;
- prng->i = i;
- j = (prng->j + prng->sbox[i]) & 0xff;
- prng->j = j;
- t = prng->sbox[i];
- prng->sbox[i] = prng->sbox[j];
- prng->sbox[j] = t;
- t = (t + prng->sbox[i]) & 0xff;
- *p++ = prng->sbox[t];
- remain--;
- }
- if (prng->count < MAX - dstlen)
- prng->count += dstlen;
- else
- prng->count = MAX;
-}
-
-/*
- - prnt_count - how many bytes have been extracted from PRNG so far?
- */
-unsigned long
-prng_count(prng)
-struct prng *prng;
-{
- return prng->count;
-}
-
-/*
- - prng_final - clear out PRNG to ensure nothing left in memory
- */
-void
-prng_final(prng)
-struct prng *prng;
-{
- int i;
-
- for (i = 0; i <= 255; i++)
- prng->sbox[i] = 0;
- prng->i = 0;
- prng->j = 0;
- prng->count = 0; /* just for good measure */
-}
-
-
-
-#ifdef PRNG_MAIN
-
-#include
-
-void regress();
-
-int
-main(argc, argv)
-int argc;
-char *argv[];
-{
- struct prng pr;
- unsigned char buf[100];
- unsigned char *p;
- size_t n;
-
- if (argc < 2) {
- fprintf(stderr, "Usage: %s {key|-r}\n", argv[0]);
- exit(2);
- }
-
- if (strcmp(argv[1], "-r") == 0) {
- regress();
- fprintf(stderr, "regress() returned?!?\n");
- exit(1);
- }
-
- prng_init(&pr, argv[1], strlen(argv[1]));
- prng_bytes(&pr, buf, 32);
- printf("0x");
- for (p = buf, n = 32; n > 0; p++, n--)
- printf("%02x", *p);
- printf("\n%lu bytes\n", prng_count(&pr));
- prng_final(&pr);
- exit(0);
-}
-
-void
-regress()
-{
- struct prng pr;
- unsigned char buf[100];
- unsigned char *p;
- size_t n;
- /* somewhat non-random sample key */
- unsigned char key[] = "here we go gathering nuts in May";
- /* first thirty bytes of output from that key */
- unsigned char good[] = "\x3f\x02\x8e\x4a\x2a\xea\x23\x18\x92\x7c"
- "\x09\x52\x83\x61\xaa\x26\xce\xbb\x9d\x71"
- "\x71\xe5\x10\x22\xaf\x60\x54\x8d\x5b\x28";
- int nzero, none;
- int show = 0;
-
- prng_init(&pr, key, strlen(key));
- prng_bytes(&pr, buf, sizeof(buf));
- for (p = buf, n = sizeof(buf); n > 0; p++, n--) {
- if (*p == 0)
- nzero++;
- if (*p == 255)
- none++;
- }
- if (nzero > 3 || none > 3) {
- fprintf(stderr, "suspiciously non-random output!\n");
- show = 1;
- }
- if (memcmp(buf, good, strlen(good)) != 0) {
- fprintf(stderr, "incorrect output!\n");
- show = 1;
- }
- if (show) {
- fprintf(stderr, "0x");
- for (p = buf, n = sizeof(buf); n > 0; p++, n--)
- fprintf(stderr, "%02x", *p);
- fprintf(stderr, "\n");
- exit(1);
- }
- if (prng_count(&pr) != sizeof(buf)) {
- fprintf(stderr, "got %u bytes, but count is %lu\n",
- sizeof(buf), prng_count(&pr));
- exit(1);
- }
- prng_final(&pr);
- exit(0);
-}
-
-#endif /* PRNG_MAIN */
diff --git a/src/libfreeswan/satoa.c b/src/libfreeswan/satoa.c
deleted file mode 100644
index 09a152727..000000000
--- a/src/libfreeswan/satoa.c
+++ /dev/null
@@ -1,100 +0,0 @@
-/*
- * convert from binary form of SA ID to ASCII
- * Copyright (C) 1998, 1999, 2001 Henry Spencer.
- *
- * This library is free software; you can redistribute it and/or modify it
- * under the terms of the GNU Library General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or (at your
- * option) any later version. See .
- *
- * This library is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
- * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
- * License for more details.
- */
-#include "internal.h"
-#include "freeswan.h"
-
-static struct typename {
- char type;
- char *name;
-} typenames[] = {
- { SA_AH, "ah" },
- { SA_ESP, "esp" },
- { SA_IPIP, "tun" },
- { SA_COMP, "comp" },
- { SA_INT, "int" },
- { 0, NULL }
-};
-
-/*
- - satoa - convert SA to ASCII "ah507@1.2.3.4"
- */
-size_t /* space needed for full conversion */
-satoa(sa, format, dst, dstlen)
-struct sa_id sa;
-int format; /* character */
-char *dst; /* need not be valid if dstlen is 0 */
-size_t dstlen;
-{
- size_t len = 0; /* 0 means not handled yet */
- int base;
- struct typename *tn;
- char buf[30+ADDRTOA_BUF];
-
- switch (format) {
- case 0:
- base = 16; /* temporarily at least */
- break;
- case 'd':
- base = 10;
- break;
- default:
- return 0;
- break;
- }
-
- for (tn = typenames; tn->name != NULL; tn++)
- if (sa.proto == tn->type)
- break;
- if (tn->name == NULL)
- return 0;
-
- if (strcmp(tn->name, PASSTHROUGHTYPE) == 0 &&
- sa.spi == PASSTHROUGHSPI &&
- sa.dst.s_addr == PASSTHROUGHDST) {
- strcpy(buf, PASSTHROUGHNAME);
- len = strlen(buf);
- } else if (sa.proto == SA_INT && sa.dst.s_addr == 0) {
- char *p;
-
- switch (ntohl(sa.spi)) {
- case SPI_PASS: p = "%pass"; break;
- case SPI_DROP: p = "%drop"; break;
- case SPI_REJECT: p = "%reject"; break;
- case SPI_HOLD: p = "%hold"; break;
- case SPI_TRAP: p = "%trap"; break;
- case SPI_TRAPSUBNET: p = "%trapsubnet"; break;
- default: p = NULL; break;
- }
- if (p != NULL) {
- strcpy(buf, p);
- len = strlen(buf);
- }
- }
-
- if (len == 0) {
- strcpy(buf, tn->name);
- len = strlen(buf);
- len += ultoa(ntohl(sa.spi), base, buf+len, sizeof(buf)-len);
- *(buf+len-1) = '@';
- len += addrtoa(sa.dst, 0, buf+len, sizeof(buf)-len);
- }
-
- if (dst != NULL) {
- if (len > dstlen)
- *(buf+dstlen-1) = '\0';
- strcpy(dst, buf);
- }
- return len;
-}
diff --git a/src/libhydra/Makefile.in b/src/libhydra/Makefile.in
index 8e5697b79..8b1e7384f 100644
--- a/src/libhydra/Makefile.in
+++ b/src/libhydra/Makefile.in
@@ -271,9 +271,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -312,6 +310,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libhydra/kernel/kernel_interface.c b/src/libhydra/kernel/kernel_interface.c
index 3e6d46205..4fd5a7535 100644
--- a/src/libhydra/kernel/kernel_interface.c
+++ b/src/libhydra/kernel/kernel_interface.c
@@ -78,8 +78,8 @@ METHOD(kernel_interface_t, get_cpi, status_t,
 METHOD(kernel_interface_t, add_sa, status_t,
 private_kernel_interface_t *this, host_t *src, host_t *dst,
- u_int32_t spi, u_int8_t protocol, u_int32_t reqid,
- mark_t mark, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+ u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark,
+ u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool encap, bool inbound, traffic_selector_t *src_ts,
 traffic_selector_t *dst_ts)
@@ -89,8 +89,8 @@ METHOD(kernel_interface_t, add_sa, status_t,
 return NOT_SUPPORTED;
 }
 return this->ipsec->add_sa(this->ipsec, src, dst, spi, protocol, reqid,
- mark, lifetime, enc_alg, enc_key, int_alg, int_key, mode, ipcomp,
- cpi, encap, inbound, src_ts, dst_ts);
+ mark, tfc, lifetime, enc_alg, enc_key, int_alg, int_key, mode,
+ ipcomp, cpi, encap, inbound, src_ts, dst_ts);
 }
 METHOD(kernel_interface_t, update_sa, status_t,
diff --git a/src/libhydra/kernel/kernel_interface.h b/src/libhydra/kernel/kernel_interface.h
index 8b0c7a296..ec73fa1f7 100644
--- a/src/libhydra/kernel/kernel_interface.h
+++ b/src/libhydra/kernel/kernel_interface.h
@@ -91,6 +91,7 @@ struct kernel_interface_t {
 * @param protocol protocol for this SA (ESP/AH)
 * @param reqid unique ID for this SA
 * @param mark optional mark for this SA
+ * @param tfc Traffic Flow Confidentiality padding for this SA
 * @param lifetime lifetime_cfg_t for this SA
 * @param enc_alg Algorithm to use for encryption (ESP only)
 * @param enc_key key to use for encryption
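Review bot: The new `@param tfc` line in kernel_interface.h (and the matching one in the kernel_ipsec.h hunk that follows) says only "Traffic Flow Confidentiality padding for this SA", which leaves the meaning of the u_int32_t undocumented: whether it is a pad-to packet length in bytes or some other encoding, and which value turns TFC padding off. The kernel_interface.c add_sa wrapper in this same commit forwards the value to this->ipsec->add_sa() without interpreting it, so backend implementers have only this comment to go on. Suggest spelling the contract out, e.g. `@param tfc Traffic Flow Confidentiality padding for this SA (<unit/encoding>; <value> disables padding)`, with the placeholders filled in from the backend that actually consumes the value.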
@@ -108,7 +109,7 @@ struct kernel_interface_t { status_t (*add_sa) (kernel_interface_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, mark_t mark, - lifetime_cfg_t *lifetime, + u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, diff --git a/src/libhydra/kernel/kernel_ipsec.h b/src/libhydra/kernel/kernel_ipsec.h index 49d9cc07a..3e2d8b9ce 100644 --- a/src/libhydra/kernel/kernel_ipsec.h +++ b/src/libhydra/kernel/kernel_ipsec.h @@ -204,6 +204,7 @@ struct kernel_ipsec_t { * @param protocol protocol for this SA (ESP/AH) * @param reqid unique ID for this SA * @param mark mark for this SA + * @param tfc Traffic Flow Confidentiality padding for this SA * @param lifetime lifetime_cfg_t for this SA * @param enc_alg Algorithm to use for encryption (ESP only) * @param enc_key key to use for encryption @@ -221,7 +222,7 @@ struct kernel_ipsec_t { status_t (*add_sa) (kernel_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, u_int8_t protocol, u_int32_t reqid, - mark_t mark, lifetime_cfg_t *lifetime, + mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, diff --git a/src/libhydra/plugins/attr/Makefile.in b/src/libhydra/plugins/attr/Makefile.in index 72182e57f..2da06a89c 100644 --- a/src/libhydra/plugins/attr/Makefile.in +++ b/src/libhydra/plugins/attr/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/attr/attr_plugin.c b/src/libhydra/plugins/attr/attr_plugin.c index 24c00bb44..0f66b680a 100644 --- a/src/libhydra/plugins/attr/attr_plugin.c +++ b/src/libhydra/plugins/attr/attr_plugin.c @@ -36,10 +36,8 @@ struct private_attr_plugin_t { attr_provider_t *provider; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_attr_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_attr_plugin_t *this) { hydra->attributes->remove_provider(hydra->attributes, &this->provider->provider); this->provider->destroy(this->provider); @@ -51,11 +49,16 @@ static void destroy(private_attr_plugin_t *this) */ plugin_t *attr_plugin_create() { - private_attr_plugin_t *this = malloc_thing(private_attr_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_attr_plugin_t *this; - this->provider = attr_provider_create(); + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .provider = attr_provider_create(), + ); hydra->attributes->add_provider(hydra->attributes, &this->provider->provider); return &this->public.plugin; diff --git a/src/libhydra/plugins/attr_sql/Makefile.in b/src/libhydra/plugins/attr_sql/Makefile.in index dfb41cc02..26e7a3038 100644 --- a/src/libhydra/plugins/attr_sql/Makefile.in +++ b/src/libhydra/plugins/attr_sql/Makefile.in @@ -232,9 +232,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -273,6 +271,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c index 70e7a2247..ca9de023e 100644 --- a/src/libhydra/plugins/attr_sql/attr_sql_plugin.c +++ b/src/libhydra/plugins/attr_sql/attr_sql_plugin.c @@ -43,10 +43,8 @@ struct private_attr_sql_plugin_t { }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_attr_sql_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_attr_sql_plugin_t *this) { hydra->attributes->remove_provider(hydra->attributes, &this->attribute->provider); this->attribute->destroy(this->attribute); @@ -59,21 +57,26 @@ static void destroy(private_attr_sql_plugin_t *this) */ plugin_t *attr_sql_plugin_create() { - char *uri; private_attr_sql_plugin_t *this; + char *uri; - uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", NULL); + uri = lib->settings->get_str(lib->settings, "libhydra.plugins.attr-sql.database", + NULL); if (!uri) { DBG1(DBG_CFG, "attr-sql plugin: database URI not set"); return NULL; } - this = malloc_thing(private_attr_sql_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .db = lib->db->create(lib->db, uri), + ); - this->db = lib->db->create(lib->db, uri); if (!this->db) { DBG1(DBG_CFG, "attr-sql plugin failed to connect to database"); diff --git a/src/libhydra/plugins/kernel_klips/Makefile.in b/src/libhydra/plugins/kernel_klips/Makefile.in index a451bd6f5..7d2464456 100644 --- a/src/libhydra/plugins/kernel_klips/Makefile.in +++ b/src/libhydra/plugins/kernel_klips/Makefile.in 
@@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c index 0ccb2ac5f..cf9a3e1fd 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_ipsec.c @@ -1668,7 +1668,7 @@ static status_t group_ipip_sa(private_kernel_klips_ipsec_t *this, METHOD(kernel_ipsec_t, add_sa, status_t, private_kernel_klips_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi, - u_int8_t protocol, u_int32_t reqid, mark_t mark, + u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key, u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi, bool encap, bool inbound, diff --git a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c index 1a22835c0..3c312ca2b 100644 --- a/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c +++ b/src/libhydra/plugins/kernel_klips/kernel_klips_plugin.c 
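Review bot: The KLIPS add_sa hunk adds `u_int32_t tfc` to the signature but nothing in the hunk consumes it, and the same is true of the kernel_pfkey_ipsec.c add_sa hunk further down; if the body (which lies outside both hunks) cannot apply TFC padding, the caller's request is silently dropped and an operator who configured it has less confidentiality than the log suggests. Where a backend cannot honour it, log once at entry, `if (tfc) { DBG1(DBG_KNL, "TFC padding not supported by this kernel interface, ignored"); }`, so the gap is visible in the logs. A one-line note in the kernel_ipsec.h @param text saying that backends without support ignore tfc would document the same contract.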
@@ -32,10 +32,8 @@ struct private_kernel_klips_plugin_t { kernel_klips_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_klips_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_klips_plugin_t *this) { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); @@ -47,10 +45,15 @@ static void destroy(private_kernel_klips_plugin_t *this) */ plugin_t *kernel_klips_plugin_create() { - private_kernel_klips_plugin_t *this = malloc_thing(private_kernel_klips_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_kernel_klips_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_klips_ipsec_create); diff --git a/src/libhydra/plugins/kernel_netlink/Makefile.in b/src/libhydra/plugins/kernel_netlink/Makefile.in index d41ee1456..c7404fe06 100644 --- a/src/libhydra/plugins/kernel_netlink/Makefile.in +++ b/src/libhydra/plugins/kernel_netlink/Makefile.in @@ -224,9 +224,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -265,6 +263,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c index 8cc9a6283..4dc80785c 100644 --- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c 
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
@@ -58,8 +58,8 @@
 #endif /*IPV6_XFRM_POLICY*/
 
 /** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
+#define PRIO_LOW 1024
+#define PRIO_HIGH 512
 
 /**
  * map the limit for bytes and packets to XFRM_INF per default
@@ -866,7 +866,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 METHOD(kernel_ipsec_t, add_sa, status_t,
 private_kernel_netlink_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
 u_int8_t protocol, u_int32_t reqid, mark_t mark,
-lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+u_int32_t tfc, lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool encap, bool inbound,
 traffic_selector_t* src_ts, traffic_selector_t* dst_ts)
@@ -882,7 +882,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 if (ipcomp != IPCOMP_NONE && cpi != 0)
 {
 lifetime_cfg_t lft = {{0,0,0},{0,0,0},{0,0,0}};
-add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark,
+add_sa(this, src, dst, htonl(ntohs(cpi)), IPPROTO_COMP, reqid, mark, tfc,
 &lft, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty,
 mode, ipcomp, 0, FALSE, inbound, NULL, NULL);
 ipcomp = IPCOMP_NONE;
@@ -920,6 +920,7 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 sa->flags |= XFRM_STATE_AF_UNSPEC;
 break;
 case MODE_BEET:
+case MODE_TRANSPORT:
 if(src_ts && dst_ts)
 {
 sa->sel = ts2selector(src_ts, dst_ts);
@@ -1153,6 +1154,24 @@ METHOD(kernel_ipsec_t, add_sa, status_t,
 rthdr = XFRM_RTA_NEXT(rthdr);
 }
 
+if (tfc)
+{
+u_int32_t *tfcpad;
+
+rthdr->rta_type = XFRMA_TFCPAD;
+rthdr->rta_len = RTA_LENGTH(sizeof(u_int32_t));
+
+hdr->nlmsg_len += rthdr->rta_len;
+if (hdr->nlmsg_len > sizeof(request))
+{
+return FAILED;
+}
+
+tfcpad = (u_int32_t*)RTA_DATA(rthdr);
+*tfcpad = tfc;
+rthdr = XFRM_RTA_NEXT(rthdr);
+}
+
 if (this->socket_xfrm->send_ack(this->socket_xfrm, hdr) != SUCCESS)
 {
 if (mark.value)
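Review bot: In the new `if (tfc)` block, `rthdr->rta_type` and `rthdr->rta_len` are stored through `rthdr` before `hdr->nlmsg_len` is compared with `sizeof(request)`, so when the message is already at capacity the 4-byte rtattr header is written past the end of `request` (which the check implies is a fixed-size buffer) before the FAILED return. Do the bound check first, `if (hdr->nlmsg_len + RTA_LENGTH(sizeof(u_int32_t)) > sizeof(request)) { return FAILED; }`, and only then fill in the header, bump `nlmsg_len` and store `*tfcpad`. The attribute blocks above end the same way (`rthdr = XFRM_RTA_NEXT(rthdr);` is visible as context) and may follow the same order, in which case they deserve the same treatment. A short comment on the block, `/* XFRMA_TFCPAD: request tfc bytes of TFC padding for this SA */`, would also help, since tfc is otherwise only forwarded. add_sa begins and ends outside this hunk.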
@@ -1687,11 +1706,16 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 policy_info = (struct xfrm_userpolicy_info*)NLMSG_DATA(hdr);
 policy_info->sel = policy->sel;
 policy_info->dir = policy->direction;
-/* calculate priority based on source selector size, small size = high prio */
+
+/* calculate priority based on selector size, small size = high prio */
 policy_info->priority = routed ? PRIO_LOW : PRIO_HIGH;
-policy_info->priority -= policy->sel.prefixlen_s * 10;
-policy_info->priority -= policy->sel.proto ? 2 : 0;
-policy_info->priority -= policy->sel.sport_mask ? 1 : 0;
+policy_info->priority -= policy->sel.prefixlen_s;
+policy_info->priority -= policy->sel.prefixlen_d;
+policy_info->priority <<= 2; /* make some room for the two flags */
+policy_info->priority += policy->sel.sport_mask ||
+policy->sel.dport_mask ? 0 : 2;
+policy_info->priority += policy->sel.proto ? 0 : 1;
+
 policy_info->action = type != POLICY_DROP ? XFRM_POLICY_ALLOW
 : XFRM_POLICY_BLOCK;
 policy_info->share = XFRM_SHARE_ANY;
@@ -1813,6 +1837,8 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 
 if (route->if_name)
 {
+DBG2(DBG_KNL, "installing route: %R via %H src %H dev %s",
+src_ts, route->gateway, route->src_ip, route->if_name);
 switch (hydra->kernel_interface->add_route(
 hydra->kernel_interface, route->dst_net,
 route->prefixlen, route->gateway,
diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
index 212675d1a..9fc1a03f5 100644
--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
+++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_plugin.c
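Review bot: The new line `policy_info->priority += policy->sel.sport_mask || policy->sel.dport_mask ? 0 : 2;` relies on `||` binding tighter than `?:`; it evaluates as intended, but with the break after `||` it reads as if `dport_mask ? 0 : 2` were the right operand, so write `(policy->sel.sport_mask || policy->sel.dport_mask) ? 0 : 2`. The same form appears in the kernel_pfkey_ipsec.c add_policy hunk with the two `get_port()` calls. The `<<= 2` line would also benefit from stating the invariant the new constants depend on: `/* PRIO_HIGH - 2*128 prefix bits stays >= 256, so after the shift the routed and non-routed bands cannot overlap */` (this assumes prefix lengths never exceed 128, which is true for the address families XFRM selectors carry). Note for operators that lower XFRM priority values win, so policies from other tools that previously sat between the old 2000/3000 and the new 512/1024 values now rank behind strongSwan's. add_policy starts and ends outside the hunk.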
@@ -33,10 +33,8 @@ struct private_kernel_netlink_plugin_t { kernel_netlink_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_netlink_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_netlink_plugin_t *this) { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); @@ -50,10 +48,15 @@ static void destroy(private_kernel_netlink_plugin_t *this) */ plugin_t *kernel_netlink_plugin_create() { - private_kernel_netlink_plugin_t *this = malloc_thing(private_kernel_netlink_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_kernel_netlink_plugin_t *this; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_netlink_ipsec_create); hydra->kernel_interface->add_net_interface(hydra->kernel_interface, diff --git a/src/libhydra/plugins/kernel_pfkey/Makefile.in b/src/libhydra/plugins/kernel_pfkey/Makefile.in index a98ae42d1..40363f319 100644 --- a/src/libhydra/plugins/kernel_pfkey/Makefile.in +++ b/src/libhydra/plugins/kernel_pfkey/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c index f5786447b..681811528 100644 
--- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
+++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_ipsec.c
@@ -99,8 +99,8 @@
 #endif
 
 /** default priority of installed policies */
-#define PRIO_LOW 3000
-#define PRIO_HIGH 2000
+#define PRIO_LOW 1024
+#define PRIO_HIGH 512
 
 #ifdef __APPLE__
 /** from xnu/bsd/net/pfkeyv2.h */
@@ -1206,7 +1206,7 @@ METHOD(kernel_ipsec_t, get_cpi, status_t,
 
 METHOD(kernel_ipsec_t, add_sa, status_t,
 private_kernel_pfkey_ipsec_t *this, host_t *src, host_t *dst, u_int32_t spi,
-u_int8_t protocol, u_int32_t reqid, mark_t mark,
+u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode, u_int16_t ipcomp,
 u_int16_t cpi, bool encap, bool inbound,
@@ -1651,11 +1651,14 @@ METHOD(kernel_ipsec_t, add_policy, status_t,
 pol->sadb_x_policy_dir = dir2kernel(direction);
 pol->sadb_x_policy_type = IPSEC_POLICY_IPSEC;
 #ifdef HAVE_STRUCT_SADB_X_POLICY_SADB_X_POLICY_PRIORITY
-/* calculate priority based on source selector size, small size = high prio */
+/* calculate priority based on selector size, small size = high prio */
 pol->sadb_x_policy_priority = routed ? PRIO_LOW : PRIO_HIGH;
-pol->sadb_x_policy_priority -= policy->src.mask * 10;
-pol->sadb_x_policy_priority -= policy->src.proto != IPSEC_PROTO_ANY ? 2 : 0;
-pol->sadb_x_policy_priority -= policy->src.net->get_port(policy->src.net) ? 1 : 0;
+pol->sadb_x_policy_priority -= policy->src.mask;
+pol->sadb_x_policy_priority -= policy->dst.mask;
+pol->sadb_x_policy_priority <<= 2; /* make some room for the flags */
+pol->sadb_x_policy_priority += policy->src.net->get_port(policy->src.net) ||
+policy->dst.net->get_port(policy->dst.net) ? 0 : 2;
+pol->sadb_x_policy_priority += policy->src.proto != IPSEC_PROTO_ANY ? 0 : 1;
 #endif
 
 /* one or more sadb_x_ipsecrequest extensions are added to the sadb_x_policy extension */
diff --git a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c index 781ba5008..9e7a7904d 100644 --- a/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c +++ b/src/libhydra/plugins/kernel_pfkey/kernel_pfkey_plugin.c @@ -32,10 +32,8 @@ struct private_kernel_pfkey_plugin_t { kernel_pfkey_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfkey_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_pfkey_plugin_t *this) { hydra->kernel_interface->remove_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); @@ -47,10 +45,15 @@ static void destroy(private_kernel_pfkey_plugin_t *this) */ plugin_t *kernel_pfkey_plugin_create() { - private_kernel_pfkey_plugin_t *this = malloc_thing(private_kernel_pfkey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_kernel_pfkey_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_ipsec_interface(hydra->kernel_interface, (kernel_ipsec_constructor_t)kernel_pfkey_ipsec_create); diff --git a/src/libhydra/plugins/kernel_pfroute/Makefile.in b/src/libhydra/plugins/kernel_pfroute/Makefile.in index b0bc00c70..4db374b75 100644 --- a/src/libhydra/plugins/kernel_pfroute/Makefile.in +++ b/src/libhydra/plugins/kernel_pfroute/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c index 5f351bd72..a4cb53edd 100644 --- a/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c +++ b/src/libhydra/plugins/kernel_pfroute/kernel_pfroute_plugin.c @@ -32,10 +32,8 @@ struct private_kernel_pfroute_plugin_t { kernel_pfroute_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_kernel_pfroute_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_kernel_pfroute_plugin_t *this) { hydra->kernel_interface->remove_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); @@ -47,10 +45,15 @@ static void destroy(private_kernel_pfroute_plugin_t *this) */ plugin_t *kernel_pfroute_plugin_create() { - private_kernel_pfroute_plugin_t *this = malloc_thing(private_kernel_pfroute_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_kernel_pfroute_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); hydra->kernel_interface->add_net_interface(hydra->kernel_interface, (kernel_net_constructor_t)kernel_pfroute_net_create); diff --git a/src/libhydra/plugins/resolve/Makefile.in b/src/libhydra/plugins/resolve/Makefile.in index aedc8fdb7..e6c5fb712 100644 --- a/src/libhydra/plugins/resolve/Makefile.in +++ b/src/libhydra/plugins/resolve/Makefile.in 
@@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libhydra/plugins/resolve/resolve_plugin.c b/src/libhydra/plugins/resolve/resolve_plugin.c index 502129593..ad18c7060 100644 --- a/src/libhydra/plugins/resolve/resolve_plugin.c +++ b/src/libhydra/plugins/resolve/resolve_plugin.c @@ -36,10 +36,8 @@ struct private_resolve_plugin_t { resolve_handler_t *handler; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_resolve_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_resolve_plugin_t *this) { hydra->attributes->remove_handler(hydra->attributes, &this->handler->handler); this->handler->destroy(this->handler); @@ -51,10 +49,16 @@ static void destroy(private_resolve_plugin_t *this) */ plugin_t *resolve_plugin_create() { - private_resolve_plugin_t *this = malloc_thing(private_resolve_plugin_t); + private_resolve_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - this->handler = resolve_handler_create(); + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + .handler = resolve_handler_create(), + ); hydra->attributes->add_handler(hydra->attributes, &this->handler->handler); return &this->public.plugin; diff --git a/src/libsimaka/Makefile.in b/src/libsimaka/Makefile.in index 0aa509acc..ef7a6ee38 100644 --- a/src/libsimaka/Makefile.in +++ b/src/libsimaka/Makefile.in 
@@ -192,9 +192,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -233,6 +231,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/Makefile.am b/src/libstrongswan/Makefile.am index 2ab8aa636..6a29d8eea 100644 --- a/src/libstrongswan/Makefile.am +++ b/src/libstrongswan/Makefile.am @@ -30,8 +30,7 @@ credentials/keys/private_key.c credentials/keys/private_key.h \ credentials/keys/public_key.c credentials/keys/public_key.h \ credentials/keys/shared_key.c credentials/keys/shared_key.h \ credentials/certificates/certificate.c credentials/certificates/certificate.h \ -credentials/certificates/x509.h credentials/certificates/x509.c \ -credentials/certificates/ac.h \ +credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -136,6 +135,13 @@ else SUBDIRS = . endif +if USE_AF_ALG + SUBDIRS += plugins/af_alg +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/af_alg/libstrongswan-af-alg.la +endif +endif + if USE_AES SUBDIRS += plugins/aes if MONOLITHIC @@ -227,6 +233,13 @@ if MONOLITHIC endif endif +if USE_CONSTRAINTS + SUBDIRS += plugins/constraints +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/constraints/libstrongswan-constraints.la +endif +endif + if USE_PUBKEY SUBDIRS += plugins/pubkey if MONOLITHIC 
@@ -269,6 +282,13 @@ if MONOLITHIC endif endif +if USE_SOUP + SUBDIRS += plugins/soup +if MONOLITHIC + libstrongswan_la_LIBADD += plugins/soup/libstrongswan-soup.la +endif +endif + if USE_LDAP SUBDIRS += plugins/ldap if MONOLITHIC diff --git a/src/libstrongswan/Makefile.in b/src/libstrongswan/Makefile.in index 8be6dd9b8..76b4f70c6 100644 --- a/src/libstrongswan/Makefile.in +++ b/src/libstrongswan/Makefile.in 
@@ -44,70 +44,76 @@ host_triplet = @host@ @USE_INTEGRITY_TEST_TRUE@ integrity_checker.c integrity_checker.h @USE_VSTR_TRUE@am__append_6 = -lvstr -@USE_AES_TRUE@am__append_7 = plugins/aes -@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_8 = plugins/aes/libstrongswan-aes.la -@USE_DES_TRUE@am__append_9 = plugins/des -@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_10 = plugins/des/libstrongswan-des.la -@USE_BLOWFISH_TRUE@am__append_11 = plugins/blowfish -@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_12 = plugins/blowfish/libstrongswan-blowfish.la -@USE_MD4_TRUE@am__append_13 = plugins/md4 -@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_14 = plugins/md4/libstrongswan-md4.la -@USE_MD5_TRUE@am__append_15 = plugins/md5 -@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_16 = plugins/md5/libstrongswan-md5.la -@USE_SHA1_TRUE@am__append_17 = plugins/sha1 -@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_18 = plugins/sha1/libstrongswan-sha1.la -@USE_SHA2_TRUE@am__append_19 = plugins/sha2 -@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_20 = plugins/sha2/libstrongswan-sha2.la -@USE_GMP_TRUE@am__append_21 = plugins/gmp -@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_22 = plugins/gmp/libstrongswan-gmp.la -@USE_RANDOM_TRUE@am__append_23 = plugins/random -@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_24 = plugins/random/libstrongswan-random.la -@USE_HMAC_TRUE@am__append_25 = plugins/hmac -@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_26 = plugins/hmac/libstrongswan-hmac.la -@USE_XCBC_TRUE@am__append_27 = plugins/xcbc -@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_28 = plugins/xcbc/libstrongswan-xcbc.la -@USE_X509_TRUE@am__append_29 = plugins/x509 -@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_30 = plugins/x509/libstrongswan-x509.la -@USE_REVOCATION_TRUE@am__append_31 = plugins/revocation -@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_32 = plugins/revocation/libstrongswan-revocation.la -@USE_PUBKEY_TRUE@am__append_33 = plugins/pubkey -@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_34 = plugins/pubkey/libstrongswan-pubkey.la 
-@USE_PKCS1_TRUE@am__append_35 = plugins/pkcs1 -@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_36 = plugins/pkcs1/libstrongswan-pkcs1.la -@USE_PGP_TRUE@am__append_37 = plugins/pgp -@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_38 = plugins/pgp/libstrongswan-pgp.la -@USE_DNSKEY_TRUE@am__append_39 = plugins/dnskey -@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_40 = plugins/dnskey/libstrongswan-dnskey.la -@USE_PEM_TRUE@am__append_41 = plugins/pem -@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_42 = plugins/pem/libstrongswan-pem.la -@USE_CURL_TRUE@am__append_43 = plugins/curl -@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_44 = plugins/curl/libstrongswan-curl.la -@USE_LDAP_TRUE@am__append_45 = plugins/ldap -@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_46 = plugins/ldap/libstrongswan-ldap.la -@USE_MYSQL_TRUE@am__append_47 = plugins/mysql -@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_48 = plugins/mysql/libstrongswan-mysql.la -@USE_SQLITE_TRUE@am__append_49 = plugins/sqlite -@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_50 = plugins/sqlite/libstrongswan-sqlite.la -@USE_PADLOCK_TRUE@am__append_51 = plugins/padlock -@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_52 = plugins/padlock/libstrongswan-padlock.la -@USE_OPENSSL_TRUE@am__append_53 = plugins/openssl -@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_54 = plugins/openssl/libstrongswan-openssl.la -@USE_GCRYPT_TRUE@am__append_55 = plugins/gcrypt -@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_56 = plugins/gcrypt/libstrongswan-gcrypt.la -@USE_FIPS_PRF_TRUE@am__append_57 = plugins/fips_prf -@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_58 = plugins/fips_prf/libstrongswan-fips-prf.la -@USE_AGENT_TRUE@am__append_59 = plugins/agent -@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_60 = plugins/agent/libstrongswan-agent.la -@USE_PKCS11_TRUE@am__append_61 = plugins/pkcs11 -@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_62 = plugins/pkcs11/libstrongswan-pkcs11.la -@USE_CTR_TRUE@am__append_63 = plugins/ctr -@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_64 = 
plugins/ctr/libstrongswan-ctr.la -@USE_CCM_TRUE@am__append_65 = plugins/ccm -@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_66 = plugins/ccm/libstrongswan-ccm.la -@USE_GCM_TRUE@am__append_67 = plugins/gcm -@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_68 = plugins/gcm/libstrongswan-gcm.la -@USE_TEST_VECTORS_TRUE@am__append_69 = plugins/test_vectors -@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_70 = plugins/test_vectors/libstrongswan-test-vectors.la +@USE_AF_ALG_TRUE@am__append_7 = plugins/af_alg +@MONOLITHIC_TRUE@@USE_AF_ALG_TRUE@am__append_8 = plugins/af_alg/libstrongswan-af-alg.la +@USE_AES_TRUE@am__append_9 = plugins/aes +@MONOLITHIC_TRUE@@USE_AES_TRUE@am__append_10 = plugins/aes/libstrongswan-aes.la +@USE_DES_TRUE@am__append_11 = plugins/des +@MONOLITHIC_TRUE@@USE_DES_TRUE@am__append_12 = plugins/des/libstrongswan-des.la +@USE_BLOWFISH_TRUE@am__append_13 = plugins/blowfish +@MONOLITHIC_TRUE@@USE_BLOWFISH_TRUE@am__append_14 = plugins/blowfish/libstrongswan-blowfish.la +@USE_MD4_TRUE@am__append_15 = plugins/md4 +@MONOLITHIC_TRUE@@USE_MD4_TRUE@am__append_16 = plugins/md4/libstrongswan-md4.la +@USE_MD5_TRUE@am__append_17 = plugins/md5 +@MONOLITHIC_TRUE@@USE_MD5_TRUE@am__append_18 = plugins/md5/libstrongswan-md5.la +@USE_SHA1_TRUE@am__append_19 = plugins/sha1 +@MONOLITHIC_TRUE@@USE_SHA1_TRUE@am__append_20 = plugins/sha1/libstrongswan-sha1.la +@USE_SHA2_TRUE@am__append_21 = plugins/sha2 +@MONOLITHIC_TRUE@@USE_SHA2_TRUE@am__append_22 = plugins/sha2/libstrongswan-sha2.la +@USE_GMP_TRUE@am__append_23 = plugins/gmp +@MONOLITHIC_TRUE@@USE_GMP_TRUE@am__append_24 = plugins/gmp/libstrongswan-gmp.la +@USE_RANDOM_TRUE@am__append_25 = plugins/random +@MONOLITHIC_TRUE@@USE_RANDOM_TRUE@am__append_26 = plugins/random/libstrongswan-random.la +@USE_HMAC_TRUE@am__append_27 = plugins/hmac +@MONOLITHIC_TRUE@@USE_HMAC_TRUE@am__append_28 = plugins/hmac/libstrongswan-hmac.la +@USE_XCBC_TRUE@am__append_29 = plugins/xcbc +@MONOLITHIC_TRUE@@USE_XCBC_TRUE@am__append_30 = 
plugins/xcbc/libstrongswan-xcbc.la +@USE_X509_TRUE@am__append_31 = plugins/x509 +@MONOLITHIC_TRUE@@USE_X509_TRUE@am__append_32 = plugins/x509/libstrongswan-x509.la +@USE_REVOCATION_TRUE@am__append_33 = plugins/revocation +@MONOLITHIC_TRUE@@USE_REVOCATION_TRUE@am__append_34 = plugins/revocation/libstrongswan-revocation.la +@USE_CONSTRAINTS_TRUE@am__append_35 = plugins/constraints +@MONOLITHIC_TRUE@@USE_CONSTRAINTS_TRUE@am__append_36 = plugins/constraints/libstrongswan-constraints.la +@USE_PUBKEY_TRUE@am__append_37 = plugins/pubkey +@MONOLITHIC_TRUE@@USE_PUBKEY_TRUE@am__append_38 = plugins/pubkey/libstrongswan-pubkey.la +@USE_PKCS1_TRUE@am__append_39 = plugins/pkcs1 +@MONOLITHIC_TRUE@@USE_PKCS1_TRUE@am__append_40 = plugins/pkcs1/libstrongswan-pkcs1.la +@USE_PGP_TRUE@am__append_41 = plugins/pgp +@MONOLITHIC_TRUE@@USE_PGP_TRUE@am__append_42 = plugins/pgp/libstrongswan-pgp.la +@USE_DNSKEY_TRUE@am__append_43 = plugins/dnskey +@MONOLITHIC_TRUE@@USE_DNSKEY_TRUE@am__append_44 = plugins/dnskey/libstrongswan-dnskey.la +@USE_PEM_TRUE@am__append_45 = plugins/pem +@MONOLITHIC_TRUE@@USE_PEM_TRUE@am__append_46 = plugins/pem/libstrongswan-pem.la +@USE_CURL_TRUE@am__append_47 = plugins/curl +@MONOLITHIC_TRUE@@USE_CURL_TRUE@am__append_48 = plugins/curl/libstrongswan-curl.la +@USE_SOUP_TRUE@am__append_49 = plugins/soup +@MONOLITHIC_TRUE@@USE_SOUP_TRUE@am__append_50 = plugins/soup/libstrongswan-soup.la +@USE_LDAP_TRUE@am__append_51 = plugins/ldap +@MONOLITHIC_TRUE@@USE_LDAP_TRUE@am__append_52 = plugins/ldap/libstrongswan-ldap.la +@USE_MYSQL_TRUE@am__append_53 = plugins/mysql +@MONOLITHIC_TRUE@@USE_MYSQL_TRUE@am__append_54 = plugins/mysql/libstrongswan-mysql.la +@USE_SQLITE_TRUE@am__append_55 = plugins/sqlite +@MONOLITHIC_TRUE@@USE_SQLITE_TRUE@am__append_56 = plugins/sqlite/libstrongswan-sqlite.la +@USE_PADLOCK_TRUE@am__append_57 = plugins/padlock +@MONOLITHIC_TRUE@@USE_PADLOCK_TRUE@am__append_58 = plugins/padlock/libstrongswan-padlock.la +@USE_OPENSSL_TRUE@am__append_59 = 
plugins/openssl +@MONOLITHIC_TRUE@@USE_OPENSSL_TRUE@am__append_60 = plugins/openssl/libstrongswan-openssl.la +@USE_GCRYPT_TRUE@am__append_61 = plugins/gcrypt +@MONOLITHIC_TRUE@@USE_GCRYPT_TRUE@am__append_62 = plugins/gcrypt/libstrongswan-gcrypt.la +@USE_FIPS_PRF_TRUE@am__append_63 = plugins/fips_prf +@MONOLITHIC_TRUE@@USE_FIPS_PRF_TRUE@am__append_64 = plugins/fips_prf/libstrongswan-fips-prf.la +@USE_AGENT_TRUE@am__append_65 = plugins/agent +@MONOLITHIC_TRUE@@USE_AGENT_TRUE@am__append_66 = plugins/agent/libstrongswan-agent.la +@USE_PKCS11_TRUE@am__append_67 = plugins/pkcs11 +@MONOLITHIC_TRUE@@USE_PKCS11_TRUE@am__append_68 = plugins/pkcs11/libstrongswan-pkcs11.la +@USE_CTR_TRUE@am__append_69 = plugins/ctr +@MONOLITHIC_TRUE@@USE_CTR_TRUE@am__append_70 = plugins/ctr/libstrongswan-ctr.la +@USE_CCM_TRUE@am__append_71 = plugins/ccm +@MONOLITHIC_TRUE@@USE_CCM_TRUE@am__append_72 = plugins/ccm/libstrongswan-ccm.la +@USE_GCM_TRUE@am__append_73 = plugins/gcm +@MONOLITHIC_TRUE@@USE_GCM_TRUE@am__append_74 = plugins/gcm/libstrongswan-gcm.la +@USE_TEST_VECTORS_TRUE@am__append_75 = plugins/test_vectors +@MONOLITHIC_TRUE@@USE_TEST_VECTORS_TRUE@am__append_76 = plugins/test_vectors/libstrongswan-test-vectors.la subdir = src/libstrongswan DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 @@ -162,7 +168,8 @@ libstrongswan_la_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ $(am__append_60) $(am__append_62) $(am__append_64) \ - $(am__append_66) $(am__append_68) $(am__append_70) + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ chunk.h debug.c debug.h enum.c enum.h settings.h settings.c \ printf_hook.c printf_hook.h asn1/asn1.c asn1/asn1.h \ 
@@ -187,8 +194,7 @@ am__libstrongswan_la_SOURCES_DIST = library.c library.h chunk.c \ credentials/keys/shared_key.h \ credentials/certificates/certificate.c \ credentials/certificates/certificate.h \ - credentials/certificates/x509.h \ - credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -238,7 +244,7 @@ am_libstrongswan_la_OBJECTS = library.lo chunk.lo debug.lo enum.lo \ crypto_tester.lo diffie_hellman.lo aead.lo transform.lo \ credential_factory.lo builder.lo cred_encoding.lo \ private_key.lo public_key.lo shared_key.lo certificate.lo \ - x509.lo crl.lo ocsp_response.lo ietf_attributes.lo \ + crl.lo ocsp_response.lo ietf_attributes.lo \ credential_manager.lo auth_cfg_wrapper.lo \ ocsp_response_wrapper.lo cert_cache.lo mem_cred.lo \ callback_cred.lo auth_cfg.lo database_factory.lo \ 
@@ -278,14 +284,16 @@ AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ distdir ETAGS = etags CTAGS = ctags -DIST_SUBDIRS = . plugins/aes plugins/des plugins/blowfish plugins/md4 \ - plugins/md5 plugins/sha1 plugins/sha2 plugins/gmp \ - plugins/random plugins/hmac plugins/xcbc plugins/x509 \ - plugins/revocation plugins/pubkey plugins/pkcs1 plugins/pgp \ - plugins/dnskey plugins/pem plugins/curl plugins/ldap \ - plugins/mysql plugins/sqlite plugins/padlock plugins/openssl \ - plugins/gcrypt plugins/fips_prf plugins/agent plugins/pkcs11 \ - plugins/ctr plugins/ccm plugins/gcm plugins/test_vectors +DIST_SUBDIRS = . plugins/af_alg plugins/aes plugins/des \ + plugins/blowfish plugins/md4 plugins/md5 plugins/sha1 \ + plugins/sha2 plugins/gmp plugins/random plugins/hmac \ + plugins/xcbc plugins/x509 plugins/revocation \ + plugins/constraints plugins/pubkey plugins/pkcs1 plugins/pgp \ + plugins/dnskey plugins/pem plugins/curl plugins/soup \ + plugins/ldap plugins/mysql plugins/sqlite plugins/padlock \ + plugins/openssl plugins/gcrypt plugins/fips_prf plugins/agent \ + plugins/pkcs11 plugins/ctr plugins/ccm plugins/gcm \ + plugins/test_vectors DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) am__relativize = \ dir0=`pwd`; \ @@ -431,9 +439,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -472,6 +478,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -507,8 +515,7 @@ libstrongswan_la_SOURCES = library.c library.h chunk.c chunk.h debug.c \ credentials/keys/shared_key.h \ credentials/certificates/certificate.c \ credentials/certificates/certificate.h \ - credentials/certificates/x509.h \ - credentials/certificates/x509.c credentials/certificates/ac.h \ + credentials/certificates/x509.h credentials/certificates/ac.h \ credentials/certificates/crl.h credentials/certificates/crl.c \ credentials/certificates/pkcs10.h \ credentials/certificates/ocsp_request.h \ @@ -559,7 +566,8 @@ libstrongswan_la_LIBADD = $(PTHREADLIB) $(DLLIB) $(BTLIB) $(SOCKLIB) \ $(am__append_48) $(am__append_50) $(am__append_52) \ $(am__append_54) $(am__append_56) $(am__append_58) \ $(am__append_60) $(am__append_62) $(am__append_64) \ - $(am__append_66) $(am__append_68) $(am__append_70) + $(am__append_66) $(am__append_68) $(am__append_70) \ + $(am__append_72) $(am__append_74) $(am__append_76) INCLUDES = -I$(top_srcdir)/src/libstrongswan AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DPLUGINDIR=\"${plugindir}\" \ -DSTRONGSWAN_CONF=\"${strongswan_conf}\" $(am__append_1) \ @@ -592,7 +600,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_FALSE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_FALSE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_FALSE@ $(am__append_63) $(am__append_65) \ -@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) +@MONOLITHIC_FALSE@ $(am__append_67) $(am__append_69) \ +@MONOLITHIC_FALSE@ $(am__append_71) $(am__append_73) \ +@MONOLITHIC_FALSE@ $(am__append_75) # build plugins with their own Makefile ####################################### 
@@ -611,7 +621,9 @@ $(srcdir)/crypto/proposal/proposal_keywords.c @MONOLITHIC_TRUE@ $(am__append_55) $(am__append_57) \ @MONOLITHIC_TRUE@ $(am__append_59) $(am__append_61) \ @MONOLITHIC_TRUE@ $(am__append_63) $(am__append_65) \ -@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) +@MONOLITHIC_TRUE@ $(am__append_67) $(am__append_69) \ +@MONOLITHIC_TRUE@ $(am__append_71) $(am__append_73) \ +@MONOLITHIC_TRUE@ $(am__append_75) all: $(BUILT_SOURCES) $(MAKE) $(AM_MAKEFLAGS) all-recursive @@ -749,7 +761,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/traffic_selector.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/transform.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utils.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/x509.Plo@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
@@ -933,13 +944,6 @@ certificate.lo: credentials/certificates/certificate.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o certificate.lo `test -f 'credentials/certificates/certificate.c' || echo '$(srcdir)/'`credentials/certificates/certificate.c -x509.lo: credentials/certificates/x509.c -@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT x509.lo -MD -MP -MF $(DEPDIR)/x509.Tpo -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c -@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/x509.Tpo $(DEPDIR)/x509.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='credentials/certificates/x509.c' object='x509.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o x509.lo `test -f 'credentials/certificates/x509.c' || echo '$(srcdir)/'`credentials/certificates/x509.c - crl.lo: credentials/certificates/crl.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crl.lo -MD -MP -MF $(DEPDIR)/crl.Tpo -c -o crl.lo `test -f 'credentials/certificates/crl.c' || echo '$(srcdir)/'`credentials/certificates/crl.c @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/crl.Tpo $(DEPDIR)/crl.Plo 
diff --git a/src/libstrongswan/asn1/asn1.c b/src/libstrongswan/asn1/asn1.c
index 6f549d42d..f80c2b93b 100644
--- a/src/libstrongswan/asn1/asn1.c
+++ b/src/libstrongswan/asn1/asn1.c
@@ -123,6 +123,100 @@ chunk_t asn1_build_known_oid(int n)
 return oid;
 }
 
+/*
+ * Defined in header.
+ */
+chunk_t asn1_oid_from_string(char *str)
+{
+ enumerator_t *enumerator;
+ u_char buf[32];
+ char *end;
+ int i = 0, pos = 0;
+ u_int val, first = 0;
+
+ enumerator = enumerator_create_token(str, ".", "");
+ while (enumerator->enumerate(enumerator, &str))
+ {
+ val = strtoul(str, &end, 10);
+ if (end == str || pos > countof(buf))
+ {
+ pos = 0;
+ break;
+ }
+ switch (i++)
+ {
+ case 0:
+ first = val;
+ break;
+ case 1:
+ buf[pos++] = first * 40 + val;
+ break;
+ default:
+ if (val < 128)
+ {
+ buf[pos++] = val;
+ }
+ else
+ {
+ buf[pos++] = 128 | (val >> 7);
+ buf[pos++] = (val % 256) & 0x7F;
+ }
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return chunk_clone(chunk_create(buf, pos));
+}
+
+/*
+ * Defined in header.
+ */
+char *asn1_oid_to_string(chunk_t oid)
+{
+ char buf[64], *pos = buf;
+ int len;
+ u_int val;
+
+ if (!oid.len)
+ {
+ return NULL;
+ }
+ val = oid.ptr[0] / 40;
+ len = snprintf(buf, sizeof(buf), "%d.%d", val, oid.ptr[0] - val * 40);
+ oid = chunk_skip(oid, 1);
+ if (len < 0 || len >= sizeof(buf))
+ {
+ return NULL;
+ }
+ pos += len;
+
+ while (oid.len)
+ {
+ if (oid.ptr[0] < 128)
+ {
+ len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", oid.ptr[0]);
+ oid = chunk_skip(oid, 1);
+ }
+ else
+ {
+ if (oid.len == 1)
+ {
+ return NULL;
+ }
+ val = ((u_int)(oid.ptr[0] & 0x7F) << 7) + oid.ptr[1];
+ len = snprintf(pos, sizeof(buf) + buf - pos, ".%d", val);
+ oid = chunk_skip(oid, 2);
+ }
+ if (len < 0 || len >= sizeof(buf) + buf - pos)
+ {
+ return NULL;
+ }
+ pos += len;
+ }
+ return strdup(buf);
+}
+
 /*
 * Defined in header.
 */
diff --git a/src/libstrongswan/asn1/asn1.h b/src/libstrongswan/asn1/asn1.h
index 866c28095..05a060827 100644
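Review bot: The bound check in asn1_oid_from_string is off by one against the two-byte branch: `pos > countof(buf)` still admits pos == 32, and pos == 31 followed by a val >= 128 arc writes two bytes, so a dotted string with enough arcs writes buf[32]/buf[33] past the 32-byte stack array; `if (end == str || pos + 2 > countof(buf))` bounds every path through the switch. Sub-identifiers of 16384 and above need more than two base-128 bytes, but the encoder stores `128 | (val >> 7)` truncated to u_char and the decoder treats the byte after any high-bit byte as final, so both silently produce a wrong OID instead of failing — either reject `val >= 16384` in the encoder and a second high-bit byte in the decoder, or state the two-byte limit in a comment on each function. In asn1_oid_to_string, `oid.ptr[0] / 40` yields a first arc of 3 for first bytes >= 120, whereas DER encodes arc 2 with a second arc of ptr[0] - 80 there. Whether the strings reach this code from an untrusted source is not visible in this hunk; if they can, the stack overflow is the item to fix first.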
--- a/src/libstrongswan/asn1/asn1.h
+++ b/src/libstrongswan/asn1/asn1.h
@@ -114,6 +114,22 @@ int asn1_known_oid(chunk_t object);
 */
 chunk_t asn1_build_known_oid(int n);
 
+/**
+ * Convert human readable OID to ASN.1 DER encoding, without OID header.
+ *
+ * @param str OID string (e.g. 1.2.345.67.8)
+ * @return allocated ASN.1 encoded OID, chunk_empty on error
+ */
+chunk_t asn1_oid_from_string(char *str);
+
+/**
+ * Convert a DER encoded ASN.1 OID to a human readable string.
+ *
+ * @param oid DER encoded OID, without header
+ * @return human readable OID string, allocated, NULL on error
+ */
+char* asn1_oid_to_string(chunk_t oid);
+
 /**
 * Returns the length of an ASN.1 object
 * The blob pointer is advanced past the tag length fields
diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
index 3e5bbbabd..2a7a38a52 100644
--- a/src/libstrongswan/asn1/asn1_parser.c
+++ b/src/libstrongswan/asn1/asn1_parser.c
@@ -78,10 +78,8 @@ struct private_asn1_parser_t {
 chunk_t blobs[ASN1_MAX_LEVEL + 2];
 };
 
-/**
- * Implementation of asn1_parser_t.iterate
- */
-static bool iterate(private_asn1_parser_t *this, int *objectID, chunk_t *object)
+METHOD(asn1_parser_t, iterate, bool,
+ private_asn1_parser_t *this, int *objectID, chunk_t *object)
 {
 chunk_t *blob, *blob1;
 u_char *start_ptr;
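Review bot: The declaration `chunk_t asn1_oid_from_string(char *str);` takes a read-only input as non-const; unless the tokenizer it is built on requires a writable buffer, `const char *str` documents that contract and lets callers pass literals. The doc comment is also the only place callers will look, so it should state the value range of arcs the encoding accepts and that the returned chunk is owned by the caller; the matching `@return` on asn1_oid_to_string already says "allocated" and the two comments should use the same wording.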
@@ -234,43 +232,33 @@ end:
 return this->success;
 }
 
-/**
- * Implementation of asn1_parser_t.get_level
- */
-static u_int get_level(private_asn1_parser_t *this)
+METHOD(asn1_parser_t, get_level, u_int,
+private_asn1_parser_t *this)
 {
 return this->level0 + this->objects[this->line].level;
 }
 
-/**
- * Implementation of asn1_parser_t.set_top_level
- */
-static void set_top_level(private_asn1_parser_t *this, u_int level0)
+METHOD(asn1_parser_t, set_top_level, void,
+ private_asn1_parser_t *this, u_int level0)
 {
 this->level0 = level0;
 }
 
-/**
- * Implementation of asn1_parser_t.set_flags
- */
-static void set_flags(private_asn1_parser_t *this, bool implicit, bool private)
+METHOD(asn1_parser_t, set_flags, void,
+ private_asn1_parser_t *this, bool implicit, bool private)
 {
 this->implicit = implicit;
 this->private = private;
 }
 
-/**
- * Implementation of asn1_parser_t.success
- */
-static bool success(private_asn1_parser_t *this)
+METHOD(asn1_parser_t, success, bool,
+ private_asn1_parser_t *this)
 {
 return this->success;
 }
 
-/**
- * Implementation of asn1_parser_t.destroy
- */
-static void destroy(private_asn1_parser_t *this)
+METHOD(asn1_parser_t, destroy, void,
+ private_asn1_parser_t *this)
 {
 free(this);
 }
@@ -280,20 +268,22 @@ static void destroy(private_asn1_parser_t *this)
 */
 asn1_parser_t* asn1_parser_create(asn1Object_t const *objects, chunk_t blob)
 {
- private_asn1_parser_t *this = malloc_thing(private_asn1_parser_t);
-
- memset(this, '\0', sizeof(private_asn1_parser_t));
- this->objects = objects;
- this->blobs[0] = blob;
- this->line = -1;
- this->success = TRUE;
-
- this->public.iterate = (bool (*)(asn1_parser_t*, int*, chunk_t*))iterate;
- this->public.get_level = (u_int (*)(asn1_parser_t*))get_level;
- this->public.set_top_level = (void (*)(asn1_parser_t*, u_int))set_top_level;
- this->public.set_flags = (void (*)(asn1_parser_t*, bool, bool))set_flags;
- this->public.success = (bool (*)(asn1_parser_t*))success;
- this->public.destroy = (void (*)(asn1_parser_t*))destroy;
+ private_asn1_parser_t *this;
+
+ INIT(this,
+ .public = {
+ .iterate = _iterate,
+ .get_level = _get_level,
+ .set_top_level = _set_top_level,
+ .set_flags = _set_flags,
+ .success = _success,
+ .destroy = _destroy,
+ },
+ .objects = objects,
+ .blobs[0] = blob,
+ .line = -1,
+ .success = TRUE,
+ );
 
 return &this->public;
 }
diff --git a/src/libstrongswan/asn1/oid.c b/src/libstrongswan/asn1/oid.c
index 1e5dec8a5..57a00a39e 100644
--- a/src/libstrongswan/asn1/oid.c
+++ b/src/libstrongswan/asn1/oid.c
@@ -10,360 +10,363 @@ #include "oid.h" const oid_t oid_names[] = { - {0x02, 7, 1, 0, "ITU-T Administration" }, /* 0 */ - { 0x82, 0, 1, 1, "" }, /* 1 */ - { 0x06, 0, 1, 2, "Germany ITU-T member" }, /* 2 */ - { 0x01, 0, 1, 3, "Deutsche Telekom AG" }, /* 3 */ - { 0x0A, 0, 1, 4, "" }, /* 4 */ - { 0x07, 0, 1, 5, "" }, /* 5 */ - { 0x14, 0, 0, 6, "ND" }, /* 6 */ - {0x09, 18, 1, 0, "data" }, /* 7 */ - { 0x92, 0, 1, 1, "" }, /* 8 */ - { 0x26, 0, 1, 2, "" }, /* 9 */ - { 0x89, 0, 1, 3, "" }, /* 10 */ - { 0x93, 0, 1, 4, "" }, /* 11 */ - { 0xF2, 0, 1, 5, "" }, /* 12 */ - { 0x2C, 0, 1, 6, "" }, /* 13 */ - { 0x64, 0, 1, 7, "pilot" }, /* 14 */ - { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ - { 0x01, 17, 0, 9, "UID" }, /* 16 */ - { 0x19, 0, 0, 9, "DC" }, /* 17 */ - {0x55, 64, 1, 0, "X.500" }, /* 18 */ - { 0x04, 36, 1, 1, "X.509" }, /* 19 */ - { 0x03, 21, 0, 2, "CN" }, /* 20 */ - { 0x04, 22, 0, 2, "S" }, /* 21 */ - { 0x05, 23, 0, 2, "SN" }, /* 22 */ - { 0x06, 24, 0, 2, "C" }, /* 23 */ - { 0x07, 25, 0, 2, "L" }, /* 24 */ - { 0x08, 26, 0, 2, "ST" }, /* 25 */ - { 0x0A, 27, 0, 2, "O" }, /* 26 */ - { 0x0B, 28, 0, 2, "OU" }, /* 27 */ - { 0x0C, 29, 0, 2, "T" }, /* 28 */ - { 0x0D, 30, 0, 2, "D" }, /* 29 */ - { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ - { 0x29, 32, 0, 2, "N" }, /* 31 */ - { 0x2A, 33, 0, 2, "G" }, /* 32 */ - { 0x2B, 34, 0, 2, "I" }, /* 33 */ - { 0x2D, 35, 0, 2, "ID" }, /* 34 */ - { 0x48, 0, 0, 2, "role" }, /* 35 */ - { 0x1D, 0, 1, 1, "id-ce" }, /* 36 */ - { 0x09, 38, 0, 2, "subjectDirectoryAttrs" }, /* 37 */ - { 0x0E, 39, 0, 2, "subjectKeyIdentifier" }, /* 38 */ - { 0x0F, 40, 0, 2, "keyUsage" }, /* 39 */ - { 0x10, 41, 0, 2, "privateKeyUsagePeriod" }, /* 40 */ - { 0x11, 42, 0, 2, "subjectAltName" }, /* 41 */ - { 0x12, 43, 0, 2, "issuerAltName" }, /* 42 */ - { 0x13, 44, 0, 2, "basicConstraints" }, /* 43 */ - { 0x14, 45, 0, 2, "crlNumber" }, /* 44 */ - { 0x15, 46, 0, 2, "reasonCode" }, /* 45 */ - { 0x17, 47, 0, 2, "holdInstructionCode" }, /* 46 */ - { 0x18, 48, 0, 2, 
"invalidityDate" }, /* 47 */ - { 0x1B, 49, 0, 2, "deltaCrlIndicator" }, /* 48 */ - { 0x1C, 50, 0, 2, "issuingDistributionPoint" }, /* 49 */ - { 0x1D, 51, 0, 2, "certificateIssuer" }, /* 50 */ - { 0x1E, 52, 0, 2, "nameConstraints" }, /* 51 */ - { 0x1F, 53, 0, 2, "crlDistributionPoints" }, /* 52 */ - { 0x20, 55, 1, 2, "certificatePolicies" }, /* 53 */ - { 0x00, 0, 0, 3, "anyPolicy" }, /* 54 */ - { 0x21, 56, 0, 2, "policyMappings" }, /* 55 */ - { 0x23, 57, 0, 2, "authorityKeyIdentifier" }, /* 56 */ - { 0x24, 58, 0, 2, "policyConstraints" }, /* 57 */ - { 0x25, 60, 1, 2, "extendedKeyUsage" }, /* 58 */ - { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 59 */ - { 0x2E, 61, 0, 2, "freshestCRL" }, /* 60 */ - { 0x36, 62, 0, 2, "inhibitAnyPolicy" }, /* 61 */ - { 0x37, 63, 0, 2, "targetInformation" }, /* 62 */ - { 0x38, 0, 0, 2, "noRevAvail" }, /* 63 */ - {0x2A, 161, 1, 0, "" }, /* 64 */ - { 0x83, 77, 1, 1, "" }, /* 65 */ - { 0x08, 0, 1, 2, "jp" }, /* 66 */ - { 0x8C, 0, 1, 3, "" }, /* 67 */ - { 0x9A, 0, 1, 4, "" }, /* 68 */ - { 0x4B, 0, 1, 5, "" }, /* 69 */ - { 0x3D, 0, 1, 6, "" }, /* 70 */ - { 0x01, 0, 1, 7, "security" }, /* 71 */ - { 0x01, 0, 1, 8, "algorithm" }, /* 72 */ - { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 73 */ - { 0x02, 75, 0, 10, "camellia128-cbc" }, /* 74 */ - { 0x03, 76, 0, 10, "camellia192-cbc" }, /* 75 */ - { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 76 */ - { 0x86, 0, 1, 1, "" }, /* 77 */ - { 0x48, 0, 1, 2, "us" }, /* 78 */ - { 0x86, 120, 1, 3, "" }, /* 79 */ - { 0xF6, 85, 1, 4, "" }, /* 80 */ - { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 81 */ - { 0x07, 0, 1, 6, "Entrust" }, /* 82 */ - { 0x41, 0, 1, 7, "nsn-ce" }, /* 83 */ - { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 84 */ - { 0xF7, 0, 1, 4, "" }, /* 85 */ - { 0x0D, 0, 1, 5, "RSADSI" }, /* 86 */ - { 0x01, 115, 1, 6, "PKCS" }, /* 87 */ - { 0x01, 97, 1, 7, "PKCS-1" }, /* 88 */ - { 0x01, 90, 0, 8, "rsaEncryption" }, /* 89 */ - { 0x02, 91, 0, 8, "md2WithRSAEncryption" }, /* 90 */ - { 0x04, 92, 0, 8, 
"md5WithRSAEncryption" }, /* 91 */ - { 0x05, 93, 0, 8, "sha-1WithRSAEncryption" }, /* 92 */ - { 0x0B, 94, 0, 8, "sha256WithRSAEncryption" }, /* 93 */ - { 0x0C, 95, 0, 8, "sha384WithRSAEncryption" }, /* 94 */ - { 0x0D, 96, 0, 8, "sha512WithRSAEncryption" }, /* 95 */ - { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 96 */ - { 0x07, 104, 1, 7, "PKCS-7" }, /* 97 */ - { 0x01, 99, 0, 8, "data" }, /* 98 */ - { 0x02, 100, 0, 8, "signedData" }, /* 99 */ - { 0x03, 101, 0, 8, "envelopedData" }, /* 100 */ - { 0x04, 102, 0, 8, "signedAndEnvelopedData" }, /* 101 */ - { 0x05, 103, 0, 8, "digestedData" }, /* 102 */ - { 0x06, 0, 0, 8, "encryptedData" }, /* 103 */ - { 0x09, 0, 1, 7, "PKCS-9" }, /* 104 */ - { 0x01, 106, 0, 8, "E" }, /* 105 */ - { 0x02, 107, 0, 8, "unstructuredName" }, /* 106 */ - { 0x03, 108, 0, 8, "contentType" }, /* 107 */ - { 0x04, 109, 0, 8, "messageDigest" }, /* 108 */ - { 0x05, 110, 0, 8, "signingTime" }, /* 109 */ - { 0x06, 111, 0, 8, "counterSignature" }, /* 110 */ - { 0x07, 112, 0, 8, "challengePassword" }, /* 111 */ - { 0x08, 113, 0, 8, "unstructuredAddress" }, /* 112 */ - { 0x0E, 114, 0, 8, "extensionRequest" }, /* 113 */ - { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 114 */ - { 0x02, 118, 1, 6, "digestAlgorithm" }, /* 115 */ - { 0x02, 117, 0, 7, "md2" }, /* 116 */ - { 0x05, 0, 0, 7, "md5" }, /* 117 */ - { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 118 */ - { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 119 */ - { 0xCE, 0, 1, 3, "" }, /* 120 */ - { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 121 */ - { 0x02, 124, 1, 5, "id-publicKeyType" }, /* 122 */ - { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 123 */ - { 0x03, 154, 1, 5, "ellipticCurve" }, /* 124 */ - { 0x00, 146, 1, 6, "c-TwoCurve" }, /* 125 */ - { 0x01, 127, 0, 7, "c2pnb163v1" }, /* 126 */ - { 0x02, 128, 0, 7, "c2pnb163v2" }, /* 127 */ - { 0x03, 129, 0, 7, "c2pnb163v3" }, /* 128 */ - { 0x04, 130, 0, 7, "c2pnb176w1" }, /* 129 */ - { 0x05, 131, 0, 7, "c2tnb191v1" }, /* 130 */ - { 0x06, 132, 0, 7, "c2tnb191v2" }, /* 131 */ - { 
0x07, 133, 0, 7, "c2tnb191v3" }, /* 132 */ - { 0x08, 134, 0, 7, "c2onb191v4" }, /* 133 */ - { 0x09, 135, 0, 7, "c2onb191v5" }, /* 134 */ - { 0x0A, 136, 0, 7, "c2pnb208w1" }, /* 135 */ - { 0x0B, 137, 0, 7, "c2tnb239v1" }, /* 136 */ - { 0x0C, 138, 0, 7, "c2tnb239v2" }, /* 137 */ - { 0x0D, 139, 0, 7, "c2tnb239v3" }, /* 138 */ - { 0x0E, 140, 0, 7, "c2onb239v4" }, /* 139 */ - { 0x0F, 141, 0, 7, "c2onb239v5" }, /* 140 */ - { 0x10, 142, 0, 7, "c2pnb272w1" }, /* 141 */ - { 0x11, 143, 0, 7, "c2pnb304w1" }, /* 142 */ - { 0x12, 144, 0, 7, "c2tnb359v1" }, /* 143 */ - { 0x13, 145, 0, 7, "c2pnb368w1" }, /* 144 */ - { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 145 */ - { 0x01, 0, 1, 6, "primeCurve" }, /* 146 */ - { 0x01, 148, 0, 7, "prime192v1" }, /* 147 */ - { 0x02, 149, 0, 7, "prime192v2" }, /* 148 */ - { 0x03, 150, 0, 7, "prime192v3" }, /* 149 */ - { 0x04, 151, 0, 7, "prime239v1" }, /* 150 */ - { 0x05, 152, 0, 7, "prime239v2" }, /* 151 */ - { 0x06, 153, 0, 7, "prime239v3" }, /* 152 */ - { 0x07, 0, 0, 7, "prime256v1" }, /* 153 */ - { 0x04, 0, 1, 5, "id-ecSigType" }, /* 154 */ - { 0x01, 156, 0, 6, "ecdsa-with-SHA1" }, /* 155 */ - { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 156 */ - { 0x01, 158, 0, 7, "ecdsa-with-SHA224" }, /* 157 */ - { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */ - { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */ - { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */ - {0x2B, 309, 1, 0, "" }, /* 161 */ - { 0x06, 223, 1, 1, "dod" }, /* 162 */ - { 0x01, 0, 1, 2, "internet" }, /* 163 */ - { 0x04, 183, 1, 3, "private" }, /* 164 */ - { 0x01, 0, 1, 4, "enterprise" }, /* 165 */ - { 0x82, 176, 1, 5, "" }, /* 166 */ - { 0x37, 0, 1, 6, "Microsoft" }, /* 167 */ - { 0x0A, 172, 1, 7, "" }, /* 168 */ - { 0x03, 0, 1, 8, "" }, /* 169 */ - { 0x03, 171, 0, 9, "msSGC" }, /* 170 */ - { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */ - { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */ - { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */ - { 0x02, 175, 0, 9, 
"msSmartcardLogon" }, /* 174 */ - { 0x03, 0, 0, 9, "msUPN" }, /* 175 */ - { 0x89, 0, 1, 5, "" }, /* 176 */ - { 0x31, 0, 1, 6, "" }, /* 177 */ - { 0x01, 0, 1, 7, "" }, /* 178 */ - { 0x01, 0, 1, 8, "" }, /* 179 */ - { 0x02, 0, 1, 9, "" }, /* 180 */ - { 0x02, 182, 0, 10, "" }, /* 181 */ - { 0x4B, 0, 0, 10, "TCGID" }, /* 182 */ - { 0x05, 0, 1, 3, "security" }, /* 183 */ - { 0x05, 0, 1, 4, "mechanisms" }, /* 184 */ - { 0x07, 0, 1, 5, "id-pkix" }, /* 185 */ - { 0x01, 190, 1, 6, "id-pe" }, /* 186 */ - { 0x01, 188, 0, 7, "authorityInfoAccess" }, /* 187 */ - { 0x03, 189, 0, 7, "qcStatements" }, /* 188 */ - { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 189 */ - { 0x02, 193, 1, 6, "id-qt" }, /* 190 */ - { 0x01, 192, 0, 7, "cps" }, /* 191 */ - { 0x02, 0, 0, 7, "unotice" }, /* 192 */ - { 0x03, 203, 1, 6, "id-kp" }, /* 193 */ - { 0x01, 195, 0, 7, "serverAuth" }, /* 194 */ - { 0x02, 196, 0, 7, "clientAuth" }, /* 195 */ - { 0x03, 197, 0, 7, "codeSigning" }, /* 196 */ - { 0x04, 198, 0, 7, "emailProtection" }, /* 197 */ - { 0x05, 199, 0, 7, "ipsecEndSystem" }, /* 198 */ - { 0x06, 200, 0, 7, "ipsecTunnel" }, /* 199 */ - { 0x07, 201, 0, 7, "ipsecUser" }, /* 200 */ - { 0x08, 202, 0, 7, "timeStamping" }, /* 201 */ - { 0x09, 0, 0, 7, "ocspSigning" }, /* 202 */ - { 0x08, 205, 1, 6, "id-otherNames" }, /* 203 */ - { 0x05, 0, 0, 7, "xmppAddr" }, /* 204 */ - { 0x0A, 210, 1, 6, "id-aca" }, /* 205 */ - { 0x01, 207, 0, 7, "authenticationInfo" }, /* 206 */ - { 0x02, 208, 0, 7, "accessIdentity" }, /* 207 */ - { 0x03, 209, 0, 7, "chargingIdentity" }, /* 208 */ - { 0x04, 0, 0, 7, "group" }, /* 209 */ - { 0x0B, 211, 0, 6, "subjectInfoAccess" }, /* 210 */ - { 0x30, 0, 1, 6, "id-ad" }, /* 211 */ - { 0x01, 220, 1, 7, "ocsp" }, /* 212 */ - { 0x01, 214, 0, 8, "basic" }, /* 213 */ - { 0x02, 215, 0, 8, "nonce" }, /* 214 */ - { 0x03, 216, 0, 8, "crl" }, /* 215 */ - { 0x04, 217, 0, 8, "response" }, /* 216 */ - { 0x05, 218, 0, 8, "noCheck" }, /* 217 */ - { 0x06, 219, 0, 8, "archiveCutoff" }, /* 218 */ - { 0x07, 0, 0, 
8, "serviceLocator" }, /* 219 */ - { 0x02, 221, 0, 7, "caIssuers" }, /* 220 */ - { 0x03, 222, 0, 7, "timeStamping" }, /* 221 */ - { 0x05, 0, 0, 7, "caRepository" }, /* 222 */ - { 0x0E, 229, 1, 1, "oiw" }, /* 223 */ - { 0x03, 0, 1, 2, "secsig" }, /* 224 */ - { 0x02, 0, 1, 3, "algorithms" }, /* 225 */ - { 0x07, 227, 0, 4, "des-cbc" }, /* 226 */ - { 0x1A, 228, 0, 4, "sha-1" }, /* 227 */ - { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 228 */ - { 0x24, 275, 1, 1, "TeleTrusT" }, /* 229 */ - { 0x03, 0, 1, 2, "algorithm" }, /* 230 */ - { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 231 */ - { 0x01, 236, 1, 4, "rsaSignature" }, /* 232 */ - { 0x02, 234, 0, 5, "rsaSigWithripemd160" }, /* 233 */ - { 0x03, 235, 0, 5, "rsaSigWithripemd128" }, /* 234 */ - { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 235 */ - { 0x02, 0, 1, 4, "ecSign" }, /* 236 */ - { 0x01, 238, 0, 5, "ecSignWithsha1" }, /* 237 */ - { 0x02, 239, 0, 5, "ecSignWithripemd160" }, /* 238 */ - { 0x03, 240, 0, 5, "ecSignWithmd2" }, /* 239 */ - { 0x04, 241, 0, 5, "ecSignWithmd5" }, /* 240 */ - { 0x05, 258, 1, 5, "ttt-ecg" }, /* 241 */ - { 0x01, 246, 1, 6, "fieldType" }, /* 242 */ - { 0x01, 0, 1, 7, "characteristictwoField" }, /* 243 */ - { 0x01, 0, 1, 8, "basisType" }, /* 244 */ - { 0x01, 0, 0, 9, "ipBasis" }, /* 245 */ - { 0x02, 248, 1, 6, "keyType" }, /* 246 */ - { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 247 */ - { 0x03, 249, 0, 6, "curve" }, /* 248 */ - { 0x04, 256, 1, 6, "signatures" }, /* 249 */ - { 0x01, 251, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 250 */ - { 0x02, 252, 0, 7, "ecgdsa-with-SHA1" }, /* 251 */ - { 0x03, 253, 0, 7, "ecgdsa-with-SHA224" }, /* 252 */ - { 0x04, 254, 0, 7, "ecgdsa-with-SHA256" }, /* 253 */ - { 0x05, 255, 0, 7, "ecgdsa-with-SHA384" }, /* 254 */ - { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 255 */ - { 0x05, 0, 1, 6, "module" }, /* 256 */ - { 0x01, 0, 0, 7, "1" }, /* 257 */ - { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 258 */ - { 0x01, 0, 1, 6, "ellipticCurve" }, /* 259 */ - { 0x01, 0, 1, 7, 
"versionOne" }, /* 260 */ - { 0x01, 262, 0, 8, "brainpoolP160r1" }, /* 261 */ - { 0x02, 263, 0, 8, "brainpoolP160t1" }, /* 262 */ - { 0x03, 264, 0, 8, "brainpoolP192r1" }, /* 263 */ - { 0x04, 265, 0, 8, "brainpoolP192t1" }, /* 264 */ - { 0x05, 266, 0, 8, "brainpoolP224r1" }, /* 265 */ - { 0x06, 267, 0, 8, "brainpoolP224t1" }, /* 266 */ - { 0x07, 268, 0, 8, "brainpoolP256r1" }, /* 267 */ - { 0x08, 269, 0, 8, "brainpoolP256t1" }, /* 268 */ - { 0x09, 270, 0, 8, "brainpoolP320r1" }, /* 269 */ - { 0x0A, 271, 0, 8, "brainpoolP320t1" }, /* 270 */ - { 0x0B, 272, 0, 8, "brainpoolP384r1" }, /* 271 */ - { 0x0C, 273, 0, 8, "brainpoolP384t1" }, /* 272 */ - { 0x0D, 274, 0, 8, "brainpoolP512r1" }, /* 273 */ - { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 274 */ - { 0x81, 0, 1, 1, "" }, /* 275 */ - { 0x04, 0, 1, 2, "Certicom" }, /* 276 */ - { 0x00, 0, 1, 3, "curve" }, /* 277 */ - { 0x01, 279, 0, 4, "sect163k1" }, /* 278 */ - { 0x02, 280, 0, 4, "sect163r1" }, /* 279 */ - { 0x03, 281, 0, 4, "sect239k1" }, /* 280 */ - { 0x04, 282, 0, 4, "sect113r1" }, /* 281 */ - { 0x05, 283, 0, 4, "sect113r2" }, /* 282 */ - { 0x06, 284, 0, 4, "secp112r1" }, /* 283 */ - { 0x07, 285, 0, 4, "secp112r2" }, /* 284 */ - { 0x08, 286, 0, 4, "secp160r1" }, /* 285 */ - { 0x09, 287, 0, 4, "secp160k1" }, /* 286 */ - { 0x0A, 288, 0, 4, "secp256k1" }, /* 287 */ - { 0x0F, 289, 0, 4, "sect163r2" }, /* 288 */ - { 0x10, 290, 0, 4, "sect283k1" }, /* 289 */ - { 0x11, 291, 0, 4, "sect283r1" }, /* 290 */ - { 0x16, 292, 0, 4, "sect131r1" }, /* 291 */ - { 0x17, 293, 0, 4, "sect131r2" }, /* 292 */ - { 0x18, 294, 0, 4, "sect193r1" }, /* 293 */ - { 0x19, 295, 0, 4, "sect193r2" }, /* 294 */ - { 0x1A, 296, 0, 4, "sect233k1" }, /* 295 */ - { 0x1B, 297, 0, 4, "sect233r1" }, /* 296 */ - { 0x1C, 298, 0, 4, "secp128r1" }, /* 297 */ - { 0x1D, 299, 0, 4, "secp128r2" }, /* 298 */ - { 0x1E, 300, 0, 4, "secp160r2" }, /* 299 */ - { 0x1F, 301, 0, 4, "secp192k1" }, /* 300 */ - { 0x20, 302, 0, 4, "secp224k1" }, /* 301 */ - { 0x21, 303, 0, 4, 
"secp224r1" }, /* 302 */ - { 0x22, 304, 0, 4, "secp384r1" }, /* 303 */ - { 0x23, 305, 0, 4, "secp521r1" }, /* 304 */ - { 0x24, 306, 0, 4, "sect409k1" }, /* 305 */ - { 0x25, 307, 0, 4, "sect409r1" }, /* 306 */ - { 0x26, 308, 0, 4, "sect571k1" }, /* 307 */ - { 0x27, 0, 0, 4, "sect571r1" }, /* 308 */ - {0x60, 0, 1, 0, "" }, /* 309 */ - { 0x86, 0, 1, 1, "" }, /* 310 */ - { 0x48, 0, 1, 2, "" }, /* 311 */ - { 0x01, 0, 1, 3, "organization" }, /* 312 */ - { 0x65, 331, 1, 4, "gov" }, /* 313 */ - { 0x03, 0, 1, 5, "csor" }, /* 314 */ - { 0x04, 0, 1, 6, "nistalgorithm" }, /* 315 */ - { 0x01, 326, 1, 7, "aes" }, /* 316 */ - { 0x02, 318, 0, 8, "id-aes128-CBC" }, /* 317 */ - { 0x06, 319, 0, 8, "id-aes128-GCM" }, /* 318 */ - { 0x07, 320, 0, 8, "id-aes128-CCM" }, /* 319 */ - { 0x16, 321, 0, 8, "id-aes192-CBC" }, /* 320 */ - { 0x1A, 322, 0, 8, "id-aes192-GCM" }, /* 321 */ - { 0x1B, 323, 0, 8, "id-aes192-CCM" }, /* 322 */ - { 0x2A, 324, 0, 8, "id-aes256-CBC" }, /* 323 */ - { 0x2E, 325, 0, 8, "id-aes256-GCM" }, /* 324 */ - { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 325 */ - { 0x02, 0, 1, 7, "hashalgs" }, /* 326 */ - { 0x01, 328, 0, 8, "id-SHA-256" }, /* 327 */ - { 0x02, 329, 0, 8, "id-SHA-384" }, /* 328 */ - { 0x03, 330, 0, 8, "id-SHA-512" }, /* 329 */ - { 0x04, 0, 0, 8, "id-SHA-224" }, /* 330 */ - { 0x86, 0, 1, 4, "" }, /* 331 */ - { 0xf8, 0, 1, 5, "" }, /* 332 */ - { 0x42, 345, 1, 6, "netscape" }, /* 333 */ - { 0x01, 340, 1, 7, "" }, /* 334 */ - { 0x01, 336, 0, 8, "nsCertType" }, /* 335 */ - { 0x03, 337, 0, 8, "nsRevocationUrl" }, /* 336 */ - { 0x04, 338, 0, 8, "nsCaRevocationUrl" }, /* 337 */ - { 0x08, 339, 0, 8, "nsCaPolicyUrl" }, /* 338 */ - { 0x0d, 0, 0, 8, "nsComment" }, /* 339 */ - { 0x03, 343, 1, 7, "directory" }, /* 340 */ - { 0x01, 0, 1, 8, "" }, /* 341 */ - { 0x03, 0, 0, 9, "employeeNumber" }, /* 342 */ - { 0x04, 0, 1, 7, "policy" }, /* 343 */ - { 0x01, 0, 0, 8, "nsSGC" }, /* 344 */ - { 0x45, 0, 1, 6, "verisign" }, /* 345 */ - { 0x01, 0, 1, 7, "pki" }, /* 346 */ - { 0x09, 0, 
1, 8, "attributes" }, /* 347 */ - { 0x02, 349, 0, 9, "messageType" }, /* 348 */ - { 0x03, 350, 0, 9, "pkiStatus" }, /* 349 */ - { 0x04, 351, 0, 9, "failInfo" }, /* 350 */ - { 0x05, 352, 0, 9, "senderNonce" }, /* 351 */ - { 0x06, 353, 0, 9, "recipientNonce" }, /* 352 */ - { 0x07, 354, 0, 9, "transID" }, /* 353 */ - { 0x08, 355, 0, 9, "extensionReq" }, /* 354 */ - { 0x08, 0, 0, 9, "extensionReq" } /* 355 */ + {0x02, 7, 1, 0, "ITU-T Administration" }, /* 0 */ + { 0x82, 0, 1, 1, "" }, /* 1 */ + { 0x06, 0, 1, 2, "Germany ITU-T member" }, /* 2 */ + { 0x01, 0, 1, 3, "Deutsche Telekom AG" }, /* 3 */ + { 0x0A, 0, 1, 4, "" }, /* 4 */ + { 0x07, 0, 1, 5, "" }, /* 5 */ + { 0x14, 0, 0, 6, "ND" }, /* 6 */ + {0x09, 18, 1, 0, "data" }, /* 7 */ + { 0x92, 0, 1, 1, "" }, /* 8 */ + { 0x26, 0, 1, 2, "" }, /* 9 */ + { 0x89, 0, 1, 3, "" }, /* 10 */ + { 0x93, 0, 1, 4, "" }, /* 11 */ + { 0xF2, 0, 1, 5, "" }, /* 12 */ + { 0x2C, 0, 1, 6, "" }, /* 13 */ + { 0x64, 0, 1, 7, "pilot" }, /* 14 */ + { 0x01, 0, 1, 8, "pilotAttributeType" }, /* 15 */ + { 0x01, 17, 0, 9, "UID" }, /* 16 */ + { 0x19, 0, 0, 9, "DC" }, /* 17 */ + {0x55, 64, 1, 0, "X.500" }, /* 18 */ + { 0x04, 36, 1, 1, "X.509" }, /* 19 */ + { 0x03, 21, 0, 2, "CN" }, /* 20 */ + { 0x04, 22, 0, 2, "S" }, /* 21 */ + { 0x05, 23, 0, 2, "SN" }, /* 22 */ + { 0x06, 24, 0, 2, "C" }, /* 23 */ + { 0x07, 25, 0, 2, "L" }, /* 24 */ + { 0x08, 26, 0, 2, "ST" }, /* 25 */ + { 0x0A, 27, 0, 2, "O" }, /* 26 */ + { 0x0B, 28, 0, 2, "OU" }, /* 27 */ + { 0x0C, 29, 0, 2, "T" }, /* 28 */ + { 0x0D, 30, 0, 2, "D" }, /* 29 */ + { 0x24, 31, 0, 2, "userCertificate" }, /* 30 */ + { 0x29, 32, 0, 2, "N" }, /* 31 */ + { 0x2A, 33, 0, 2, "G" }, /* 32 */ + { 0x2B, 34, 0, 2, "I" }, /* 33 */ + { 0x2D, 35, 0, 2, "ID" }, /* 34 */ + { 0x48, 0, 0, 2, "role" }, /* 35 */ + { 0x1D, 0, 1, 1, "id-ce" }, /* 36 */ + { 0x09, 38, 0, 2, "subjectDirectoryAttrs" }, /* 37 */ + { 0x0E, 39, 0, 2, "subjectKeyIdentifier" }, /* 38 */ + { 0x0F, 40, 0, 2, "keyUsage" }, /* 39 */ + { 0x10, 41, 0, 2, 
"privateKeyUsagePeriod" }, /* 40 */ + { 0x11, 42, 0, 2, "subjectAltName" }, /* 41 */ + { 0x12, 43, 0, 2, "issuerAltName" }, /* 42 */ + { 0x13, 44, 0, 2, "basicConstraints" }, /* 43 */ + { 0x14, 45, 0, 2, "crlNumber" }, /* 44 */ + { 0x15, 46, 0, 2, "reasonCode" }, /* 45 */ + { 0x17, 47, 0, 2, "holdInstructionCode" }, /* 46 */ + { 0x18, 48, 0, 2, "invalidityDate" }, /* 47 */ + { 0x1B, 49, 0, 2, "deltaCrlIndicator" }, /* 48 */ + { 0x1C, 50, 0, 2, "issuingDistributionPoint" }, /* 49 */ + { 0x1D, 51, 0, 2, "certificateIssuer" }, /* 50 */ + { 0x1E, 52, 0, 2, "nameConstraints" }, /* 51 */ + { 0x1F, 53, 0, 2, "crlDistributionPoints" }, /* 52 */ + { 0x20, 55, 1, 2, "certificatePolicies" }, /* 53 */ + { 0x00, 0, 0, 3, "anyPolicy" }, /* 54 */ + { 0x21, 56, 0, 2, "policyMappings" }, /* 55 */ + { 0x23, 57, 0, 2, "authorityKeyIdentifier" }, /* 56 */ + { 0x24, 58, 0, 2, "policyConstraints" }, /* 57 */ + { 0x25, 60, 1, 2, "extendedKeyUsage" }, /* 58 */ + { 0x00, 0, 0, 3, "anyExtendedKeyUsage" }, /* 59 */ + { 0x2E, 61, 0, 2, "freshestCRL" }, /* 60 */ + { 0x36, 62, 0, 2, "inhibitAnyPolicy" }, /* 61 */ + { 0x37, 63, 0, 2, "targetInformation" }, /* 62 */ + { 0x38, 0, 0, 2, "noRevAvail" }, /* 63 */ + {0x2A, 161, 1, 0, "" }, /* 64 */ + { 0x83, 77, 1, 1, "" }, /* 65 */ + { 0x08, 0, 1, 2, "jp" }, /* 66 */ + { 0x8C, 0, 1, 3, "" }, /* 67 */ + { 0x9A, 0, 1, 4, "" }, /* 68 */ + { 0x4B, 0, 1, 5, "" }, /* 69 */ + { 0x3D, 0, 1, 6, "" }, /* 70 */ + { 0x01, 0, 1, 7, "security" }, /* 71 */ + { 0x01, 0, 1, 8, "algorithm" }, /* 72 */ + { 0x01, 0, 1, 9, "symm-encryption-alg" }, /* 73 */ + { 0x02, 75, 0, 10, "camellia128-cbc" }, /* 74 */ + { 0x03, 76, 0, 10, "camellia192-cbc" }, /* 75 */ + { 0x04, 0, 0, 10, "camellia256-cbc" }, /* 76 */ + { 0x86, 0, 1, 1, "" }, /* 77 */ + { 0x48, 0, 1, 2, "us" }, /* 78 */ + { 0x86, 120, 1, 3, "" }, /* 79 */ + { 0xF6, 85, 1, 4, "" }, /* 80 */ + { 0x7D, 0, 1, 5, "NortelNetworks" }, /* 81 */ + { 0x07, 0, 1, 6, "Entrust" }, /* 82 */ + { 0x41, 0, 1, 7, "nsn-ce" }, /* 83 */ 
+ { 0x00, 0, 0, 8, "entrustVersInfo" }, /* 84 */ + { 0xF7, 0, 1, 4, "" }, /* 85 */ + { 0x0D, 0, 1, 5, "RSADSI" }, /* 86 */ + { 0x01, 115, 1, 6, "PKCS" }, /* 87 */ + { 0x01, 97, 1, 7, "PKCS-1" }, /* 88 */ + { 0x01, 90, 0, 8, "rsaEncryption" }, /* 89 */ + { 0x02, 91, 0, 8, "md2WithRSAEncryption" }, /* 90 */ + { 0x04, 92, 0, 8, "md5WithRSAEncryption" }, /* 91 */ + { 0x05, 93, 0, 8, "sha-1WithRSAEncryption" }, /* 92 */ + { 0x0B, 94, 0, 8, "sha256WithRSAEncryption" }, /* 93 */ + { 0x0C, 95, 0, 8, "sha384WithRSAEncryption" }, /* 94 */ + { 0x0D, 96, 0, 8, "sha512WithRSAEncryption" }, /* 95 */ + { 0x0E, 0, 0, 8, "sha224WithRSAEncryption" }, /* 96 */ + { 0x07, 104, 1, 7, "PKCS-7" }, /* 97 */ + { 0x01, 99, 0, 8, "data" }, /* 98 */ + { 0x02, 100, 0, 8, "signedData" }, /* 99 */ + { 0x03, 101, 0, 8, "envelopedData" }, /* 100 */ + { 0x04, 102, 0, 8, "signedAndEnvelopedData" }, /* 101 */ + { 0x05, 103, 0, 8, "digestedData" }, /* 102 */ + { 0x06, 0, 0, 8, "encryptedData" }, /* 103 */ + { 0x09, 0, 1, 7, "PKCS-9" }, /* 104 */ + { 0x01, 106, 0, 8, "E" }, /* 105 */ + { 0x02, 107, 0, 8, "unstructuredName" }, /* 106 */ + { 0x03, 108, 0, 8, "contentType" }, /* 107 */ + { 0x04, 109, 0, 8, "messageDigest" }, /* 108 */ + { 0x05, 110, 0, 8, "signingTime" }, /* 109 */ + { 0x06, 111, 0, 8, "counterSignature" }, /* 110 */ + { 0x07, 112, 0, 8, "challengePassword" }, /* 111 */ + { 0x08, 113, 0, 8, "unstructuredAddress" }, /* 112 */ + { 0x0E, 114, 0, 8, "extensionRequest" }, /* 113 */ + { 0x0F, 0, 0, 8, "S/MIME Capabilities" }, /* 114 */ + { 0x02, 118, 1, 6, "digestAlgorithm" }, /* 115 */ + { 0x02, 117, 0, 7, "md2" }, /* 116 */ + { 0x05, 0, 0, 7, "md5" }, /* 117 */ + { 0x03, 0, 1, 6, "encryptionAlgorithm" }, /* 118 */ + { 0x07, 0, 0, 7, "3des-ede-cbc" }, /* 119 */ + { 0xCE, 0, 1, 3, "" }, /* 120 */ + { 0x3D, 0, 1, 4, "ansi-X9-62" }, /* 121 */ + { 0x02, 124, 1, 5, "id-publicKeyType" }, /* 122 */ + { 0x01, 0, 0, 6, "id-ecPublicKey" }, /* 123 */ + { 0x03, 154, 1, 5, "ellipticCurve" }, /* 124 */ + { 
0x00, 146, 1, 6, "c-TwoCurve" }, /* 125 */ + { 0x01, 127, 0, 7, "c2pnb163v1" }, /* 126 */ + { 0x02, 128, 0, 7, "c2pnb163v2" }, /* 127 */ + { 0x03, 129, 0, 7, "c2pnb163v3" }, /* 128 */ + { 0x04, 130, 0, 7, "c2pnb176w1" }, /* 129 */ + { 0x05, 131, 0, 7, "c2tnb191v1" }, /* 130 */ + { 0x06, 132, 0, 7, "c2tnb191v2" }, /* 131 */ + { 0x07, 133, 0, 7, "c2tnb191v3" }, /* 132 */ + { 0x08, 134, 0, 7, "c2onb191v4" }, /* 133 */ + { 0x09, 135, 0, 7, "c2onb191v5" }, /* 134 */ + { 0x0A, 136, 0, 7, "c2pnb208w1" }, /* 135 */ + { 0x0B, 137, 0, 7, "c2tnb239v1" }, /* 136 */ + { 0x0C, 138, 0, 7, "c2tnb239v2" }, /* 137 */ + { 0x0D, 139, 0, 7, "c2tnb239v3" }, /* 138 */ + { 0x0E, 140, 0, 7, "c2onb239v4" }, /* 139 */ + { 0x0F, 141, 0, 7, "c2onb239v5" }, /* 140 */ + { 0x10, 142, 0, 7, "c2pnb272w1" }, /* 141 */ + { 0x11, 143, 0, 7, "c2pnb304w1" }, /* 142 */ + { 0x12, 144, 0, 7, "c2tnb359v1" }, /* 143 */ + { 0x13, 145, 0, 7, "c2pnb368w1" }, /* 144 */ + { 0x14, 0, 0, 7, "c2tnb431r1" }, /* 145 */ + { 0x01, 0, 1, 6, "primeCurve" }, /* 146 */ + { 0x01, 148, 0, 7, "prime192v1" }, /* 147 */ + { 0x02, 149, 0, 7, "prime192v2" }, /* 148 */ + { 0x03, 150, 0, 7, "prime192v3" }, /* 149 */ + { 0x04, 151, 0, 7, "prime239v1" }, /* 150 */ + { 0x05, 152, 0, 7, "prime239v2" }, /* 151 */ + { 0x06, 153, 0, 7, "prime239v3" }, /* 152 */ + { 0x07, 0, 0, 7, "prime256v1" }, /* 153 */ + { 0x04, 0, 1, 5, "id-ecSigType" }, /* 154 */ + { 0x01, 156, 0, 6, "ecdsa-with-SHA1" }, /* 155 */ + { 0x03, 0, 1, 6, "ecdsa-with-Specified" }, /* 156 */ + { 0x01, 158, 0, 7, "ecdsa-with-SHA224" }, /* 157 */ + { 0x02, 159, 0, 7, "ecdsa-with-SHA256" }, /* 158 */ + { 0x03, 160, 0, 7, "ecdsa-with-SHA384" }, /* 159 */ + { 0x04, 0, 0, 7, "ecdsa-with-SHA512" }, /* 160 */ + {0x2B, 312, 1, 0, "" }, /* 161 */ + { 0x06, 226, 1, 1, "dod" }, /* 162 */ + { 0x01, 0, 1, 2, "internet" }, /* 163 */ + { 0x04, 186, 1, 3, "private" }, /* 164 */ + { 0x01, 0, 1, 4, "enterprise" }, /* 165 */ + { 0x82, 179, 1, 5, "" }, /* 166 */ + { 0x37, 176, 1, 6, "Microsoft" 
}, /* 167 */ + { 0x0A, 172, 1, 7, "" }, /* 168 */ + { 0x03, 0, 1, 8, "" }, /* 169 */ + { 0x03, 171, 0, 9, "msSGC" }, /* 170 */ + { 0x04, 0, 0, 9, "msEncryptingFileSystem" }, /* 171 */ + { 0x14, 0, 1, 7, "msEnrollmentInfrastructure"}, /* 172 */ + { 0x02, 0, 1, 8, "msCertificateTypeExtension"}, /* 173 */ + { 0x02, 175, 0, 9, "msSmartcardLogon" }, /* 174 */ + { 0x03, 0, 0, 9, "msUPN" }, /* 175 */ + { 0xA0, 0, 1, 6, "" }, /* 176 */ + { 0x2A, 0, 1, 7, "ITA" }, /* 177 */ + { 0x01, 0, 0, 8, "strongSwan" }, /* 178 */ + { 0x89, 0, 1, 5, "" }, /* 179 */ + { 0x31, 0, 1, 6, "" }, /* 180 */ + { 0x01, 0, 1, 7, "" }, /* 181 */ + { 0x01, 0, 1, 8, "" }, /* 182 */ + { 0x02, 0, 1, 9, "" }, /* 183 */ + { 0x02, 0, 1, 10, "" }, /* 184 */ + { 0x4B, 0, 0, 11, "TCGID" }, /* 185 */ + { 0x05, 0, 1, 3, "security" }, /* 186 */ + { 0x05, 0, 1, 4, "mechanisms" }, /* 187 */ + { 0x07, 0, 1, 5, "id-pkix" }, /* 188 */ + { 0x01, 193, 1, 6, "id-pe" }, /* 189 */ + { 0x01, 191, 0, 7, "authorityInfoAccess" }, /* 190 */ + { 0x03, 192, 0, 7, "qcStatements" }, /* 191 */ + { 0x07, 0, 0, 7, "ipAddrBlocks" }, /* 192 */ + { 0x02, 196, 1, 6, "id-qt" }, /* 193 */ + { 0x01, 195, 0, 7, "cps" }, /* 194 */ + { 0x02, 0, 0, 7, "unotice" }, /* 195 */ + { 0x03, 206, 1, 6, "id-kp" }, /* 196 */ + { 0x01, 198, 0, 7, "serverAuth" }, /* 197 */ + { 0x02, 199, 0, 7, "clientAuth" }, /* 198 */ + { 0x03, 200, 0, 7, "codeSigning" }, /* 199 */ + { 0x04, 201, 0, 7, "emailProtection" }, /* 200 */ + { 0x05, 202, 0, 7, "ipsecEndSystem" }, /* 201 */ + { 0x06, 203, 0, 7, "ipsecTunnel" }, /* 202 */ + { 0x07, 204, 0, 7, "ipsecUser" }, /* 203 */ + { 0x08, 205, 0, 7, "timeStamping" }, /* 204 */ + { 0x09, 0, 0, 7, "ocspSigning" }, /* 205 */ + { 0x08, 208, 1, 6, "id-otherNames" }, /* 206 */ + { 0x05, 0, 0, 7, "xmppAddr" }, /* 207 */ + { 0x0A, 213, 1, 6, "id-aca" }, /* 208 */ + { 0x01, 210, 0, 7, "authenticationInfo" }, /* 209 */ + { 0x02, 211, 0, 7, "accessIdentity" }, /* 210 */ + { 0x03, 212, 0, 7, "chargingIdentity" }, /* 211 */ + { 0x04, 0, 
0, 7, "group" }, /* 212 */ + { 0x0B, 214, 0, 6, "subjectInfoAccess" }, /* 213 */ + { 0x30, 0, 1, 6, "id-ad" }, /* 214 */ + { 0x01, 223, 1, 7, "ocsp" }, /* 215 */ + { 0x01, 217, 0, 8, "basic" }, /* 216 */ + { 0x02, 218, 0, 8, "nonce" }, /* 217 */ + { 0x03, 219, 0, 8, "crl" }, /* 218 */ + { 0x04, 220, 0, 8, "response" }, /* 219 */ + { 0x05, 221, 0, 8, "noCheck" }, /* 220 */ + { 0x06, 222, 0, 8, "archiveCutoff" }, /* 221 */ + { 0x07, 0, 0, 8, "serviceLocator" }, /* 222 */ + { 0x02, 224, 0, 7, "caIssuers" }, /* 223 */ + { 0x03, 225, 0, 7, "timeStamping" }, /* 224 */ + { 0x05, 0, 0, 7, "caRepository" }, /* 225 */ + { 0x0E, 232, 1, 1, "oiw" }, /* 226 */ + { 0x03, 0, 1, 2, "secsig" }, /* 227 */ + { 0x02, 0, 1, 3, "algorithms" }, /* 228 */ + { 0x07, 230, 0, 4, "des-cbc" }, /* 229 */ + { 0x1A, 231, 0, 4, "sha-1" }, /* 230 */ + { 0x1D, 0, 0, 4, "sha-1WithRSASignature" }, /* 231 */ + { 0x24, 278, 1, 1, "TeleTrusT" }, /* 232 */ + { 0x03, 0, 1, 2, "algorithm" }, /* 233 */ + { 0x03, 0, 1, 3, "signatureAlgorithm" }, /* 234 */ + { 0x01, 239, 1, 4, "rsaSignature" }, /* 235 */ + { 0x02, 237, 0, 5, "rsaSigWithripemd160" }, /* 236 */ + { 0x03, 238, 0, 5, "rsaSigWithripemd128" }, /* 237 */ + { 0x04, 0, 0, 5, "rsaSigWithripemd256" }, /* 238 */ + { 0x02, 0, 1, 4, "ecSign" }, /* 239 */ + { 0x01, 241, 0, 5, "ecSignWithsha1" }, /* 240 */ + { 0x02, 242, 0, 5, "ecSignWithripemd160" }, /* 241 */ + { 0x03, 243, 0, 5, "ecSignWithmd2" }, /* 242 */ + { 0x04, 244, 0, 5, "ecSignWithmd5" }, /* 243 */ + { 0x05, 261, 1, 5, "ttt-ecg" }, /* 244 */ + { 0x01, 249, 1, 6, "fieldType" }, /* 245 */ + { 0x01, 0, 1, 7, "characteristictwoField" }, /* 246 */ + { 0x01, 0, 1, 8, "basisType" }, /* 247 */ + { 0x01, 0, 0, 9, "ipBasis" }, /* 248 */ + { 0x02, 251, 1, 6, "keyType" }, /* 249 */ + { 0x01, 0, 0, 7, "ecgPublicKey" }, /* 250 */ + { 0x03, 252, 0, 6, "curve" }, /* 251 */ + { 0x04, 259, 1, 6, "signatures" }, /* 252 */ + { 0x01, 254, 0, 7, "ecgdsa-with-RIPEMD160" }, /* 253 */ + { 0x02, 255, 0, 7, 
"ecgdsa-with-SHA1" }, /* 254 */ + { 0x03, 256, 0, 7, "ecgdsa-with-SHA224" }, /* 255 */ + { 0x04, 257, 0, 7, "ecgdsa-with-SHA256" }, /* 256 */ + { 0x05, 258, 0, 7, "ecgdsa-with-SHA384" }, /* 257 */ + { 0x06, 0, 0, 7, "ecgdsa-with-SHA512" }, /* 258 */ + { 0x05, 0, 1, 6, "module" }, /* 259 */ + { 0x01, 0, 0, 7, "1" }, /* 260 */ + { 0x08, 0, 1, 5, "ecStdCurvesAndGeneration" }, /* 261 */ + { 0x01, 0, 1, 6, "ellipticCurve" }, /* 262 */ + { 0x01, 0, 1, 7, "versionOne" }, /* 263 */ + { 0x01, 265, 0, 8, "brainpoolP160r1" }, /* 264 */ + { 0x02, 266, 0, 8, "brainpoolP160t1" }, /* 265 */ + { 0x03, 267, 0, 8, "brainpoolP192r1" }, /* 266 */ + { 0x04, 268, 0, 8, "brainpoolP192t1" }, /* 267 */ + { 0x05, 269, 0, 8, "brainpoolP224r1" }, /* 268 */ + { 0x06, 270, 0, 8, "brainpoolP224t1" }, /* 269 */ + { 0x07, 271, 0, 8, "brainpoolP256r1" }, /* 270 */ + { 0x08, 272, 0, 8, "brainpoolP256t1" }, /* 271 */ + { 0x09, 273, 0, 8, "brainpoolP320r1" }, /* 272 */ + { 0x0A, 274, 0, 8, "brainpoolP320t1" }, /* 273 */ + { 0x0B, 275, 0, 8, "brainpoolP384r1" }, /* 274 */ + { 0x0C, 276, 0, 8, "brainpoolP384t1" }, /* 275 */ + { 0x0D, 277, 0, 8, "brainpoolP512r1" }, /* 276 */ + { 0x0E, 0, 0, 8, "brainpoolP512t1" }, /* 277 */ + { 0x81, 0, 1, 1, "" }, /* 278 */ + { 0x04, 0, 1, 2, "Certicom" }, /* 279 */ + { 0x00, 0, 1, 3, "curve" }, /* 280 */ + { 0x01, 282, 0, 4, "sect163k1" }, /* 281 */ + { 0x02, 283, 0, 4, "sect163r1" }, /* 282 */ + { 0x03, 284, 0, 4, "sect239k1" }, /* 283 */ + { 0x04, 285, 0, 4, "sect113r1" }, /* 284 */ + { 0x05, 286, 0, 4, "sect113r2" }, /* 285 */ + { 0x06, 287, 0, 4, "secp112r1" }, /* 286 */ + { 0x07, 288, 0, 4, "secp112r2" }, /* 287 */ + { 0x08, 289, 0, 4, "secp160r1" }, /* 288 */ + { 0x09, 290, 0, 4, "secp160k1" }, /* 289 */ + { 0x0A, 291, 0, 4, "secp256k1" }, /* 290 */ + { 0x0F, 292, 0, 4, "sect163r2" }, /* 291 */ + { 0x10, 293, 0, 4, "sect283k1" }, /* 292 */ + { 0x11, 294, 0, 4, "sect283r1" }, /* 293 */ + { 0x16, 295, 0, 4, "sect131r1" }, /* 294 */ + { 0x17, 296, 0, 4, "sect131r2" 
}, /* 295 */ + { 0x18, 297, 0, 4, "sect193r1" }, /* 296 */ + { 0x19, 298, 0, 4, "sect193r2" }, /* 297 */ + { 0x1A, 299, 0, 4, "sect233k1" }, /* 298 */ + { 0x1B, 300, 0, 4, "sect233r1" }, /* 299 */ + { 0x1C, 301, 0, 4, "secp128r1" }, /* 300 */ + { 0x1D, 302, 0, 4, "secp128r2" }, /* 301 */ + { 0x1E, 303, 0, 4, "secp160r2" }, /* 302 */ + { 0x1F, 304, 0, 4, "secp192k1" }, /* 303 */ + { 0x20, 305, 0, 4, "secp224k1" }, /* 304 */ + { 0x21, 306, 0, 4, "secp224r1" }, /* 305 */ + { 0x22, 307, 0, 4, "secp384r1" }, /* 306 */ + { 0x23, 308, 0, 4, "secp521r1" }, /* 307 */ + { 0x24, 309, 0, 4, "sect409k1" }, /* 308 */ + { 0x25, 310, 0, 4, "sect409r1" }, /* 309 */ + { 0x26, 311, 0, 4, "sect571k1" }, /* 310 */ + { 0x27, 0, 0, 4, "sect571r1" }, /* 311 */ + {0x60, 0, 1, 0, "" }, /* 312 */ + { 0x86, 0, 1, 1, "" }, /* 313 */ + { 0x48, 0, 1, 2, "" }, /* 314 */ + { 0x01, 0, 1, 3, "organization" }, /* 315 */ + { 0x65, 334, 1, 4, "gov" }, /* 316 */ + { 0x03, 0, 1, 5, "csor" }, /* 317 */ + { 0x04, 0, 1, 6, "nistalgorithm" }, /* 318 */ + { 0x01, 329, 1, 7, "aes" }, /* 319 */ + { 0x02, 321, 0, 8, "id-aes128-CBC" }, /* 320 */ + { 0x06, 322, 0, 8, "id-aes128-GCM" }, /* 321 */ + { 0x07, 323, 0, 8, "id-aes128-CCM" }, /* 322 */ + { 0x16, 324, 0, 8, "id-aes192-CBC" }, /* 323 */ + { 0x1A, 325, 0, 8, "id-aes192-GCM" }, /* 324 */ + { 0x1B, 326, 0, 8, "id-aes192-CCM" }, /* 325 */ + { 0x2A, 327, 0, 8, "id-aes256-CBC" }, /* 326 */ + { 0x2E, 328, 0, 8, "id-aes256-GCM" }, /* 327 */ + { 0x2F, 0, 0, 8, "id-aes256-CCM" }, /* 328 */ + { 0x02, 0, 1, 7, "hashalgs" }, /* 329 */ + { 0x01, 331, 0, 8, "id-SHA-256" }, /* 330 */ + { 0x02, 332, 0, 8, "id-SHA-384" }, /* 331 */ + { 0x03, 333, 0, 8, "id-SHA-512" }, /* 332 */ + { 0x04, 0, 0, 8, "id-SHA-224" }, /* 333 */ + { 0x86, 0, 1, 4, "" }, /* 334 */ + { 0xf8, 0, 1, 5, "" }, /* 335 */ + { 0x42, 348, 1, 6, "netscape" }, /* 336 */ + { 0x01, 343, 1, 7, "" }, /* 337 */ + { 0x01, 339, 0, 8, "nsCertType" }, /* 338 */ + { 0x03, 340, 0, 8, "nsRevocationUrl" }, /* 339 */ + { 
0x04, 341, 0, 8, "nsCaRevocationUrl" }, /* 340 */
+	{ 0x08, 342, 0, 8, "nsCaPolicyUrl" }, /* 341 */
+	{ 0x0d, 0, 0, 8, "nsComment" }, /* 342 */
+	{ 0x03, 346, 1, 7, "directory" }, /* 343 */
+	{ 0x01, 0, 1, 8, "" }, /* 344 */
+	{ 0x03, 0, 0, 9, "employeeNumber" }, /* 345 */
+	{ 0x04, 0, 1, 7, "policy" }, /* 346 */
+	{ 0x01, 0, 0, 8, "nsSGC" }, /* 347 */
+	{ 0x45, 0, 1, 6, "verisign" }, /* 348 */
+	{ 0x01, 0, 1, 7, "pki" }, /* 349 */
+	{ 0x09, 0, 1, 8, "attributes" }, /* 350 */
+	{ 0x02, 352, 0, 9, "messageType" }, /* 351 */
+	{ 0x03, 353, 0, 9, "pkiStatus" }, /* 352 */
+	{ 0x04, 354, 0, 9, "failInfo" }, /* 353 */
+	{ 0x05, 355, 0, 9, "senderNonce" }, /* 354 */
+	{ 0x06, 356, 0, 9, "recipientNonce" }, /* 355 */
+	{ 0x07, 357, 0, 9, "transID" }, /* 356 */
+	{ 0x08, 358, 0, 9, "extensionReq" }, /* 357 */
+	{ 0x08, 0, 0, 9, "extensionReq" } /* 358 */
 };
diff --git a/src/libstrongswan/asn1/oid.h b/src/libstrongswan/asn1/oid.h
index 16c9e854b..b6ee9a10d 100644
--- a/src/libstrongswan/asn1/oid.h
+++ b/src/libstrongswan/asn1/oid.h
@@ -49,8 +49,11 @@ extern const oid_t oid_names[];
 #define OID_DELTA_CRL_INDICATOR 48
 #define OID_NAME_CONSTRAINTS 51
 #define OID_CRL_DISTRIBUTION_POINTS 52
+#define OID_CERTIFICATE_POLICIES 53
 #define OID_ANY_POLICY 54
+#define OID_POLICY_MAPPINGS 55
 #define OID_AUTHORITY_KEY_ID 56
+#define OID_POLICY_CONSTRAINTS 57
 #define OID_EXTENDED_KEY_USAGE 58
 #define OID_FRESHEST_CRL 60
 #define OID_INHIBIT_ANY_POLICY 61
@@ -117,92 +120,95 @@ extern const oid_t oid_names[];
 #define OID_ECDSA_WITH_SHA384 159
 #define OID_ECDSA_WITH_SHA512 160
 #define OID_USER_PRINCIPAL_NAME 175
-#define OID_TCGID 182
-#define OID_AUTHORITY_INFO_ACCESS 187
-#define OID_IP_ADDR_BLOCKS 189
-#define OID_SERVER_AUTH 194
-#define OID_CLIENT_AUTH 195
-#define OID_OCSP_SIGNING 202
-#define OID_XMPP_ADDR 204
-#define OID_AUTHENTICATION_INFO 206
-#define OID_ACCESS_IDENTITY 207
-#define OID_CHARGING_IDENTITY 208
-#define OID_GROUP 209
-#define OID_OCSP 212
-#define OID_BASIC 213
-#define OID_NONCE 214
-#define OID_CRL 215
-#define OID_RESPONSE 216
-#define OID_NO_CHECK 217
-#define OID_ARCHIVE_CUTOFF 218
-#define OID_SERVICE_LOCATOR 219
-#define OID_CA_ISSUERS 220
-#define OID_DES_CBC 226
-#define OID_SHA1 227
-#define OID_SHA1_WITH_RSA_OIW 228
-#define OID_ECGDSA_PUBKEY 247
-#define OID_ECGDSA_SIG_WITH_RIPEMD160 250
-#define OID_ECGDSA_SIG_WITH_SHA1 251
-#define OID_ECGDSA_SIG_WITH_SHA224 252
-#define OID_ECGDSA_SIG_WITH_SHA256 253
-#define OID_ECGDSA_SIG_WITH_SHA384 254
-#define OID_ECGDSA_SIG_WITH_SHA512 255
-#define OID_SECT163K1 278
-#define OID_SECT163R1 279
-#define OID_SECT239K1 280
-#define OID_SECT113R1 281
-#define OID_SECT113R2 282
-#define OID_SECT112R1 283
-#define OID_SECT112R2 284
-#define OID_SECT160R1 285
-#define OID_SECT160K1 286
-#define OID_SECT256K1 287
-#define OID_SECT163R2 288
-#define OID_SECT283K1 289
-#define OID_SECT283R1 290
-#define OID_SECT131R1 291
-#define OID_SECT131R2 292
-#define OID_SECT193R1 293
-#define OID_SECT193R2 294
-#define OID_SECT233K1 295
-#define OID_SECT233R1 296
-#define OID_SECT128R1 297
-#define OID_SECT128R2 298
-#define OID_SECT160R2 299
-#define OID_SECT192K1 300
-#define OID_SECT224K1 301
-#define OID_SECT224R1 302
-#define OID_SECT384R1 303
-#define OID_SECT521R1 304
-#define OID_SECT409K1 305
-#define OID_SECT409R1 306
-#define OID_SECT571K1 307
-#define OID_SECT571R1 308
-#define OID_AES128_CBC 317
-#define OID_AES128_GCM 318
-#define OID_AES128_CCM 319
-#define OID_AES192_CBC 320
-#define OID_AES192_GCM 321
-#define OID_AES192_CCM 322
-#define OID_AES256_CBC 323
-#define OID_AES256_GCM 324
-#define OID_AES256_CCM 325
-#define OID_SHA256 327
-#define OID_SHA384 328
-#define OID_SHA512 329
-#define OID_SHA224 330
-#define OID_NS_REVOCATION_URL 336
-#define OID_NS_CA_REVOCATION_URL 337
-#define OID_NS_CA_POLICY_URL 338
-#define OID_NS_COMMENT 339
-#define OID_EMPLOYEE_NUMBER 342
-#define OID_PKI_MESSAGE_TYPE 348
-#define OID_PKI_STATUS 349
-#define OID_PKI_FAIL_INFO 350
-#define OID_PKI_SENDER_NONCE 351
-#define OID_PKI_RECIPIENT_NONCE 352
-#define OID_PKI_TRANS_ID 353
+#define OID_STRONGSWAN 178
+#define OID_TCGID 185
+#define OID_AUTHORITY_INFO_ACCESS 190
+#define OID_IP_ADDR_BLOCKS 192
+#define OID_POLICY_QUALIFIER_CPS 194
+#define OID_POLICY_QUALIFIER_UNOTICE 195
+#define OID_SERVER_AUTH 197
+#define OID_CLIENT_AUTH 198
+#define OID_OCSP_SIGNING 205
+#define OID_XMPP_ADDR 207
+#define OID_AUTHENTICATION_INFO 209
+#define OID_ACCESS_IDENTITY 210
+#define OID_CHARGING_IDENTITY 211
+#define OID_GROUP 212
+#define OID_OCSP 215
+#define OID_BASIC 216
+#define OID_NONCE 217
+#define OID_CRL 218
+#define OID_RESPONSE 219
+#define OID_NO_CHECK 220
+#define OID_ARCHIVE_CUTOFF 221
+#define OID_SERVICE_LOCATOR 222
+#define OID_CA_ISSUERS 223
+#define OID_DES_CBC 229
+#define OID_SHA1 230
+#define OID_SHA1_WITH_RSA_OIW 231
+#define OID_ECGDSA_PUBKEY 250
+#define OID_ECGDSA_SIG_WITH_RIPEMD160 253
+#define OID_ECGDSA_SIG_WITH_SHA1 254
+#define OID_ECGDSA_SIG_WITH_SHA224 255
+#define OID_ECGDSA_SIG_WITH_SHA256 256
+#define OID_ECGDSA_SIG_WITH_SHA384 257
+#define OID_ECGDSA_SIG_WITH_SHA512 258
+#define OID_SECT163K1 281
+#define OID_SECT163R1 282
+#define OID_SECT239K1 283
+#define OID_SECT113R1 284
+#define OID_SECT113R2 285
+#define OID_SECT112R1 286
+#define OID_SECT112R2 287
+#define OID_SECT160R1 288
+#define OID_SECT160K1 289
+#define OID_SECT256K1 290
+#define OID_SECT163R2 291
+#define OID_SECT283K1 292
+#define OID_SECT283R1 293
+#define OID_SECT131R1 294
+#define OID_SECT131R2 295
+#define OID_SECT193R1 296
+#define OID_SECT193R2 297
+#define OID_SECT233K1 298
+#define OID_SECT233R1 299
+#define OID_SECT128R1 300
+#define OID_SECT128R2 301
+#define OID_SECT160R2 302
+#define OID_SECT192K1 303
+#define OID_SECT224K1 304
+#define OID_SECT224R1 305
+#define OID_SECT384R1 306
+#define OID_SECT521R1 307
+#define OID_SECT409K1 308
+#define OID_SECT409R1 309
+#define OID_SECT571K1 310
+#define OID_SECT571R1 311
+#define OID_AES128_CBC 320
+#define OID_AES128_GCM 321
+#define OID_AES128_CCM 322
+#define OID_AES192_CBC 323
+#define OID_AES192_GCM 324
+#define OID_AES192_CCM 325
+#define OID_AES256_CBC 326
+#define OID_AES256_GCM 327
+#define OID_AES256_CCM 328
+#define OID_SHA256 330
+#define OID_SHA384 331
+#define OID_SHA512 332
+#define OID_SHA224 333
+#define OID_NS_REVOCATION_URL 339
+#define OID_NS_CA_REVOCATION_URL 340
+#define OID_NS_CA_POLICY_URL 341
+#define OID_NS_COMMENT 342
+#define OID_EMPLOYEE_NUMBER 345
+#define OID_PKI_MESSAGE_TYPE 351
+#define OID_PKI_STATUS 352
+#define OID_PKI_FAIL_INFO 353
+#define OID_PKI_SENDER_NONCE 354
+#define OID_PKI_RECIPIENT_NONCE 355
+#define OID_PKI_TRANS_ID 356
 
-#define OID_MAX 356
+#define OID_MAX 359
 
 #endif /* OID_H_ */
 
diff --git a/src/libstrongswan/asn1/oid.txt b/src/libstrongswan/asn1/oid.txt
index 36db0299c..e2931c7dd 100644
--- a/src/libstrongswan/asn1/oid.txt
+++ b/src/libstrongswan/asn1/oid.txt
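Review bot: `OID_MAX` is raised to 359 to cover the regenerated table, but that table (visible just above this header's diff) ends with two sibling entries for arc 0x08 named "extensionReq" at indices 357 and 358, the first chaining to the second through its next field. If sibling lookup matches on the arc value, as the chaining suggests, entry 358 can never be selected and only pads `OID_MAX`. This looks like a duplicated line in oid.txt, from which oid.c appears to be generated, so the fix belongs there rather than in this header; the oid.c hunk begins before this chunk.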
@@ -51,11 +51,11 @@ 0x1D "certificateIssuer" 0x1E "nameConstraints" OID_NAME_CONSTRAINTS 0x1F "crlDistributionPoints" OID_CRL_DISTRIBUTION_POINTS - 0x20 "certificatePolicies" + 0x20 "certificatePolicies" OID_CERTIFICATE_POLICIES 0x00 "anyPolicy" OID_ANY_POLICY - 0x21 "policyMappings" + 0x21 "policyMappings" OID_POLICY_MAPPINGS 0x23 "authorityKeyIdentifier" OID_AUTHORITY_KEY_ID - 0x24 "policyConstraints" + 0x24 "policyConstraints" OID_POLICY_CONSTRAINTS 0x25 "extendedKeyUsage" OID_EXTENDED_KEY_USAGE 0x00 "anyExtendedKeyUsage" 0x2E "freshestCRL" OID_FRESHEST_CRL @@ -124,7 +124,7 @@ 0x01 "id-ecPublicKey" OID_EC_PUBLICKEY 0x03 "ellipticCurve" 0x00 "c-TwoCurve" - 0x01 "c2pnb163v1" OID_C2PNB163V1 + 0x01 "c2pnb163v1" OID_C2PNB163V1 0x02 "c2pnb163v2" OID_C2PNB163V2 0x03 "c2pnb163v3" OID_C2PNB163V3 0x04 "c2pnb176w1" OID_C2PNB176W1 @@ -174,13 +174,16 @@ 0x02 "msCertificateTypeExtension" 0x02 "msSmartcardLogon" 0x03 "msUPN" OID_USER_PRINCIPAL_NAME + 0xA0 "" + 0x2A "ITA" + 0x01 "strongSwan" OID_STRONGSWAN 0x89 "" 0x31 "" 0x01 "" 0x01 "" 0x02 "" 0x02 "" - 0x4B "TCGID" OID_TCGID + 0x4B "TCGID" OID_TCGID 0x05 "security" 0x05 "mechanisms" 0x07 "id-pkix" @@ -189,8 +192,8 @@ 0x03 "qcStatements" 0x07 "ipAddrBlocks" OID_IP_ADDR_BLOCKS 0x02 "id-qt" - 0x01 "cps" - 0x02 "unotice" + 0x01 "cps" OID_POLICY_QUALIFIER_CPS + 0x02 "unotice" OID_POLICY_QUALIFIER_UNOTICE 0x03 "id-kp" 0x01 "serverAuth" OID_SERVER_AUTH 0x02 "clientAuth" OID_CLIENT_AUTH diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c index ce718b9cb..23a3f62d9 100644 --- a/src/libstrongswan/credentials/auth_cfg.c +++ b/src/libstrongswan/credentials/auth_cfg.c 
@@ -131,11 +131,13 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_SUBJECT_CERT:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
+		case AUTH_HELPER_REVOCATION_CERT:
 		{
 			certificate_t *cert = (certificate_t*)entry->value;
 			cert->destroy(cert);
 			break;
 		}
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
 		{
@@ -147,6 +149,8 @@ static void destroy_entry_value(entry_t *entry)
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			break;
 	}
 }
@@ -172,6 +176,8 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			/* integer type */
 			enumerator->current->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
@@ -182,10 +188,12 @@ static void replace(auth_cfg_t *this, entry_enumerator_t *enumerator,
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
+		case AUTH_HELPER_REVOCATION_CERT:
 			/* pointer type */
 			enumerator->current->value = va_arg(args, void*);
 			break;
@@ -237,6 +245,8 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 		case AUTH_RULE_EAP_TYPE:
 			return (void*)EAP_NAK;
 		case AUTH_RULE_EAP_VENDOR:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			return (void*)0;
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
@@ -248,10 +258,12 @@ static void* get(private_auth_cfg_t *this, auth_rule_t type)
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
+		case AUTH_HELPER_REVOCATION_CERT:
 		default:
 			return NULL;
 	}
@@ -274,6 +286,8 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 		case AUTH_RULE_EAP_VENDOR:
 		case AUTH_RULE_CRL_VALIDATION:
 		case AUTH_RULE_OCSP_VALIDATION:
+		case AUTH_RULE_RSA_STRENGTH:
+		case AUTH_RULE_ECDSA_STRENGTH:
 			/* integer type */
 			entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 			break;
@@ -284,10 +298,12 @@ static void add(private_auth_cfg_t *this, auth_rule_t type, ...)
 		case AUTH_RULE_CA_CERT:
 		case AUTH_RULE_IM_CERT:
 		case AUTH_RULE_SUBJECT_CERT:
+		case AUTH_RULE_CERT_POLICY:
 		case AUTH_HELPER_IM_CERT:
 		case AUTH_HELPER_SUBJECT_CERT:
 		case AUTH_HELPER_IM_HASH_URL:
 		case AUTH_HELPER_SUBJECT_HASH_URL:
+		case AUTH_HELPER_REVOCATION_CERT:
 			/* pointer type */
 			entry->value = va_arg(args, void*);
 			break;
@@ -358,38 +374,45 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 			case AUTH_RULE_CRL_VALIDATION:
 			case AUTH_RULE_OCSP_VALIDATION:
 			{
-				cert_validation_t validated, required;
+				uintptr_t validated;
 
-				required = (uintptr_t)value;
-				validated = (uintptr_t)get(this, t1);
-				switch (required)
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &validated))
 				{
-					case VALIDATION_FAILED:
-						/* no constraint */
-						break;
-					case VALIDATION_SKIPPED:
-						if (validated == VALIDATION_SKIPPED)
-						{
-							break;
-						}
-						/* FALL */
-					case VALIDATION_GOOD:
-						if (validated == VALIDATION_GOOD)
-						{
-							break;
-						}
-						/* FALL */
-					default:
-						success = FALSE;
-						if (log_error)
+					if (t2 == t1)
+					{
+						switch ((uintptr_t)value)
 						{
-							DBG1(DBG_CFG, "constraint check failed: %N is %N, "
-								 "but requires at least %N", auth_rule_names,
-								 t1, cert_validation_names, validated,
-								 cert_validation_names, required);
+							case VALIDATION_FAILED:
+								/* no constraint */
+								break;
+							case VALIDATION_SKIPPED:
+								if (validated == VALIDATION_SKIPPED)
+								{
+									break;
+								}
+								/* FALL */
+							case VALIDATION_GOOD:
+								if (validated == VALIDATION_GOOD)
+								{
+									break;
+								}
+								/* FALL */
+							default:
+								success = FALSE;
+								if (log_error)
+								{
+									DBG1(DBG_CFG, "constraint check failed: "
+										 "%N is %N, but requires at least %N",
+										 auth_rule_names, t1,
+										 cert_validation_names, validated,
+										 cert_validation_names, (uintptr_t)value);
+								}
+								break;
 						}
-						break;
+					}
 				}
+				e2->destroy(e2);
 				break;
 			}
 			case AUTH_RULE_IDENTITY:
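Review bot: In the rewritten CRL/OCSP branch of complies(), a constraint of VALIDATION_GOOD or VALIDATION_SKIPPED is now satisfied when `this` holds no entry of type t1 at all, because `success` is only cleared inside the `t2 == t1` match and an enumeration with no match leaves it TRUE. The replaced code compared the requirement against whatever default get() returns for these rules, so an absent validation result previously went through the same switch; if the validators always record an entry this is harmless, but the check should fail closed regardless. A small way to do that is to track a match (`bool found = FALSE;` set inside the `t2 == t1` branch) and, after `e2->destroy(e2);`, add `if (!found && (uintptr_t)value != VALIDATION_FAILED) { success = FALSE; }`. The AUTH_RULE_RSA_STRENGTH/AUTH_RULE_ECDSA_STRENGTH branch in the next hunk has the same shape, whereas its AUTH_RULE_CERT_POLICY branch starts from `success = FALSE` and only sets TRUE on a match; the three branches would be easier to audit if they agreed. complies() starts and ends outside this hunk.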
@@ -473,10 +496,76 @@ static bool complies(private_auth_cfg_t *this, auth_cfg_t *constraints,
 				e2->destroy(e2);
 				break;
 			}
+			case AUTH_RULE_RSA_STRENGTH:
+			case AUTH_RULE_ECDSA_STRENGTH:
+			{
+				uintptr_t strength;
+
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &strength))
+				{
+					if (t2 == t1)
+					{
+						if ((uintptr_t)value > strength)
+						{
+							success = FALSE;
+							if (log_error)
+							{
+								DBG1(DBG_CFG, "constraint requires %d bit "
+									 "public keys, but %d bit key used",
+									 (uintptr_t)value, strength);
+							}
+						}
+					}
+					else if (t2 == AUTH_RULE_RSA_STRENGTH)
+					{
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint requires %d bit ECDSA, "
+								 "but RSA used", (uintptr_t)value);
+						}
+					}
+					else if (t2 == AUTH_RULE_ECDSA_STRENGTH)
+					{
+						success = FALSE;
+						if (log_error)
+						{
+							DBG1(DBG_CFG, "constraint requires %d bit RSA, "
+								 "but ECDSA used", (uintptr_t)value);
+						}
+					}
+				}
+				e2->destroy(e2);
+				break;
+			}
+			case AUTH_RULE_CERT_POLICY:
+			{
+				char *oid1, *oid2;
+
+				oid1 = (char*)value;
+				success = FALSE;
+				e2 = create_enumerator(this);
+				while (e2->enumerate(e2, &t2, &oid2))
+				{
+					if (t2 == t1 && streq(oid1, oid2))
+					{
+						success = TRUE;
+						break;
+					}
+				}
+				e2->destroy(e2);
+				if (!success && log_error)
+				{
+					DBG1(DBG_CFG, "constraint requires cert policy %s", oid1);
+				}
+				break;
+			}
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
+			case AUTH_HELPER_REVOCATION_CERT:
 				/* skip helpers */
 				continue;
 		}
@@ -523,6 +612,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 			case AUTH_RULE_SUBJECT_CERT:
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_REVOCATION_CERT:
 			{
 				certificate_t *cert = (certificate_t*)value;
 
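Review bot: The three DBG1 calls in the new AUTH_RULE_RSA_STRENGTH/AUTH_RULE_ECDSA_STRENGTH branch pass `uintptr_t` arguments (`(uintptr_t)value`, `strength`) to `%d` conversions; on LP64 targets that is a format/argument size mismatch, undefined per C and flagged by -Wformat, even where the varargs ABI happens to make it print correctly. Key sizes in bits fit an int, so the simplest fix is to cast at the call site, e.g. `(int)(uintptr_t)value, (int)strength` in the first call and `(int)(uintptr_t)value` in the other two. The `%N` arguments `validated` and `(uintptr_t)value` in the previous hunk are worth the same look if the %N printf hook reads an int. complies() starts and ends outside this hunk.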
@@ -534,6 +624,8 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 			case AUTH_RULE_AUTH_CLASS:
 			case AUTH_RULE_EAP_TYPE:
 			case AUTH_RULE_EAP_VENDOR:
+			case AUTH_RULE_RSA_STRENGTH:
+			case AUTH_RULE_ECDSA_STRENGTH:
 			{
 				add(this, type, (uintptr_t)value);
 				break;
@@ -548,6 +640,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 				add(this, type, id->clone(id));
 				break;
 			}
+			case AUTH_RULE_CERT_POLICY:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			{
@@ -600,6 +693,8 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 				case AUTH_RULE_EAP_VENDOR:
 				case AUTH_RULE_CRL_VALIDATION:
 				case AUTH_RULE_OCSP_VALIDATION:
+				case AUTH_RULE_RSA_STRENGTH:
+				case AUTH_RULE_ECDSA_STRENGTH:
 				{
 					if (i1->value == i2->value)
 					{
@@ -613,6 +708,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 				case AUTH_RULE_SUBJECT_CERT:
 				case AUTH_HELPER_IM_CERT:
 				case AUTH_HELPER_SUBJECT_CERT:
+				case AUTH_HELPER_REVOCATION_CERT:
 				{
 					certificate_t *c1, *c2;
 
@@ -643,6 +739,7 @@ static bool equals(private_auth_cfg_t *this, private_auth_cfg_t *other)
 					}
 					continue;
 				}
+				case AUTH_RULE_CERT_POLICY:
 				case AUTH_HELPER_IM_HASH_URL:
 				case AUTH_HELPER_SUBJECT_HASH_URL:
 				{
@@ -725,11 +822,13 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 			case AUTH_RULE_SUBJECT_CERT:
 			case AUTH_HELPER_IM_CERT:
 			case AUTH_HELPER_SUBJECT_CERT:
+			case AUTH_HELPER_REVOCATION_CERT:
 			{
 				certificate_t *cert = (certificate_t*)entry->value;
 				clone->add(clone, entry->type, cert->get_ref(cert));
 				break;
 			}
+			case AUTH_RULE_CERT_POLICY:
 			case AUTH_HELPER_IM_HASH_URL:
 			case AUTH_HELPER_SUBJECT_HASH_URL:
 			{
@@ -741,6 +840,8 @@ static auth_cfg_t* clone_(private_auth_cfg_t *this)
 			case AUTH_RULE_EAP_VENDOR:
 			case AUTH_RULE_CRL_VALIDATION:
 			case AUTH_RULE_OCSP_VALIDATION:
+			case AUTH_RULE_RSA_STRENGTH:
+			case AUTH_RULE_ECDSA_STRENGTH:
 				clone->add(clone, entry->type, (uintptr_t)entry->value);
 				break;
 		}
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 19624a2fe..489ce1134 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
@@ -90,6 +90,12 @@ enum auth_rule_t {
 	 * The group membership constraint is fulfilled if the subject is member of
 	 * one group defined in the constraints.
 	 */
 	AUTH_RULE_GROUP,
+	/** required RSA public key strength, u_int in bits */
+	AUTH_RULE_RSA_STRENGTH,
+	/** required ECDSA public key strength, u_int in bits */
+	AUTH_RULE_ECDSA_STRENGTH,
+	/** certificatePolicy constraint, numerical OID as char* */
+	AUTH_RULE_CERT_POLICY,
 	/** intermediate certificate, certificate_t* */
 	AUTH_HELPER_IM_CERT,
@@ -99,6 +105,8 @@ enum auth_rule_t {
 	AUTH_HELPER_IM_HASH_URL,
 	/** Hash and URL of a end-entity certificate, char* */
 	AUTH_HELPER_SUBJECT_HASH_URL,
+	/** revocation certificate (CRL, OCSP), certificate_t* */
+	AUTH_HELPER_REVOCATION_CERT,
 };
 
 /**
diff --git a/src/libstrongswan/credentials/builder.c b/src/libstrongswan/credentials/builder.c
index c43e5fd5d..f9a277a2c 100644
--- a/src/libstrongswan/credentials/builder.c
+++ b/src/libstrongswan/credentials/builder.c
@@ -43,8 +43,16 @@ ENUM(builder_part_names, BUILD_FROM_FILE, BUILD_END,
 	"BUILD_CRL_DISTRIBUTION_POINTS",
 	"BUILD_OCSP_ACCESS_LOCATIONS",
 	"BUILD_PATHLEN",
+	"BUILD_PERMITTED_NAME_CONSTRAINTS",
+	"BUILD_EXCLUDED_NAME_CONSTRAINTS",
+	"BUILD_CERTIFICATE_POLICIES",
+	"BUILD_POLICY_MAPPINGS",
+	"BUILD_POLICY_REQUIRE_EXPLICIT",
+	"BUILD_POLICY_INHIBIT_MAPPING",
+	"BUILD_POLICY_INHIBIT_ANY",
 	"BUILD_X509_FLAG",
 	"BUILD_REVOKED_ENUMERATOR",
+	"BUILD_BASE_CRL",
 	"BUILD_CHALLENGE_PWD",
 	"BUILD_PKCS11_MODULE",
 	"BUILD_PKCS11_SLOT",
diff --git a/src/libstrongswan/credentials/builder.h b/src/libstrongswan/credentials/builder.h
index dc87da2a4..325b668cd 100644
--- a/src/libstrongswan/credentials/builder.h
+++ b/src/libstrongswan/credentials/builder.h
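Review bot: The comments on `AUTH_RULE_RSA_STRENGTH` and `AUTH_RULE_ECDSA_STRENGTH` say "required ... strength" without giving the direction of the check; complies() in auth_cfg.c fails the constraint when the configured value exceeds the key's strength, so this is a minimum, and the comment should say so: `/** minimum RSA public key strength in bits, u_int; weaker keys fail the constraint */` (likewise for ECDSA). `AUTH_RULE_CERT_POLICY` is compared with streq() in complies(), so the comment should also note that the match is a plain string comparison with no OID normalisation, e.g. `/** certificatePolicy constraint, numerical OID as char*, matched by exact string comparison */`. It is also worth recording in the commit message that inserting the three rules before AUTH_HELPER_IM_CERT renumbers every AUTH_HELPER_* value, in case anything persists or switches on the raw integers.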
@@ -87,16 +87,32 @@ enum builder_part_t {
 	BUILD_CA_CERT,
 	/** a certificate, certificate_t* */
 	BUILD_CERT,
-	/** CRL distribution point URIs, linked_list_t* containing char* */
+	/** CRL distribution point URIs, x509_cdp_t* */
 	BUILD_CRL_DISTRIBUTION_POINTS,
 	/** OCSP AuthorityInfoAccess locations, linked_list_t* containing char* */
 	BUILD_OCSP_ACCESS_LOCATIONS,
 	/** certificate path length constraint */
 	BUILD_PATHLEN,
+	/** permitted X509 name constraints, linked_list_t* of identification_t* */
+	BUILD_PERMITTED_NAME_CONSTRAINTS,
+	/** excluded X509 name constraints, linked_list_t* of identification_t* */
+	BUILD_EXCLUDED_NAME_CONSTRAINTS,
+	/** certificatePolicy OIDs, linked_list_t* of x509_cert_policy_t* */
+	BUILD_CERTIFICATE_POLICIES,
+	/** policyMapping OIDs, linked_list_t* of x509_policy_mapping_t* */
+	BUILD_POLICY_MAPPINGS,
+	/** requireExplicitPolicy constraint, int */
+	BUILD_POLICY_REQUIRE_EXPLICIT,
+	/** inhibitPolicyMapping constraint, int */
+	BUILD_POLICY_INHIBIT_MAPPING,
+	/** inhibitAnyPolicy constraint, int */
+	BUILD_POLICY_INHIBIT_ANY,
 	/** enforce an additional X509 flag, x509_flag_t */
 	BUILD_X509_FLAG,
 	/** enumerator_t over (chunk_t serial, time_t date, crl_reason_t reason) */
 	BUILD_REVOKED_ENUMERATOR,
+	/** Base CRL serial for a delta CRL, chunk_t, */
+	BUILD_BASE_CRL,
 	/** PKCS#10 challenge password */
 	BUILD_CHALLENGE_PWD,
 	/** friendly name of a PKCS#11 module, null terminated char* */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 1e67c23ab..733d9d612 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
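Review bot: The new comment on `BUILD_CRL_DISTRIBUTION_POINTS` says `x509_cdp_t*`, while every neighbouring list-valued part is documented as `linked_list_t* of ...` and the text it replaces documented a list; if the builder still receives a list it should read `/** CRL distribution points, linked_list_t* of x509_cdp_t* */`, and if it now takes one x509_cdp_t per part that change in contract deserves an explicit word. The `BUILD_BASE_CRL` comment has a stray trailing comma, and "serial" is a different X.509 field from the baseCRLNumber that crl.h's is_delta_crl() refers to; if the chunk carries the CRL number, `/** base CRL number for a delta CRL, chunk_t */` would avoid the ambiguity.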
@@ -40,12 +40,13 @@ struct cert_validator_t { * @param subject subject certificate to check * @param issuer issuer of subject * @param online wheter to do online revocation checking - * @param pathlen the current length of the path up to the root CA + * @param pathlen the current length of the path bottom-up + * @param anchor is issuer trusted root anchor * @param auth container for resulting authentication info */ bool (*validate)(cert_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, - auth_cfg_t *auth); + certificate_t *issuer, bool online, u_int pathlen, + bool anchor, auth_cfg_t *auth); }; #endif /** CERT_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/credentials/certificates/crl.h b/src/libstrongswan/credentials/certificates/crl.h index 9425311fb..2f3497474 100644 --- a/src/libstrongswan/credentials/certificates/crl.h +++ b/src/libstrongswan/credentials/certificates/crl.h @@ -71,6 +71,21 @@ struct crl_t { */ chunk_t (*get_authKeyIdentifier)(crl_t *this); + /** + * Is this CRL a delta CRL? + * + * @param base_crl gets to baseCrlNumber, if this is a delta CRL + * @return TRUE if delta CRL + */ + bool (*is_delta_crl)(crl_t *this, chunk_t *base_crl); + + /** + * Create an enumerator over Freshest CRL distribution points and issuers. + * + * @return enumerator over x509_cdp_t + */ + enumerator_t* (*create_delta_crl_uri_enumerator)(crl_t *this); + /** * Create an enumerator over all revoked certificates. * diff --git a/src/libstrongswan/credentials/certificates/x509.c b/src/libstrongswan/credentials/certificates/x509.c deleted file mode 100644 index 66dc192c1..000000000 --- a/src/libstrongswan/credentials/certificates/x509.c +++ /dev/null 
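Review bot: The new `@param anchor` line in `cert_validator_t.validate` reads "is issuer trusted root anchor", which does not say what value the flag carries, while the neighbouring parameters describe theirs as a condition. Suggest ` * @param anchor TRUE if issuer is a trusted root anchor`. The same hunk turns `pathlen` into a `u_int` but the doc only says "bottom-up"; stating that 0 is the subject's own link would remove the ambiguity, if that is what the caller passes (the `verify_trust_chain` loop in a later hunk starts at 0).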
@@ -1,28 +0,0 @@ -/* - * Copyright (C) 2008 Martin Willi - * Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See . - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#include "x509.h" - -ENUM(x509_flag_names, X509_NONE, X509_IP_ADDR_BLOCKS, - "X509_NONE", - "X509_CA", - "X509_AA", - "X509_OCSP_SIGNER", - "X509_SERVER_AUTH", - "X509_CLIENT_AUTH", - "X509_SELF_SIGNED", - "X509_IP_ADDR_BLOCKS", -); - diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h index 6e0a5002a..fec02dbad 100644 --- a/src/libstrongswan/credentials/certificates/x509.h +++ b/src/libstrongswan/credentials/certificates/x509.h @@ -24,10 +24,15 @@ #include #include -#define X509_NO_PATH_LEN_CONSTRAINT -1 +/* constraints are currently restricted to the range 0..127 */ +#define X509_NO_CONSTRAINT 255 typedef struct x509_t x509_t; +typedef struct x509_cert_policy_t x509_cert_policy_t; +typedef struct x509_policy_mapping_t x509_policy_mapping_t; +typedef struct x509_cdp_t x509_cdp_t; typedef enum x509_flag_t x509_flag_t; +typedef enum x509_constraint_t x509_constraint_t; /** * X.509 certificate flags. 
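Review bot: `X509_NO_CONSTRAINT` is defined as 255 for a `u_int`-returning `get_constraint`, so the sentinel is only distinguishable from a real value as long as every parsed constraint really stays in 0..127, which the comment asserts but this header cannot enforce. If the parser accepted a pathLenConstraint or policy constraint of 255, it would silently read as "no constraint" — a weaker check instead of a rejected certificate. Suggest the comment name where the range is enforced, e.g. `/* constraints are restricted to 0..127 by the parser; 255 is therefore safe as the "none" sentinel */`, and that the parser (outside this diff) reject larger values rather than store them.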
@@ -49,12 +54,55 @@ enum x509_flag_t { X509_SELF_SIGNED = (1<<5), /** cert has an ipAddrBlocks extension */ X509_IP_ADDR_BLOCKS = (1<<6), + /** cert has CRL sign key usage */ + X509_CRL_SIGN = (1<<7), }; /** - * enum names for x509 flags + * Different numerical X.509 constraints. */ -extern enum_name_t *x509_flag_names; +enum x509_constraint_t { + /** pathLenConstraint basicConstraints */ + X509_PATH_LEN, + /** inhibitPolicyMapping policyConstraint */ + X509_INHIBIT_POLICY_MAPPING, + /** requireExplicitPolicy policyConstraint */ + X509_REQUIRE_EXPLICIT_POLICY, + /** inhibitAnyPolicy constraint */ + X509_INHIBIT_ANY_POLICY, +}; + +/** + * X.509 certPolicy extension. + */ +struct x509_cert_policy_t { + /** OID of certPolicy */ + chunk_t oid; + /** Certification Practice Statement URI qualifier */ + char *cps_uri; + /** UserNotice Text qualifier */ + char *unotice_text; +}; + +/** + * X.509 policyMapping extension + */ +struct x509_policy_mapping_t { + /** OID of issuerDomainPolicy */ + chunk_t issuer; + /** OID of subjectDomainPolicy */ + chunk_t subject; +}; + +/** + * X.509 CRL distributionPoint + */ +struct x509_cdp_t { + /** CDP URI, as string */ + char *uri; + /** CRL issuer */ + identification_t *issuer; +}; /** * X.509 certificate interface. @@ -98,11 +146,12 @@ struct x509_t { chunk_t (*get_authKeyIdentifier)(x509_t *this); /** - * Get an optional path length constraint. + * Get a numerical X.509 constraint. * - * @return pathLenConstraint, -1 if no constraint exists + * @param type type of constraint to get + * @return constraint, X509_NO_CONSTRAINT if none found */ - int (*get_pathLenConstraint)(x509_t *this); + u_int (*get_constraint)(x509_t *this, x509_constraint_t type); /** * Create an enumerator over all subjectAltNames. 
@@ -112,9 +161,9 @@ struct x509_t { enumerator_t* (*create_subjectAltName_enumerator)(x509_t *this); /** - * Create an enumerator over all CRL URIs. + * Create an enumerator over all CRL URIs and CRL Issuers. * - * @return enumerator over URIs as char* + * @return enumerator over x509_cdp_t */ enumerator_t* (*create_crl_uri_enumerator)(x509_t *this); @@ -131,6 +180,30 @@ struct x509_t { * @return enumerator over ipAddrBlocks as traffic_selector_t* */ enumerator_t* (*create_ipAddrBlock_enumerator)(x509_t *this); + + /** + * Create an enumerator over name constraints. + * + * @param perm TRUE for permitted, FALSE for excluded subtrees + * @return enumerator over subtrees as identification_t + */ + enumerator_t* (*create_name_constraint_enumerator)(x509_t *this, bool perm); + + /** + * Create an enumerator over certificate policies. + * + * @return enumerator over x509_cert_policy_t + */ + enumerator_t* (*create_cert_policy_enumerator)(x509_t *this); + + /** + * Create an enumerator over policy mappings. + * + * @return enumerator over x509_policy_mapping + */ + enumerator_t* (*create_policy_mapping_enumerator)(x509_t *this); + + }; #endif /** X509_H_ @}*/ diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c index 97e8d8887..27b97eab3 100644 --- a/src/libstrongswan/credentials/credential_manager.c +++ b/src/libstrongswan/credentials/credential_manager.c @@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this) * check a certificate for its lifetime */ static bool check_certificate(private_credential_manager_t *this, - certificate_t *subject, certificate_t *issuer, - bool online, int pathlen, auth_cfg_t *auth) + certificate_t *subject, certificate_t *issuer, bool online, + int pathlen, bool trusted, auth_cfg_t *auth) { time_t not_before, not_after; cert_validator_t *validator; 
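Review bot: The doc comment of `create_policy_mapping_enumerator` names the element type `x509_policy_mapping`, which is not declared anywhere in this header; the struct introduced earlier in the file is `x509_policy_mapping_t`. Suggest ` * @return enumerator over x509_policy_mapping_t*`, and for consistency ` * @return enumerator over subtrees as identification_t*` on `create_name_constraint_enumerator`, since the other enumerator docs name pointer types. The two empty lines added before the closing `};` of `struct x509_t` should go as well.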
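Review bot: `check_certificate` keeps `int pathlen` while `cert_validator_t.validate` in this same commit now takes `u_int pathlen`, so the validator call in the next hunk converts signed to unsigned implicitly on every link. The loop counter in `verify_trust_chain` (visible in a later hunk) is also an `int`, so the consistent fix is to use one type throughout: `int pathlen, bool trusted, auth_cfg_t *auth)` → `u_int pathlen, bool trusted, auth_cfg_t *auth)` here and `u_int pathlen;` in `verify_trust_chain`, or keep `int` everywhere and drop the `u_int` change in cert_validator.h. The body of `check_certificate` continues outside this hunk.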
@@ -471,29 +471,12 @@ static bool check_certificate(private_credential_manager_t *this, ¬_before, FALSE, ¬_after, FALSE); return FALSE; } - if (issuer->get_type(issuer) == CERT_X509 && - subject->get_type(subject) == CERT_X509) - { - int pathlen_constraint; - x509_t *x509; - - /* check path length constraint */ - x509 = (x509_t*)issuer; - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && - pathlen > pathlen_constraint) - { - DBG1(DBG_CFG, "path length of %d violates constraint of %d", - pathlen, pathlen_constraint); - return FALSE; - } - } enumerator = this->validators->create_enumerator(this->validators); while (enumerator->enumerate(enumerator, &validator)) { if (!validator->validate(validator, subject, issuer, - online, pathlen, auth)) + online, pathlen, trusted, auth)) { enumerator->destroy(enumerator); return FALSE; @@ -550,6 +533,37 @@ static certificate_t *get_issuer_cert(private_credential_manager_t *this, return issuer; } +/** + * Get the strength of certificate, add it to auth + */ +static void get_key_strength(certificate_t *cert, auth_cfg_t *auth) +{ + uintptr_t strength; + public_key_t *key; + key_type_t type; + + key = cert->get_public_key(cert); + if (key) + { + type = key->get_type(key); + strength = key->get_keysize(key); + DBG2(DBG_CFG, " certificate \"%Y\" key: %d bit %N", + cert->get_subject(cert), strength, key_type_names, type); + switch (type) + { + case KEY_RSA: + auth->add(auth, AUTH_RULE_RSA_STRENGTH, strength); + break; + case KEY_ECDSA: + auth->add(auth, AUTH_RULE_ECDSA_STRENGTH, strength); + break; + default: + break; + } + key->destroy(key); + } +} + /** * try to verify the trust chain of subject, return TRUE if trusted */ 
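Review bot: Removing the inline pathLenConstraint check leaves `check_certificate` with only the lifetime check of its own; path length, and the new policy and name constraints, are now enforced solely by whatever `cert_validator_t` implementations are registered. With an empty validator list the loop below accepts any issuer/subject pair that passes the date check, so the dependency deserves to be stated where a reader will look for the old code. Suggest a comment before the enumerator loop: `/* X.509 constraints (path length, policies, name constraints) are enforced by the registered validators; without one, only the lifetime is checked here */`. `check_certificate` starts in the previous hunk and ends outside this one.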
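Review bot: In `get_key_strength` the `%d` conversion is fed `strength`, a `uintptr_t`, which is a format/argument type mismatch — undefined behaviour in C and a wrong value on any ABI where a pointer-sized integer is not passed like an `int`. The `uintptr_t` is only needed because `auth->add` stores the value in a pointer-sized slot, so cast at the log call instead: `cert->get_subject(cert), (int)strength, key_type_names, type);`. Alternatively keep a `u_int keysize` for logging and pass `(uintptr_t)keysize` to `auth->add`.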
@@ -562,7 +576,9 @@ static bool verify_trust_chain(private_credential_manager_t *this, int pathlen; auth = auth_cfg_create(); + get_key_strength(subject, auth); current = subject->get_ref(subject); + auth->add(auth, AUTH_RULE_SUBJECT_CERT, current->get_ref(current)); for (pathlen = 0; pathlen <= MAX_TRUST_PATH_LEN; pathlen++) { @@ -607,13 +623,17 @@ static bool verify_trust_chain(private_credential_manager_t *this, break; } } - if (!check_certificate(this, current, issuer, online, pathlen, - current == subject ? auth : NULL)) + if (!check_certificate(this, current, issuer, online, + pathlen, trusted, auth)) { trusted = FALSE; issuer->destroy(issuer); break; } + if (issuer) + { + get_key_strength(issuer, auth); + } current->destroy(current); current = issuer; if (trusted) @@ -636,6 +656,14 @@ static bool verify_trust_chain(private_credential_manager_t *this, return trusted; } +/** + * List find match function for certificates + */ +static bool cert_equals(certificate_t *a, certificate_t *b) +{ + return a->equals(a, b); +} + /** * enumerator for trusted certificates */ @@ -656,6 +684,8 @@ typedef struct { certificate_t *pretrusted; /** currently enumerating auth config */ auth_cfg_t *auth; + /** list of failed candidates */ + linked_list_t *failed; } trusted_enumerator_t; METHOD(enumerator_t, trusted_enumerate, bool, @@ -683,11 +713,14 @@ METHOD(enumerator_t, trusted_enumerate, bool, verify_trust_chain(this->this, this->pretrusted, this->auth, TRUE, this->online)) { - this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, - this->pretrusted->get_ref(this->pretrusted)); DBG1(DBG_CFG, " using trusted certificate \"%Y\"", this->pretrusted->get_subject(this->pretrusted)); *cert = this->pretrusted; + if (!this->auth->get(this->auth, AUTH_RULE_SUBJECT_CERT)) + { /* add cert to auth info, if not returned by trustchain */ + this->auth->add(this->auth, AUTH_RULE_SUBJECT_CERT, + this->pretrusted->get_ref(this->pretrusted)); + } if (auth) { *auth = this->auth; 
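Review bot: The new `if (issuer)` guard around `get_key_strength(issuer, auth)` is dead: the failure branch just above calls `issuer->destroy(issuer)` unconditionally and `check_certificate` hands `issuer` straight to the validators, so `issuer` is already assumed non-NULL at this point (the lookup establishing that is earlier in the loop, outside the hunk). Either drop the guard — `get_key_strength(issuer, auth);` — or, if a NULL issuer can genuinely reach here, guard the destroy and the `check_certificate` call as well, since guarding only the new line obscures which assumption holds. Note also that `auth` is now passed for every link of the chain instead of only for `current == subject`, which changes what validators may add to it; a one-line comment on the call stating that intent would help.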
@@ -705,6 +738,12 @@ METHOD(enumerator_t, trusted_enumerate, bool, continue; } + if (this->failed->find_first(this->failed, (void*)cert_equals, + NULL, current) == SUCCESS) + { /* check each candidate only once */ + continue; + } + DBG1(DBG_CFG, " using certificate \"%Y\"", current->get_subject(current)); if (verify_trust_chain(this->this, current, this->auth, FALSE, @@ -717,6 +756,7 @@ METHOD(enumerator_t, trusted_enumerate, bool, } return TRUE; } + this->failed->insert_last(this->failed, current->get_ref(current)); } return FALSE; } @@ -727,6 +767,7 @@ METHOD(enumerator_t, trusted_destroy, void, DESTROY_IF(this->pretrusted); DESTROY_IF(this->auth); DESTROY_IF(this->candidates); + this->failed->destroy_offset(this->failed, offsetof(certificate_t, destroy)); free(this); } @@ -745,6 +786,7 @@ METHOD(credential_manager_t, create_trusted_enumerator, enumerator_t*, .type = type, .id = id, .online = online, + .failed = linked_list_create(), ); return &enumerator->public; } diff --git a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c index 5e8458616..225fabe31 100644 --- a/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c +++ b/src/libstrongswan/credentials/sets/auth_cfg_wrapper.c @@ -132,7 +132,8 @@ static bool enumerate(wrapper_enumerator_t *this, certificate_t **cert) } } else if (rule != AUTH_HELPER_SUBJECT_CERT && - rule != AUTH_HELPER_IM_CERT) + rule != AUTH_HELPER_IM_CERT && + rule != AUTH_HELPER_REVOCATION_CERT) { /* handle only HELPER certificates */ continue; } diff --git a/src/libstrongswan/credentials/sets/mem_cred.c b/src/libstrongswan/credentials/sets/mem_cred.c index c29a99f1f..e023e8443 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.c +++ b/src/libstrongswan/credentials/sets/mem_cred.c @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperwsil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * 
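Review bot: `find_first` receives `cert_equals` through a bare `(void*)` cast, whereas the mem_cred.c hunk in this same commit casts its equivalent match function to `(linked_list_match_t)`; the typed cast documents the expected signature and is what the rest of the change uses. Suggest `if (this->failed->find_first(this->failed, (linked_list_match_t)cert_equals,`. The enumerator state struct is declared in the previous hunk, so the body of `trusted_enumerate` begins outside this one.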
@@ -54,6 +56,11 @@ struct private_mem_cred_t {
 * List of shared keys, as shared_entry_t
 */
 linked_list_t *shared;
+
+ /**
+ * List of CDPs, as cdp_t
+ */
+ linked_list_t *cdps;
 };
 
 /**
@@ -144,21 +151,104 @@ static bool certificate_equals(certificate_t *item, certificate_t *cert) return item->equals(item, cert); } +/** + * Add a certificate the the cache. Returns a reference to "cert" or a + * previously cached certificate that equals "cert". + */ +static certificate_t *add_cert_internal(private_mem_cred_t *this, bool trusted, + certificate_t *cert) +{ + certificate_t *cached; + this->lock->write_lock(this->lock); + if (this->untrusted->find_first(this->untrusted, + (linked_list_match_t)certificate_equals, + (void**)&cached, cert) == SUCCESS) + { + cert->destroy(cert); + cert = cached->get_ref(cached); + } + else + { + if (trusted) + { + this->trusted->insert_first(this->trusted, cert->get_ref(cert)); + } + this->untrusted->insert_first(this->untrusted, cert->get_ref(cert)); + } + this->lock->unlock(this->lock); + return cert; +} + METHOD(mem_cred_t, add_cert, void, private_mem_cred_t *this, bool trusted, certificate_t *cert) { + certificate_t *cached = add_cert_internal(this, trusted, cert); + cached->destroy(cached); +} + +METHOD(mem_cred_t, add_cert_ref, certificate_t*, + private_mem_cred_t *this, bool trusted, certificate_t *cert) +{ + return add_cert_internal(this, trusted, cert); +} + +METHOD(mem_cred_t, add_crl, bool, + private_mem_cred_t *this, crl_t *crl) +{ + certificate_t *current, *cert = &crl->certificate; + enumerator_t *enumerator; + bool new = TRUE; + this->lock->write_lock(this->lock); - if (this->untrusted->find_last(this->untrusted, - (linked_list_match_t)certificate_equals, NULL, cert) != SUCCESS) + enumerator = this->untrusted->create_enumerator(this->untrusted); + while (enumerator->enumerate(enumerator, (void**)¤t)) { - if (trusted) + if (current->get_type(current) == CERT_X509_CRL) { - this->trusted->insert_last(this->trusted, cert->get_ref(cert)); + bool found = FALSE; + crl_t *crl_c = (crl_t*)current; + chunk_t authkey = crl->get_authKeyIdentifier(crl); + chunk_t authkey_c = crl_c->get_authKeyIdentifier(crl_c); + + /* 
compare authorityKeyIdentifiers if available */ + if (chunk_equals(authkey, authkey_c)) + { + found = TRUE; + } + else + { + identification_t *issuer = cert->get_issuer(cert); + identification_t *issuer_c = current->get_issuer(current); + + /* otherwise compare issuer distinguished names */ + if (issuer->equals(issuer, issuer_c)) + { + found = TRUE; + } + } + if (found) + { + new = crl_is_newer(crl, crl_c); + if (new) + { + this->untrusted->remove_at(this->untrusted, enumerator); + } + else + { + cert->destroy(cert); + } + break; + } } - this->untrusted->insert_last(this->untrusted, cert->get_ref(cert)); } - cert->destroy(cert); + enumerator->destroy(enumerator); + + if (new) + { + this->untrusted->insert_first(this->untrusted, cert); + } this->lock->unlock(this->lock); + return new; } /** @@ -218,7 +308,7 @@ METHOD(mem_cred_t, add_key, void, private_mem_cred_t *this, private_key_t *key) { this->lock->write_lock(this->lock); - this->keys->insert_last(this->keys, key); + this->keys->insert_first(this->keys, key); this->lock->unlock(this->lock); } 
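Review bot: When the new CRL supersedes a stored one, `add_crl` removes the old entry with `remove_at` but never releases it, so the reference the list owned to the replaced `current` CRL leaks on every update — unless `remove_at` destroys elements, which the list API does not appear to do given that `clear_` has to use `destroy_offset` for that. Suggest `this->untrusted->remove_at(this->untrusted, enumerator);` followed by `current->destroy(current);`. A daemon that refreshes CRLs regularly would otherwise grow without bound.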
@@ -342,32 +432,137 @@ METHOD(credential_set_t, create_shared_enumerator, enumerator_t*, (void*)shared_filter, data, (void*)shared_data_destroy); } -METHOD(mem_cred_t, add_shared, void, - private_mem_cred_t *this, shared_key_t *shared, ...) +METHOD(mem_cred_t, add_shared_list, void, + private_mem_cred_t *this, shared_key_t *shared, linked_list_t* owners) { shared_entry_t *entry; - identification_t *id; - va_list args; INIT(entry, .shared = shared, - .owners = linked_list_create(), + .owners = owners, ); + this->lock->write_lock(this->lock); + this->shared->insert_first(this->shared, entry); + this->lock->unlock(this->lock); +} + +METHOD(mem_cred_t, add_shared, void, + private_mem_cred_t *this, shared_key_t *shared, ...) +{ + identification_t *id; + linked_list_t *owners = linked_list_create(); + va_list args; + va_start(args, shared); do { id = va_arg(args, identification_t*); if (id) { - entry->owners->insert_last(entry->owners, id); + owners->insert_first(owners, id); } } while (id); va_end(args); + add_shared_list(this, shared, owners); +} + +/** + * Certificate distribution point + */ +typedef struct { + certificate_type_t type; + identification_t *id; + char *uri; +} cdp_t; + +/** + * Destroy a CDP entry + */ +static void cdp_destroy(cdp_t *this) +{ + this->id->destroy(this->id); + free(this->uri); + free(this); +} + +METHOD(mem_cred_t, add_cdp, void, + private_mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri) +{ + cdp_t *cdp; + + INIT(cdp, + .type = type, + .id = id->clone(id), + .uri = strdup(uri), + ); + this->lock->write_lock(this->lock); + this->cdps->insert_last(this->cdps, cdp); + this->lock->unlock(this->lock); +} + +/** + * CDP enumerator data + */ +typedef struct { + certificate_type_t type; + identification_t *id; + rwlock_t *lock; +} cdp_data_t; + +/** + * Clean up CDP enumerator data + */ +static void cdp_data_destroy(cdp_data_t *data) +{ + data->lock->unlock(data->lock); + free(data); +} + +/** + * CDP enumerator 
filter + */ +static bool cdp_filter(cdp_data_t *data, cdp_t **cdp, char **uri) +{ + if (data->type != CERT_ANY && data->type != (*cdp)->type) + { + return FALSE; + } + if (data->id && !(*cdp)->id->matches((*cdp)->id, data->id)) + { + return FALSE; + } + *uri = (*cdp)->uri; + return TRUE; +} + +METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*, + private_mem_cred_t *this, certificate_type_t type, identification_t *id) +{ + cdp_data_t *data; + + INIT(data, + .type = type, + .id = id, + .lock = this->lock, + ); + this->lock->read_lock(this->lock); + return enumerator_create_filter(this->cdps->create_enumerator(this->cdps), + (void*)cdp_filter, data, (void*)cdp_data_destroy); + +} + +METHOD(mem_cred_t, clear_secrets, void, + private_mem_cred_t *this) +{ this->lock->write_lock(this->lock); - this->shared->insert_last(this->shared, entry); + this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); + this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->keys = linked_list_create(); + this->shared = linked_list_create(); this->lock->unlock(this->lock); } @@ -379,13 +574,13 @@ METHOD(mem_cred_t, clear_, void, offsetof(certificate_t, destroy)); this->untrusted->destroy_offset(this->untrusted, offsetof(certificate_t, destroy)); - this->keys->destroy_offset(this->keys, offsetof(private_key_t, destroy)); - this->shared->destroy_function(this->shared, (void*)shared_entry_destroy); + this->cdps->destroy_function(this->cdps, (void*)cdp_destroy); this->trusted = linked_list_create(); this->untrusted = linked_list_create(); - this->keys = linked_list_create(); - this->shared = linked_list_create(); + this->cdps = linked_list_create(); this->lock->unlock(this->lock); + + clear_secrets(this); } METHOD(mem_cred_t, destroy, void, 
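Review bot: `add_cdp` only ever `strdup`s `uri`, so the parameter should be `const char *uri` here and in the matching mem_cred.h declaration in a later hunk; a mutable pointer forces callers holding literals or `const` data to cast. Separately, `create_cdp_enumerator` stores the caller's `id` in `cdp_data_t` without cloning it, so the caller must keep `id` alive until the enumerator is destroyed — worth a field comment such as `identification_t *id; /* borrowed from caller, valid for the enumerator's lifetime */`. There is also a stray blank line before the closing brace of `create_cdp_enumerator`.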
@@ -396,6 +591,7 @@ METHOD(mem_cred_t, destroy, void, this->untrusted->destroy(this->untrusted); this->keys->destroy(this->keys); this->shared->destroy(this->shared); + this->cdps->destroy(this->cdps); this->lock->destroy(this->lock); free(this); } @@ -413,19 +609,25 @@ mem_cred_t *mem_cred_create() .create_shared_enumerator = _create_shared_enumerator, .create_private_enumerator = _create_private_enumerator, .create_cert_enumerator = _create_cert_enumerator, - .create_cdp_enumerator = (void*)return_null, + .create_cdp_enumerator = _create_cdp_enumerator, .cache_cert = (void*)nop, }, .add_cert = _add_cert, + .add_cert_ref = _add_cert_ref, + .add_crl = _add_crl, .add_key = _add_key, .add_shared = _add_shared, + .add_shared_list = _add_shared_list, + .add_cdp = _add_cdp, .clear = _clear_, + .clear_secrets = _clear_secrets, .destroy = _destroy, }, .trusted = linked_list_create(), .untrusted = linked_list_create(), .keys = linked_list_create(), .shared = linked_list_create(), + .cdps = linked_list_create(), .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), ); diff --git a/src/libstrongswan/credentials/sets/mem_cred.h b/src/libstrongswan/credentials/sets/mem_cred.h index b26e43d6c..eb46b065b 100644 --- a/src/libstrongswan/credentials/sets/mem_cred.h +++ b/src/libstrongswan/credentials/sets/mem_cred.h @@ -1,4 +1,6 @@ /* + * Copyright (C) 2010 Tobias Brunner + * Hochschule fuer Technik Rapperswil * Copyright (C) 2010 Martin Willi * Copyright (C) 2010 revosec AG * @@ -24,6 +26,8 @@ typedef struct mem_cred_t mem_cred_t; #include +#include +#include /** * Generic in-memory credential set. 
@@ -43,6 +47,26 @@ struct mem_cred_t { */ void (*add_cert)(mem_cred_t *this, bool trusted, certificate_t *cert); + /** + * Add a certificate to the credential set, returning a reference to it or + * to a cached duplicate. + * + * @param trusted TRUE to serve certificate as trusted + * @param cert certificate, reference gets owned by set + * @return reference to cert or a previously cached duplicate + */ + certificate_t *(*add_cert_ref)(mem_cred_t *this, bool trusted, + certificate_t *cert); + + /** + * Add an X.509 CRL to the credential set. + * + * @param crl CRL, gets owned by set + * @return TRUE, if the CRL is newer than an existing one (or + * new at all) + */ + bool (*add_crl)(mem_cred_t *this, crl_t *crl); + /** * Add a private key to the credential set. * @@ -54,15 +78,39 @@ struct mem_cred_t { * Add a shared key to the credential set. * * @param shared shared key to add, gets owned by set - * @param ... NULL terminated list of owners identification_t* + * @param ... NULL terminated list of owners (identification_t*) */ void (*add_shared)(mem_cred_t *this, shared_key_t *shared, ...); + /** + * Add a shared key to the credential set. + * + * @param shared shared key to add, gets owned by set + * @param owners list of owners (identification_t*), gets owned + */ + void (*add_shared_list)(mem_cred_t *this, shared_key_t *shared, + linked_list_t *owners); + /** + * Add a certificate distribution point to the set. + * + * @param type type of the certificate + * @param id certificate ID CDP has a cert for, gets cloned + * @param uri CDP URI, gets strduped + */ + void (*add_cdp)(mem_cred_t *this, certificate_type_t type, + identification_t *id, char *uri); + /** * Clear all credentials from the credential set. */ void (*clear)(mem_cred_t *this); + /** + * Clear the secrets (private and shared keys, not the certificates) from + * the credential set. + */ + void (*clear_secrets)(mem_cred_t *this); + /** * Destroy a mem_cred_t. */ 
diff --git a/src/libstrongswan/crypto/crypto_factory.c b/src/libstrongswan/crypto/crypto_factory.c index f2f01987d..2d13896d6 100644 --- a/src/libstrongswan/crypto/crypto_factory.c +++ b/src/libstrongswan/crypto/crypto_factory.c @@ -20,13 +20,29 @@ #include #include +const char *default_plugin_name = "default"; + typedef struct entry_t entry_t; + struct entry_t { - /* algorithm */ + /** + * algorithm + */ u_int algo; - /* benchmarked speed */ + + /** + * plugin that registered this algorithm + */ + const char *plugin_name; + + /** + * benchmarked speed + */ u_int speed; - /* constructor */ + + /** + * constructor + */ union { crypter_constructor_t create_crypter; aead_constructor_t create_aead; @@ -128,7 +144,8 @@ METHOD(crypto_factory_t, create_crypter, crypter_t*, { if (this->test_on_create && !this->tester->test_crypter(this->tester, algo, key_size, - entry->create_crypter, NULL)) + entry->create_crypter, NULL, + default_plugin_name)) { continue; } @@ -160,7 +177,8 @@ METHOD(crypto_factory_t, create_aead, aead_t*, { if (this->test_on_create && !this->tester->test_aead(this->tester, algo, key_size, - entry->create_aead, NULL)) + entry->create_aead, NULL, + default_plugin_name)) { continue; } @@ -191,7 +209,8 @@ METHOD(crypto_factory_t, create_signer, signer_t*, { if (this->test_on_create && !this->tester->test_signer(this->tester, algo, - entry->create_signer, NULL)) + entry->create_signer, NULL, + default_plugin_name)) { continue; } @@ -223,7 +242,8 @@ METHOD(crypto_factory_t, create_hasher, hasher_t*, { if (this->test_on_create && algo != HASH_PREFERRED && !this->tester->test_hasher(this->tester, algo, - entry->create_hasher, NULL)) + entry->create_hasher, NULL, + default_plugin_name)) { continue; } @@ -254,7 +274,8 @@ METHOD(crypto_factory_t, create_prf, prf_t*, { if (this->test_on_create && !this->tester->test_prf(this->tester, algo, - entry->create_prf, NULL)) + entry->create_prf, NULL, + default_plugin_name)) { continue; } 
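Review bot: `default_plugin_name` is a non-static, non-const pointer with external linkage; unless a header declares it `extern` (the crypto_factory.h hunk in this commit shows none), it should be file-local and immutable: `static const char *const default_plugin_name = "default";`. The new `entry_t.plugin_name` field stores the registering plugin's string by pointer, not by copy, so the string has to outlive the entry — the struct comment should say so, e.g. `/* plugin that registered this algorithm; not copied, must outlive the entry */`. The later hunks in this file pass the same pointer through `add_entry`, which is fine as long as that lifetime rule holds.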
@@ -286,7 +307,8 @@ METHOD(crypto_factory_t, create_rng, rng_t*, { if (this->test_on_create && !this->tester->test_rng(this->tester, quality, - entry->create_rng, NULL)) + entry->create_rng, NULL, + default_plugin_name)) { continue; } @@ -350,7 +372,8 @@ METHOD(crypto_factory_t, create_dh, diffie_hellman_t*, * Insert an algorithm entry to a list */ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, - int algo, u_int speed, void *create) + int algo, const char *plugin_name, + u_int speed, void *create) { entry_t *entry, *current; linked_list_t *tmp; @@ -358,6 +381,7 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, INIT(entry, .algo = algo, + .plugin_name = plugin_name, .speed = speed, ); entry->create = create; @@ -391,16 +415,16 @@ static void add_entry(private_crypto_factory_t *this, linked_list_t *list, } METHOD(crypto_factory_t, add_crypter, void, - private_crypto_factory_t *this, encryption_algorithm_t algo, - crypter_constructor_t create) + private_crypto_factory_t *this, encryption_algorithm_t algo, + const char *plugin_name, crypter_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_crypter(this->tester, algo, 0, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->crypters, algo, speed, create); + add_entry(this, this->crypters, algo, plugin_name, speed, create); } } 
@@ -425,16 +449,16 @@ METHOD(crypto_factory_t, remove_crypter, void, } METHOD(crypto_factory_t, add_aead, void, - private_crypto_factory_t *this, encryption_algorithm_t algo, - aead_constructor_t create) + private_crypto_factory_t *this, encryption_algorithm_t algo, + const char *plugin_name, aead_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_aead(this->tester, algo, 0, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->aeads, algo, speed, create); + add_entry(this, this->aeads, algo, plugin_name, speed, create); } } @@ -459,16 +483,16 @@ METHOD(crypto_factory_t, remove_aead, void, } METHOD(crypto_factory_t, add_signer, void, - private_crypto_factory_t *this, integrity_algorithm_t algo, - signer_constructor_t create) + private_crypto_factory_t *this, integrity_algorithm_t algo, + const char *plugin_name, signer_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_signer(this->tester, algo, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->signers, algo, speed, create); + add_entry(this, this->signers, algo, plugin_name, speed, create); } } @@ -493,16 +517,16 @@ METHOD(crypto_factory_t, remove_signer, void, } METHOD(crypto_factory_t, add_hasher, void, - private_crypto_factory_t *this, hash_algorithm_t algo, - hasher_constructor_t create) + private_crypto_factory_t *this, hash_algorithm_t algo, + const char *plugin_name, hasher_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_hasher(this->tester, algo, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->hashers, algo, speed, create); + add_entry(this, this->hashers, algo, plugin_name, speed, create); } } 
@@ -527,16 +551,16 @@ METHOD(crypto_factory_t, remove_hasher, void, } METHOD(crypto_factory_t, add_prf, void, - private_crypto_factory_t *this, pseudo_random_function_t algo, - prf_constructor_t create) + private_crypto_factory_t *this, pseudo_random_function_t algo, + const char *plugin_name, prf_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_prf(this->tester, algo, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->prfs, algo, speed, create); + add_entry(this, this->prfs, algo, plugin_name, speed, create); } } @@ -562,15 +586,15 @@ METHOD(crypto_factory_t, remove_prf, void, METHOD(crypto_factory_t, add_rng, void, private_crypto_factory_t *this, rng_quality_t quality, - rng_constructor_t create) + const char *plugin_name, rng_constructor_t create) { u_int speed = 0; if (!this->test_on_add || this->tester->test_rng(this->tester, quality, create, - this->bench ? &speed : NULL)) + this->bench ? &speed : NULL, plugin_name)) { - add_entry(this, this->rngs, quality, speed, create); + add_entry(this, this->rngs, quality, plugin_name, speed, create); } } @@ -595,10 +619,10 @@ METHOD(crypto_factory_t, remove_rng, void, } METHOD(crypto_factory_t, add_dh, void, - private_crypto_factory_t *this, diffie_hellman_group_t group, - dh_constructor_t create) + private_crypto_factory_t *this, diffie_hellman_group_t group, + const char *plugin_name, dh_constructor_t create) { - add_entry(this, this->dhs, group, 0, create); + add_entry(this, this->dhs, group, plugin_name, 0, create); } METHOD(crypto_factory_t, remove_dh, void, 
@@ -660,9 +684,11 @@ static enumerator_t *create_enumerator(private_crypto_factory_t *this, /** * Filter function to enumerate algorithm, not entry */ -static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo) +static bool crypter_filter(void *n, entry_t **entry, encryption_algorithm_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -681,9 +707,11 @@ METHOD(crypto_factory_t, create_aead_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo) +static bool signer_filter(void *n, entry_t **entry, integrity_algorithm_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -696,9 +724,11 @@ METHOD(crypto_factory_t, create_signer_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo) +static bool hasher_filter(void *n, entry_t **entry, hash_algorithm_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -711,9 +741,11 @@ METHOD(crypto_factory_t, create_hasher_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo) +static bool prf_filter(void *n, entry_t **entry, pseudo_random_function_t *algo, + void *i2, const char **plugin_name) { *algo = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } 
@@ -726,9 +758,11 @@ METHOD(crypto_factory_t, create_prf_enumerator, enumerator_t*, /** * Filter function to enumerate algorithm, not entry */ -static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group) +static bool dh_filter(void *n, entry_t **entry, diffie_hellman_group_t *group, + void *i2, const char **plugin_name) { *group = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; return TRUE; } @@ -738,6 +772,22 @@ METHOD(crypto_factory_t, create_dh_enumerator, enumerator_t*, return create_enumerator(this, this->dhs, dh_filter); } +/** + * Filter function to enumerate algorithm, not entry + */ +static bool rng_filter(void *n, entry_t **entry, rng_quality_t *quality, + void *i2, const char **plugin_name) +{ + *quality = (*entry)->algo; + *plugin_name = (*entry)->plugin_name; + return TRUE; +} + +METHOD(crypto_factory_t, create_rng_enumerator, enumerator_t*, + private_crypto_factory_t *this) +{ + return create_enumerator(this, this->rngs, rng_filter); +} METHOD(crypto_factory_t, add_test_vector, void, private_crypto_factory_t *this, transform_type_t type, void *vector) { @@ -812,6 +862,7 @@ crypto_factory_t *crypto_factory_create() .create_hasher_enumerator = _create_hasher_enumerator, .create_prf_enumerator = _create_prf_enumerator, .create_dh_enumerator = _create_dh_enumerator, + .create_rng_enumerator = _create_rng_enumerator, .add_test_vector = _add_test_vector, .destroy = _destroy, }, diff --git a/src/libstrongswan/crypto/crypto_factory.h b/src/libstrongswan/crypto/crypto_factory.h index ff06eda7b..8e5db6355 100644 --- a/src/libstrongswan/crypto/crypto_factory.h +++ b/src/libstrongswan/crypto/crypto_factory.h @@ -33,6 +33,8 @@ typedef struct crypto_factory_t crypto_factory_t; #include #include +#define CRYPTO_MAX_ALG_LINE 120 /* characters */ + /** * Constructor function for crypters */ 
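Review bot: The new `create_rng_enumerator` is immediately followed by the context line `METHOD(crypto_factory_t, add_test_vector, void,` with no separating blank line, unlike every other METHOD pair in this file; add the blank line after its closing `}`. The six filter functions in this and the previous hunk now all carry an unnamed `void *i2` parameter with identical bodies apart from the output type; a brief comment on the first one, e.g. `/* i2 is the unused second output slot of the entry enumerator */`, would explain the parameter to readers unfamiliar with the filter convention, if that is indeed its role.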
@@ -144,11 +146,12 @@ struct crypto_factory_t { * Register a crypter constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_crypter)(crypto_factory_t *this, encryption_algorithm_t algo, - crypter_constructor_t create); + const char *plugin_name, crypter_constructor_t create); /** * Unregister a crypter constructor. @@ -168,21 +171,23 @@ struct crypto_factory_t { * Register a aead constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_aead)(crypto_factory_t *this, encryption_algorithm_t algo, - aead_constructor_t create); + const char *plugin_name, aead_constructor_t create); /** * Register a signer constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_signer)(crypto_factory_t *this, integrity_algorithm_t algo, - signer_constructor_t create); + const char *plugin_name, signer_constructor_t create); /** * Unregister a signer constructor. @@ -198,11 +203,12 @@ struct crypto_factory_t { * create_hasher(HASH_PREFERRED). * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_hasher)(crypto_factory_t *this, hash_algorithm_t algo, - hasher_constructor_t create); + const char *plugin_name, hasher_constructor_t create); /** * Unregister a hasher constructor. 
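Review bot: The new `@param plugin_name plugin that registered this algorithm` on `add_crypter` says nothing about the string's lifetime or ownership. The factory's filter functions later read `(*entry)->plugin_name` back out of the stored entry, which suggests the pointer is kept rather than copied (the `add_*` bodies are not visible here to confirm); if so the caller must keep the string alive until the algorithm is unregistered, which the `aes` plugin satisfies by using a string literal. Suggest `@param plugin_name  name of the registering plugin; not copied, must stay valid while registered` here and on `add_aead`, `add_signer`, `add_hasher` below and `add_prf`, `add_rng`, `add_dh` in the following hunks.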
@@ -215,11 +221,12 @@ struct crypto_factory_t { * Register a prf constructor. * * @param algo algorithm to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_prf)(crypto_factory_t *this, pseudo_random_function_t algo, - prf_constructor_t create); + const char *plugin_name, prf_constructor_t create); /** * Unregister a prf constructor. @@ -232,9 +239,11 @@ struct crypto_factory_t { * Register a source of randomness. * * @param quality quality of randomness this RNG serves + * @param plugin_name plugin that registered this algorithm * @param create constructor function for such a quality */ - void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, rng_constructor_t create); + void (*add_rng)(crypto_factory_t *this, rng_quality_t quality, + const char *plugin_name, rng_constructor_t create); /** * Unregister a source of randomness. @@ -247,11 +256,12 @@ struct crypto_factory_t { * Register a diffie hellman constructor. * * @param group dh group to constructor + * @param plugin_name plugin that registered this algorithm * @param create constructor function for that algorithm * @return */ void (*add_dh)(crypto_factory_t *this, diffie_hellman_group_t group, - dh_constructor_t create); + const char *plugin_name, dh_constructor_t create); /** * Unregister a diffie hellman constructor. @@ -302,6 +312,13 @@ struct crypto_factory_t { */ enumerator_t* (*create_dh_enumerator)(crypto_factory_t *this); + /** + * Create an enumerator over all registered random generators. + * + * @return enumerator over rng_quality_t + */ + enumerator_t* (*create_rng_enumerator)(crypto_factory_t *this); + /** * Add a test vector to the crypto factory. * diff --git a/src/libstrongswan/crypto/crypto_tester.c b/src/libstrongswan/crypto/crypto_tester.c index d17485ff2..276f4329a 100644 --- a/src/libstrongswan/crypto/crypto_tester.c +++ b/src/libstrongswan/crypto/crypto_tester.c 
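Review bot: The new `create_rng_enumerator` is documented as `@return enumerator over rng_quality_t`, but `rng_filter` in crypto_factory.c writes two values per item, the quality and the registering plugin's name, so callers have to pass two out pointers. The line should read `* @return enumerator over rng_quality_t, const char *plugin_name`; the older `create_*_enumerator` comments above this hunk presumably need the same addition now that their filters also yield the plugin name, but those lines are outside the hunk.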
@@ -165,7 +165,7 @@ static u_int bench_crypter(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_crypter, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, - crypter_constructor_t create, u_int *speed) + crypter_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; crypter_test_vector_t *vector; @@ -188,7 +188,11 @@ METHOD(crypto_tester_t, test_crypter, bool, } crypter = create(alg, vector->key_size); if (!crypter) - { /* key size not supported... */ + { + DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", + encryption_algorithm_names, alg, plugin_name, + BITS_PER_BYTE * vector->key_size); + failed = TRUE; continue; } 
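Review bot: Setting `failed = TRUE` when `create()` rejects a vector's key size changes the meaning of `failed` from "a vector failed" to "a vector failed or a key size was unsupported". Unless the loop resets `failed` before testing the next vector (the start of the loop body is outside the hunk), a vector with an unsupported key size that precedes a supported one leaves the flag set, so the `if (failed)` check after `crypter->destroy()` in the next hunk would log "test vector failed" for a vector that passed and disable an algorithm that merely does not implement every key size. A separate flag such as `bool unsupported = FALSE;`, set in this branch and consulted only in the `!tested` branch, would keep the two conditions apart. `test_aead` in the later hunk has the same pattern.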
@@ -231,31 +235,40 @@ METHOD(crypto_tester_t, test_crypter, bool, crypter->destroy(crypter); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - encryption_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + encryption_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", - this->required ? "disabled" : "enabled ", - encryption_algorithm_names, alg); - return !this->required; + if (failed) + { + DBG1(DBG_LIB,"disable %N[%s]: no key size supported", + encryption_algorithm_names, alg, plugin_name); + return FALSE; + } + else + { + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg, plugin_name); + return !this->required; + } } if (!failed) { if (speed) { *speed = bench_crypter(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - encryption_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + encryption_algorithm_names, alg, tested, plugin_name, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - encryption_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + encryption_algorithm_names, alg, plugin_name, tested); } } return !failed; @@ -311,7 +324,7 @@ static u_int bench_aead(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_aead, bool, private_crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, - aead_constructor_t create, u_int *speed) + aead_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; aead_test_vector_t *vector; 
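Review bot: The benchmarking log line in `test_crypter`, `encryption_algorithm_names, alg, tested, plugin_name, *speed);`, passes `tested` to the `%s` conversion and `plugin_name` to `%u`; a `u_int` consumed as `char *` is undefined behaviour and will typically crash or print garbage whenever `speed` is requested. The sibling `test_aead` and `test_signer` hunks use the correct order, so this line should read `encryption_algorithm_names, alg, plugin_name, tested, *speed);`. Separately, `DBG1(DBG_LIB,"disable %N[%s]: no key size supported"` lacks the space after the comma and says `disable` where every other message in these functions says `disabled`; the same line recurs in `test_aead`. `test_crypter`'s body starts outside this hunk.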
@@ -335,7 +348,11 @@ METHOD(crypto_tester_t, test_aead, bool, } aead = create(alg, vector->key_size); if (!aead) - { /* key size not supported... */ + { + DBG1(DBG_LIB, "%N[%s]: %u bit key size not supported", + encryption_algorithm_names, alg, plugin_name, + BITS_PER_BYTE * vector->key_size); + failed = TRUE; continue; } @@ -388,31 +405,40 @@ METHOD(crypto_tester_t, test_aead, bool, aead->destroy(aead); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - encryption_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + encryption_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", - this->required ? "disabled" : "enabled ", - encryption_algorithm_names, alg); - return !this->required; + if (failed) + { + DBG1(DBG_LIB,"disable %N[%s]: no key size supported", + encryption_algorithm_names, alg, plugin_name); + return FALSE; + } + else + { + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", + this->required ? "disabled" : "enabled ", + encryption_algorithm_names, alg, plugin_name); + return !this->required; + } } if (!failed) { if (speed) { *speed = bench_aead(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - encryption_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + encryption_algorithm_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - encryption_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + encryption_algorithm_names, alg, plugin_name, tested); } } return !failed; 
@@ -460,7 +486,7 @@ static u_int bench_signer(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_signer, bool, private_crypto_tester_t *this, integrity_algorithm_t alg, - signer_constructor_t create, u_int *speed) + signer_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; signer_test_vector_t *vector; @@ -482,8 +508,8 @@ METHOD(crypto_tester_t, test_signer, bool, signer = create(alg); if (!signer) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - integrity_algorithm_names, alg); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + integrity_algorithm_names, alg, plugin_name); failed = TRUE; break; } @@ -538,17 +564,17 @@ METHOD(crypto_tester_t, test_signer, bool, signer->destroy(signer); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - integrity_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + integrity_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", - integrity_algorithm_names, alg); + integrity_algorithm_names, alg, plugin_name); return !this->required; } if (!failed) @@ -556,13 +582,13 @@ METHOD(crypto_tester_t, test_signer, bool, if (speed) { *speed = bench_signer(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - integrity_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + integrity_algorithm_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - integrity_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + integrity_algorithm_names, alg, plugin_name, tested); } } return !failed; 
@@ -604,7 +630,7 @@ static u_int bench_hasher(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_hasher, bool, private_crypto_tester_t *this, hash_algorithm_t alg, - hasher_constructor_t create, u_int *speed) + hasher_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; hasher_test_vector_t *vector; @@ -626,8 +652,8 @@ METHOD(crypto_tester_t, test_hasher, bool, hasher = create(alg); if (!hasher) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - hash_algorithm_names, alg); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + hash_algorithm_names, alg, plugin_name); failed = TRUE; break; } @@ -669,17 +695,17 @@ METHOD(crypto_tester_t, test_hasher, bool, hasher->destroy(hasher); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - hash_algorithm_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + hash_algorithm_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", - hash_algorithm_names, alg); + hash_algorithm_names, alg, plugin_name); return !this->required; } if (!failed) @@ -687,13 +713,13 @@ METHOD(crypto_tester_t, test_hasher, bool, if (speed) { *speed = bench_hasher(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - hash_algorithm_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + hash_algorithm_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - hash_algorithm_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + hash_algorithm_names, alg, plugin_name, tested); } } return !failed; 
@@ -735,7 +761,7 @@ static u_int bench_prf(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_prf, bool, private_crypto_tester_t *this, pseudo_random_function_t alg, - prf_constructor_t create, u_int *speed) + prf_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; prf_test_vector_t *vector; @@ -757,8 +783,8 @@ METHOD(crypto_tester_t, test_prf, bool, prf = create(alg); if (!prf) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - pseudo_random_function_names, alg); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + pseudo_random_function_names, alg, plugin_name); failed = TRUE; break; } @@ -811,17 +837,17 @@ METHOD(crypto_tester_t, test_prf, bool, prf->destroy(prf); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - pseudo_random_function_names, alg, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + pseudo_random_function_names, alg, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? "disabled" : "enabled ", - pseudo_random_function_names, alg); + pseudo_random_function_names, alg, plugin_name); return !this->required; } if (!failed) @@ -829,13 +855,13 @@ METHOD(crypto_tester_t, test_prf, bool, if (speed) { *speed = bench_prf(this, alg, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - pseudo_random_function_names, alg, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + pseudo_random_function_names, alg, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - pseudo_random_function_names, alg, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + pseudo_random_function_names, alg, plugin_name, tested); } } return !failed; 
@@ -874,7 +900,7 @@ static u_int bench_rng(private_crypto_tester_t *this, METHOD(crypto_tester_t, test_rng, bool, private_crypto_tester_t *this, rng_quality_t quality, - rng_constructor_t create, u_int *speed) + rng_constructor_t create, u_int *speed, const char *plugin_name) { enumerator_t *enumerator; rng_test_vector_t *vector; @@ -883,8 +909,8 @@ METHOD(crypto_tester_t, test_rng, bool, if (!this->rng_true && quality == RNG_TRUE) { - DBG1(DBG_LIB, "enabled %N: skipping test (disabled by config)", - rng_quality_names, quality); + DBG1(DBG_LIB, "enabled %N[%s]: skipping test (disabled by config)", + rng_quality_names, quality, plugin_name); return TRUE; } @@ -903,8 +929,8 @@ METHOD(crypto_tester_t, test_rng, bool, rng = create(quality); if (!rng) { - DBG1(DBG_LIB, "disabled %N: creating instance failed", - rng_quality_names, quality); + DBG1(DBG_LIB, "disabled %N[%s]: creating instance failed", + rng_quality_names, quality, plugin_name); failed = TRUE; break; } @@ -933,17 +959,17 @@ METHOD(crypto_tester_t, test_rng, bool, rng->destroy(rng); if (failed) { - DBG1(DBG_LIB, "disabled %N: %s test vector failed", - rng_quality_names, quality, get_name(vector)); + DBG1(DBG_LIB, "disabled %N[%s]: %s test vector failed", + rng_quality_names, quality, plugin_name, get_name(vector)); break; } } enumerator->destroy(enumerator); if (!tested) { - DBG1(DBG_LIB, "%s %N: no test vectors found", + DBG1(DBG_LIB, "%s %N[%s]: no test vectors found", this->required ? ", disabled" : "enabled ", - rng_quality_names, quality); + rng_quality_names, quality, plugin_name); return !this->required; } if (!failed) 
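Review bot: The "no test vectors found" message in `test_rng` still selects `", disabled"` when `this->required` is set, so the log line comes out as `, disabled RNG_...`; this commit rewrites the format and argument lines of that very `DBG1` call while the stray comma in the unchanged context line survives. Every other `test_*` function uses `"disabled"` here, so the line should be `this->required ? "disabled" : "enabled ",`.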
@@ -951,13 +977,13 @@ METHOD(crypto_tester_t, test_rng, bool, if (speed) { *speed = bench_rng(this, quality, create); - DBG1(DBG_LIB, "enabled %N: passed %u test vectors, %d points", - rng_quality_names, quality, tested, *speed); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors, %d points", + rng_quality_names, quality, plugin_name, tested, *speed); } else { - DBG1(DBG_LIB, "enabled %N: passed %u test vectors", - rng_quality_names, quality, tested); + DBG1(DBG_LIB, "enabled %N[%s]: passed %u test vectors", + rng_quality_names, quality, plugin_name, tested); } } return !failed; diff --git a/src/libstrongswan/crypto/crypto_tester.h b/src/libstrongswan/crypto/crypto_tester.h index cef0b3c18..019c87c39 100644 --- a/src/libstrongswan/crypto/crypto_tester.h +++ b/src/libstrongswan/crypto/crypto_tester.h @@ -143,7 +143,7 @@ struct crypto_tester_t { */ bool (*test_crypter)(crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, crypter_constructor_t create, - u_int *speed); + u_int *speed, const char *plugin_name); /** * Test an aead algorithm, optionally using a specified key size. @@ -156,7 +156,7 @@ struct crypto_tester_t { */ bool (*test_aead)(crypto_tester_t *this, encryption_algorithm_t alg, size_t key_size, aead_constructor_t create, - u_int *speed); + u_int *speed, const char *plugin_name); /** * Test a signer algorithm. * @@ -166,7 +166,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_signer)(crypto_tester_t *this, integrity_algorithm_t alg, - signer_constructor_t create, u_int *speed); + signer_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a hasher algorithm. * @@ -176,7 +177,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_hasher)(crypto_tester_t *this, hash_algorithm_t alg, - hasher_constructor_t create, u_int *speed); + hasher_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a PRF algorithm. * 
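Review bot: In crypto_tester.h the `test_crypter` prototype gains `const char *plugin_name`, but the visible hunk adds no `@param plugin_name` to the Doxygen block whose `@return TRUE if test passed` line is the context directly above it. If the parameter list above the hunk was not updated either, `test_crypter`, `test_aead`, `test_signer`, `test_hasher` here and `test_prf`, `test_rng` in the next hunk should each get `* @param plugin_name  name of the plugin providing create, used in log output`; the crypto_tester.c hunks show the name is only ever passed to `DBG1`, which the doc line can state.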
@@ -186,7 +188,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_prf)(crypto_tester_t *this, pseudo_random_function_t alg, - prf_constructor_t create, u_int *speed); + prf_constructor_t create, + u_int *speed, const char *plugin_name); /** * Test a RNG implementation. * @@ -196,7 +199,8 @@ struct crypto_tester_t { * @return TRUE if test passed */ bool (*test_rng)(crypto_tester_t *this, rng_quality_t quality, - rng_constructor_t create, u_int *speed); + rng_constructor_t create, + u_int *speed, const char *plugin_name); /** * Add a test vector to test a crypter. * diff --git a/src/libstrongswan/eap/eap.h b/src/libstrongswan/eap/eap.h index 1d55747a4..e98a3a211 100644 --- a/src/libstrongswan/eap/eap.h +++ b/src/libstrongswan/eap/eap.h @@ -82,7 +82,7 @@ extern enum_name_t *eap_type_short_names; * Lookup the EAP method type from a string. * * @param name EAP method name (such as "md5", "aka") - * @return method type, 0 if unkown + * @return method type, 0 if unknown */ eap_type_t eap_type_from_string(char *name); diff --git a/src/libstrongswan/enum.c b/src/libstrongswan/enum.c index 258a5b410..5c811bd17 100644 --- a/src/libstrongswan/enum.c +++ b/src/libstrongswan/enum.c @@ -43,7 +43,7 @@ int enum_from_name(enum_name_t *e, char *name) { do { - int i, count = e->last - e->first; + int i, count = e->last - e->first + 1; for (i = 0; i < count; i++) { diff --git a/src/libstrongswan/fetcher/fetcher_manager.c b/src/libstrongswan/fetcher/fetcher_manager.c index c81de032c..b007c8b08 100644 --- a/src/libstrongswan/fetcher/fetcher_manager.c +++ b/src/libstrongswan/fetcher/fetcher_manager.c @@ -92,7 +92,7 @@ static status_t fetch(private_fetcher_manager_t *this, va_start(args, response); while (good) { - opt = va_arg(args, fetcher_option_t); + opt = va_arg(args, int); switch (opt) { case FETCH_REQUEST_DATA: 
@@ -109,7 +109,7 @@ static status_t fetch(private_fetcher_manager_t *this, good = fetcher->set_option(fetcher, opt, va_arg(args, u_int)); continue; case FETCH_END: - break;; + break; } break; } diff --git a/src/libstrongswan/integrity_checker.c b/src/libstrongswan/integrity_checker.c index c9cad44ae..e962aba70 100644 --- a/src/libstrongswan/integrity_checker.c +++ b/src/libstrongswan/integrity_checker.c @@ -57,11 +57,8 @@ struct private_integrity_checker_t { int checksum_count; }; -/** - * Implementation of integrity_checker_t.build_file - */ -static u_int32_t build_file(private_integrity_checker_t *this, char *file, - size_t *len) +METHOD(integrity_checker_t, build_file, u_int32_t, + private_integrity_checker_t *this, char *file, size_t *len) { u_int32_t checksum; chunk_t contents; @@ -136,11 +133,8 @@ static int callback(struct dl_phdr_info *dlpi, size_t size, Dl_info *dli) return 0; } -/** - * Implementation of integrity_checker_t.build_segment - */ -static u_int32_t build_segment(private_integrity_checker_t *this, void *sym, - size_t *len) +METHOD(integrity_checker_t, build_segment, u_int32_t, + private_integrity_checker_t *this, void *sym, size_t *len) { chunk_t segment; Dl_info dli; @@ -180,11 +174,8 @@ static integrity_checksum_t *find_checksum(private_integrity_checker_t *this, return NULL; } -/** - * Implementation of integrity_checker_t.check_file - */ -static bool check_file(private_integrity_checker_t *this, - char *name, char *file) +METHOD(integrity_checker_t, check_file, bool, + private_integrity_checker_t *this, char *name, char *file) { integrity_checksum_t *cs; u_int32_t sum; 
@@ -217,11 +208,8 @@ static bool check_file(private_integrity_checker_t *this, return TRUE; } -/** - * Implementation of integrity_checker_t.check_segment - */ -static bool check_segment(private_integrity_checker_t *this, - char *name, void *sym) +METHOD(integrity_checker_t, check_segment, bool, + private_integrity_checker_t *this, char *name, void *sym) { integrity_checksum_t *cs; u_int32_t sum; @@ -254,10 +242,8 @@ static bool check_segment(private_integrity_checker_t *this, return TRUE; } -/** - * Implementation of integrity_checker_t.check - */ -static bool check(private_integrity_checker_t *this, char *name, void *sym) +METHOD(integrity_checker_t, check, bool, + private_integrity_checker_t *this, char *name, void *sym) { Dl_info dli; @@ -277,10 +263,8 @@ static bool check(private_integrity_checker_t *this, char *name, void *sym) return TRUE; } -/** - * Implementation of integrity_checker_t.destroy. - */ -static void destroy(private_integrity_checker_t *this) +METHOD(integrity_checker_t, destroy, void, + private_integrity_checker_t *this) { if (this->handle) { 
@@ -294,17 +278,19 @@ static void destroy(private_integrity_checker_t *this) */ integrity_checker_t *integrity_checker_create(char *checksum_library) { - private_integrity_checker_t *this = malloc_thing(private_integrity_checker_t); - - this->public.check_file = (bool(*)(integrity_checker_t*, char *name, char *file))check_file; - this->public.build_file = (u_int32_t(*)(integrity_checker_t*, char *file, size_t *len))build_file; - this->public.check_segment = (bool(*)(integrity_checker_t*, char *name, void *sym))check_segment; - this->public.build_segment = (u_int32_t(*)(integrity_checker_t*, void *sym, size_t *len))build_segment; - this->public.check = (bool(*)(integrity_checker_t*, char *name, void *sym))check; - this->public.destroy = (void(*)(integrity_checker_t*))destroy; + private_integrity_checker_t *this; + + INIT(this, + .public = { + .check_file = _check_file, + .build_file = _build_file, + .check_segment = _check_segment, + .build_segment = _build_segment, + .check = _check, + .destroy = _destroy, + }, + ); - this->checksum_count = 0; - this->handle = NULL; if (checksum_library) { this->handle = dlopen(checksum_library, RTLD_LAZY); diff --git a/src/libstrongswan/plugins/aes/Makefile.in b/src/libstrongswan/plugins/aes/Makefile.in index 99a520852..9835cd5b9 100644 --- a/src/libstrongswan/plugins/aes/Makefile.in +++ b/src/libstrongswan/plugins/aes/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
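Review bot: `integrity_checker_create` drops the explicit `this->checksum_count = 0;` and `this->handle = NULL;` and now relies on `INIT()` zero-filling every member not named in its initializer list; that holds if INIT expands to a compound-literal assignment, but its definition is not visible here, and `destroy` in the previous hunk tests `this->handle`, so the zero value is load-bearing. A short comment after the INIT call, `/* INIT zero-initializes handle and checksum_count */`, would make the dependency explicit for the next reader.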
diff --git a/src/libstrongswan/plugins/aes/aes_plugin.c b/src/libstrongswan/plugins/aes/aes_plugin.c index 22b47e334..1c060b6c8 100644 --- a/src/libstrongswan/plugins/aes/aes_plugin.c +++ b/src/libstrongswan/plugins/aes/aes_plugin.c @@ -18,6 +18,8 @@ #include #include "aes_crypter.h" +static const char *plugin_name = "aes"; + typedef struct private_aes_plugin_t private_aes_plugin_t; /** @@ -54,7 +56,7 @@ plugin_t *aes_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)aes_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/af_alg/Makefile.am b/src/libstrongswan/plugins/af_alg/Makefile.am new file mode 100644 index 000000000..a33fd30b6 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/Makefile.am @@ -0,0 +1,20 @@ + +INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-af-alg.la +else +plugin_LTLIBRARIES = libstrongswan-af-alg.la +endif + +libstrongswan_af_alg_la_SOURCES = \ + af_alg_plugin.h af_alg_plugin.c \ + af_alg_ops.h af_alg_ops.c \ + af_alg_hasher.h af_alg_hasher.c \ + af_alg_signer.h af_alg_signer.c \ + af_alg_prf.h af_alg_prf.c \ + af_alg_crypter.h af_alg_crypter.c + +libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/af_alg/Makefile.in b/src/libstrongswan/plugins/af_alg/Makefile.in new file mode 100644 index 000000000..aa8df979e --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/Makefile.in 
@@ -0,0 +1,612 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/af_alg +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = 
srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_af_alg_la_LIBADD = +am_libstrongswan_af_alg_la_OBJECTS = af_alg_plugin.lo af_alg_ops.lo \ + af_alg_hasher.lo af_alg_signer.lo af_alg_prf.lo \ + af_alg_crypter.lo +libstrongswan_af_alg_la_OBJECTS = \ + $(am_libstrongswan_af_alg_la_OBJECTS) +libstrongswan_af_alg_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_af_alg_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_af_alg_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_af_alg_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_af_alg_la_SOURCES) +DIST_SOURCES = $(libstrongswan_af_alg_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ 
+RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = 
@program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I${linux_headers} -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-af-alg.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-af-alg.la +libstrongswan_af_alg_la_SOURCES = \ + af_alg_plugin.h af_alg_plugin.c \ + af_alg_ops.h af_alg_ops.c \ + af_alg_hasher.h af_alg_hasher.c \ + af_alg_signer.h af_alg_signer.c \ + af_alg_prf.h af_alg_prf.c \ + af_alg_crypter.h af_alg_crypter.c + +libstrongswan_af_alg_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/af_alg/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-af-alg.la: $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_DEPENDENCIES) + $(libstrongswan_af_alg_la_LINK) $(am_libstrongswan_af_alg_la_rpath) $(libstrongswan_af_alg_la_OBJECTS) $(libstrongswan_af_alg_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_crypter.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_hasher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_ops.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_prf.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/af_alg_signer.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< 
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) 
"$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.c b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c new file mode 100644 index 000000000..3416ad8d2 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.c 
@@ -0,0 +1,237 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_crypter.h" +#include "af_alg_ops.h" + +typedef struct private_af_alg_crypter_t private_af_alg_crypter_t; + +/** + * Private data of af_alg_crypter_t + */ +struct private_af_alg_crypter_t { + + /** + * Public part of this class. + */ + af_alg_crypter_t public; + + /** + * AF_ALG operations + */ + af_alg_ops_t *ops; + + /** + * Size of the truncated signature + */ + size_t block_size; + + /** + * Size of the keymat + */ + size_t keymat_size; + + /** + * Size of initialization vector + */ + size_t iv_size; +}; + +/** + * Algorithm database + */ +static struct { + encryption_algorithm_t id; + char *name; + size_t block_size; + /* key size of the algorithm */ + size_t key_size; + /* size of the keying material (key + nonce for ctr mode) */ + size_t keymat_size; + size_t iv_size; +} algs[] = { + {ENCR_DES, "cbc(des)", 8, 8, 8, 8, }, + {ENCR_3DES, "cbc(des3_ede)", 8, 24, 24, 8, }, + {ENCR_AES_CBC, "cbc(aes)", 16, 16, 16, 16, }, + {ENCR_AES_CBC, "cbc(aes)", 16, 24, 24, 16, }, + {ENCR_AES_CBC, "cbc(aes)", 16, 32, 32, 16, }, + {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 16, 20, 8, }, + {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 24, 28, 8, }, + {ENCR_AES_CTR, "rfc3686(ctr(aes))", 1, 32, 36, 8, }, + {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 16, 16, 16, }, + {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 24, 24, 16, }, + {ENCR_CAMELLIA_CBC, "cbc(camellia)", 16, 32, 32, 
16, }, + {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 16, 20, 8, }, + {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 24, 28, 8, }, + {ENCR_CAMELLIA_CTR, "rfc3686(ctr(camellia))", 1, 32, 36, 8, }, + {ENCR_CAST, "cbc(cast5)", 8, 16, 16, 8, }, + {ENCR_BLOWFISH, "cbc(blowfish)", 8, 16, 16, 8, }, + {ENCR_BLOWFISH, "cbc(blowfish)", 8, 24, 24, 8, }, + {ENCR_BLOWFISH, "cbc(blowfish)", 8, 32, 32, 8, }, + {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 16, 16, 16, }, + {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 24, 24, 16, }, + {ENCR_SERPENT_CBC, "cbc(serpent)", 16, 32, 32, 16, }, + {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 16, 16, 16, }, + {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 24, 24, 16, }, + {ENCR_TWOFISH_CBC, "cbc(twofish)", 16, 32, 32, 16, }, +}; + +/** + * See header. + */ +void af_alg_crypter_probe() +{ + encryption_algorithm_t prev = -1; + af_alg_ops_t *ops; + int i; + + for (i = 0; i < countof(algs); i++) + { + if (prev != algs[i].id) + { + ops = af_alg_ops_create("skcipher", algs[i].name); + if (ops) + { + ops->destroy(ops); + lib->crypto->add_crypter(lib->crypto, algs[i].id, af_alg_plugin_name, + (crypter_constructor_t)af_alg_crypter_create); + } + } + prev = algs[i].id; + } +} + +/** + * Get the kernel algorithm string and block/key size for our identifier + */ +static size_t lookup_alg(encryption_algorithm_t algo, char **name, + size_t key_size, size_t *keymat_size, size_t *iv_size) +{ + int i; + + for (i = 0; i < countof(algs); i++) + { + if (algs[i].id == algo && + (key_size == 0 || algs[i].key_size == key_size)) + { + *name = algs[i].name; + *keymat_size = algs[i].keymat_size; + *iv_size = algs[i].iv_size; + return algs[i].block_size; + } + } + return 0; +} + +METHOD(crypter_t, decrypt, void, + private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) +{ + if (dst) + { + *dst = chunk_alloc(data.len); + this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, dst->ptr); + } + else + { + this->ops->crypt(this->ops, ALG_OP_DECRYPT, iv, data, data.ptr); + } +} 
+ +METHOD(crypter_t, encrypt, void, + private_af_alg_crypter_t *this, chunk_t data, chunk_t iv, chunk_t *dst) +{ + if (dst) + { + *dst = chunk_alloc(data.len); + this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, dst->ptr); + } + else + { + this->ops->crypt(this->ops, ALG_OP_ENCRYPT, iv, data, data.ptr); + } +} + +METHOD(crypter_t, get_block_size, size_t, + private_af_alg_crypter_t *this) +{ + return this->block_size; +} + +METHOD(crypter_t, get_iv_size, size_t, + private_af_alg_crypter_t *this) +{ + return this->iv_size; +} + +METHOD(crypter_t, get_key_size, size_t, + private_af_alg_crypter_t *this) +{ + return this->keymat_size; +} + +METHOD(crypter_t, set_key, void, + private_af_alg_crypter_t *this, chunk_t key) +{ + this->ops->set_key(this->ops, key); +} + +METHOD(crypter_t, destroy, void, + private_af_alg_crypter_t *this) +{ + this->ops->destroy(this->ops); + free(this); +} + +/* + * Described in header + */ +af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo, + size_t key_size) +{ + private_af_alg_crypter_t *this; + size_t block_size, keymat_size, iv_size; + char *name; + + block_size = lookup_alg(algo, &name, key_size, &keymat_size, &iv_size); + if (!block_size) + { /* not supported by kernel */ + return NULL; + } + + INIT(this, + .public = { + .crypter = { + .encrypt = _encrypt, + .decrypt = _decrypt, + .get_block_size = _get_block_size, + .get_iv_size = _get_iv_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + .block_size = block_size, + .keymat_size = keymat_size, + .iv_size = iv_size, + .ops = af_alg_ops_create("skcipher", name), + ); + + if (!this->ops) + { + free(this); + return NULL; + } + return &this->public; +} diff --git a/src/libstrongswan/plugins/af_alg/af_alg_crypter.h b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h new file mode 100644 index 000000000..711d2fc35 --- /dev/null +++ b/src/libstrongswan/plugins/af_alg/af_alg_crypter.h 
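Review bot: `encrypt` and `decrypt` hand an uninitialised `chunk_alloc(data.len)` buffer (or, in the in-place branch, `data.ptr` itself) to `this->ops->crypt`, which returns void, so when the kernel rejects a request — for the `cbc(...)` table entries a `data.len` that is not a multiple of the block size, or a key the transform never accepted — the caller gets back stale memory or, in-place, its own unprocessed input with nothing to tell it the operation failed. Until `crypt` can report failure I would at least document this on both methods, `/* ops->crypt() cannot report errors; data.len must fit the transform's block size */`, and consider rejecting `data.len % this->block_size != 0` up front (block_size is 1 for the ctr entries, so the check is a no-op there). In `af_alg_crypter_probe`, `encryption_algorithm_t prev = -1;` stores -1 into an enum; an explicit sentinel from the enum (`ENCR_UNDEFINED`, if this version defines it) or a plain `int` would make the "no previous entry" intent readable. The prototype `void af_alg_crypter_probe()` should be `void af_alg_crypter_probe(void)` so it is a real prototype.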
@@ -0,0 +1,54 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_crypter af_alg_crypter
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_CRYPTER_H_
+#define AF_ALG_CRYPTER_H_
+
+typedef struct af_alg_crypter_t af_alg_crypter_t;
+
+#include
+
+/**
+ * Implementation of signers using AF_ALG.
+ */
+struct af_alg_crypter_t {
+
+ /**
+ * The crypter_t interface.
+ */
+ crypter_t crypter;
+};
+
+/**
+ * Constructor to create af_alg_crypter_t.
+ *
+ * @param algo algorithm to implement
+ * @param key_size key size in bytes
+ * @return af_alg_crypter_t, NULL if not supported
+ */
+af_alg_crypter_t *af_alg_crypter_create(encryption_algorithm_t algo,
+ size_t key_size);
+
+/**
+ * Probe algorithms and register af_alg_crypter_create().
+ */
+void af_alg_crypter_probe();
+
+#endif /** AF_ALG_CRYPTER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.c b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
new file mode 100644
index 000000000..7c6297d44
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.c
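Review bot: The struct comment `Implementation of signers using AF_ALG.` was carried over from the signer header; this struct wraps `crypter_t`, so it should read `/** Implementation of crypters using AF_ALG. */`. The prototype `void af_alg_crypter_probe();` declares an unprototyped function; `void af_alg_crypter_probe(void);` is the proper form. The `@param key_size` line could also say that 0 selects the first table entry for the algorithm, since `lookup_alg` in the .c file treats `key_size == 0` as a wildcard.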
@@ -0,0 +1,170 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +#include "af_alg_hasher.h" +#include "af_alg_ops.h" + +typedef struct private_af_alg_hasher_t private_af_alg_hasher_t; + +/** + * Private data of af_alg_hasher_t + */ +struct private_af_alg_hasher_t { + + /** + * Public part of this class. + */ + af_alg_hasher_t public; + + /** + * AF_ALG operations + */ + af_alg_ops_t *ops; + + /** + * Size of the hash + */ + size_t size; +}; + +/** + * Algorithm database + */ +static struct { + hash_algorithm_t id; + char *name; + size_t size; +} algs[] = { + {HASH_SHA1, "sha1", HASH_SIZE_SHA1 }, + {HASH_MD5, "md5", HASH_SIZE_MD5 }, + {HASH_SHA224, "sha224", HASH_SIZE_SHA224 }, + {HASH_SHA256, "sha256", HASH_SIZE_SHA256 }, + {HASH_SHA384, "sha384", HASH_SIZE_SHA384 }, + {HASH_SHA512, "sha512", HASH_SIZE_SHA512 }, + {HASH_MD4, "md4", HASH_SIZE_MD4 }, +}; + +/** + * See header. 
+ */ +void af_alg_hasher_probe() +{ + af_alg_ops_t *ops; + int i; + + for (i = 0; i < countof(algs); i++) + { + ops = af_alg_ops_create("hash", algs[i].name); + if (ops) + { + ops->destroy(ops); + lib->crypto->add_hasher(lib->crypto, algs[i].id, af_alg_plugin_name, + (hasher_constructor_t)af_alg_hasher_create); + } + } +} + +/** + * Get the kernel algorithm string and hash size for our identifier + */ +static size_t lookup_alg(hash_algorithm_t algo, char **name) +{ + int i; + + for (i = 0; i < countof(algs); i++) + { + if (algs[i].id == algo) + { + *name = algs[i].name; + return algs[i].size; + } + } + return 0; +} + +METHOD(hasher_t, get_hash_size, size_t, + private_af_alg_hasher_t *this) +{ + return this->size; +} + +METHOD(hasher_t, reset, void, + private_af_alg_hasher_t *this) +{ + this->ops->reset(this->ops); +} + +METHOD(hasher_t, get_hash, void, + private_af_alg_hasher_t *this, chunk_t chunk, u_int8_t *hash) +{ + this->ops->hash(this->ops, chunk, hash, this->size); +} + +METHOD(hasher_t, allocate_hash, void, + private_af_alg_hasher_t *this, chunk_t chunk, chunk_t *hash) +{ + if (hash) + { + *hash = chunk_alloc(get_hash_size(this)); + get_hash(this, chunk, hash->ptr); + } + else + { + get_hash(this, chunk, NULL); + } +} + +METHOD(hasher_t, destroy, void, + private_af_alg_hasher_t *this) +{ + this->ops->destroy(this->ops); + free(this); +} + +/* + * Described in header + */ +af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo) +{ + private_af_alg_hasher_t *this; + char *name; + size_t size; + + size = lookup_alg(algo, &name); + if (!size) + { /* not supported by kernel */ + return NULL; + } + + INIT(this, + .public = { + .hasher = { + .get_hash = _get_hash, + .allocate_hash = _allocate_hash, + .get_hash_size = _get_hash_size, + .reset = _reset, + .destroy = _destroy, + }, + }, + .ops = af_alg_ops_create("hash", name), + .size = size, + ); + if (!this->ops) + { + free(this); + return NULL; + } + return &this->public; +} 
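Review bot: `get_hash` passes its `u_int8_t *hash` straight to `this->ops->hash`, whose `out` parameter is `char *`; that is an incompatible-pointer-type conversion the compiler will warn about, so either `ops->hash` should take `u_int8_t *` (or `void *`) or the call should be `this->ops->hash(this->ops, chunk, (char*)hash, this->size);`. `allocate_hash` with `hash == NULL` calls `get_hash(this, chunk, NULL)`, which only works because `ops->hash` treats a NULL `out` as "send with MSG_MORE and keep the state"; a comment on that branch, `/* NULL out: feed data, keep transform state for the next call */`, would save the next reader a trip into af_alg_ops.c. As in the header, `af_alg_hasher_probe()` should be defined with `(void)`.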
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_hasher.h b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
new file mode 100644
index 000000000..e0833e23a
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_hasher.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_hasher af_alg_hasher
+ * @{ @ingroup af_alg
+ */
+
+#ifndef af_alg_HASHER_H_
+#define af_alg_HASHER_H_
+
+typedef struct af_alg_hasher_t af_alg_hasher_t;
+
+#include
+
+/**
+ * Implementation of hashers using AF_ALG.
+ */
+struct af_alg_hasher_t {
+
+ /**
+ * Implements hasher_t interface.
+ */
+ hasher_t hasher;
+};
+
+/**
+ * Constructor to create af_alg_hasher_t.
+ *
+ * @param algo algorithm
+ * @return af_alg_hasher_t, NULL if not supported
+ */
+af_alg_hasher_t *af_alg_hasher_create(hash_algorithm_t algo);
+
+/**
+ * Probe algorithms and register af_alg_hasher_create().
+ */
+void af_alg_hasher_probe();
+
+#endif /** af_alg_HASHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.c b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
new file mode 100644
index 000000000..7bf1d90db
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.c
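Review bot: The include guard `af_alg_HASHER_H_` is mixed-case where the sibling headers use `AF_ALG_CRYPTER_H_` and `AF_ALG_OPS_H_`; rename it to `AF_ALG_HASHER_H_` in the `#ifndef`, the `#define` and the closing `#endif` comment for consistency. `void af_alg_hasher_probe();` should be `void af_alg_hasher_probe(void);` so the declaration is a real prototype.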
@@ -0,0 +1,226 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_ops.h"
+
+#include
+#include
+#include
+
+#include
+
+const char *af_alg_plugin_name = "af-alg";
+
+typedef struct private_af_alg_ops_t private_af_alg_ops_t;
+
+/**
+ * Private data of an af_alg_ops_t object.
+ */
+struct private_af_alg_ops_t {
+
+ /**
+ * Public af_alg_ops_t interface.
+ */
+ af_alg_ops_t public;
+
+ /**
+ * Transform FD
+ */
+ int tfm;
+
+ /**
+ * Operation FD
+ */
+ int op;
+};
+
+METHOD(af_alg_ops_t, reset, void,
+ private_af_alg_ops_t *this)
+{
+ if (this->op != -1)
+ {
+ close(this->op);
+ this->op = -1;
+ }
+}
+
+METHOD(af_alg_ops_t, hash, void,
+ private_af_alg_ops_t *this, chunk_t data, char *out, size_t outlen)
+{
+ ssize_t len;
+
+ while (this->op == -1)
+ {
+ this->op = accept(this->tfm, NULL, 0);
+ if (this->op == -1)
+ {
+ DBG1(DBG_LIB, "opening AF_ALG hasher failed: %s", strerror(errno));
+ sleep(1);
+ }
+ }
+ do
+ {
+ len = send(this->op, data.ptr, data.len, out ? 0 : MSG_MORE);
+ if (len == -1)
+ {
+ DBG1(DBG_LIB, "writing to AF_ALG hasher failed: %s", strerror(errno));
+ sleep(1);
+ }
+ else
+ {
+ data = chunk_skip(data, len);
+ }
+ }
+ while (data.len);
+
+ if (out)
+ {
+ while (read(this->op, out, outlen) != outlen)
+ {
+ DBG1(DBG_LIB, "reading AF_ALG hasher failed: %s", strerror(errno));
+ sleep(1);
+ }
+ reset(this);
+ }
+}
+
+METHOD(af_alg_ops_t, crypt, void,
+ private_af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+ char *out)
+{
+ struct msghdr msg = {};
+ struct cmsghdr *cmsg;
+ struct af_alg_iv *ivm;
+ struct iovec iov;
+ char buf[CMSG_SPACE(sizeof(type)) +
+ CMSG_SPACE(offsetof(struct af_alg_iv, iv) + iv.len)];
+ ssize_t len;
+ int op;
+
+ while ((op = accept(this->tfm, NULL, 0)) == -1)
+ {
+ DBG1(DBG_LIB, "accepting AF_ALG crypter failed: %s", strerror(errno));
+ sleep(1);
+ }
+
+ memset(buf, 0, sizeof(buf));
+
+ msg.msg_control = buf;
+ msg.msg_controllen = sizeof(buf);
+
+ cmsg = CMSG_FIRSTHDR(&msg);
+ cmsg->cmsg_level = SOL_ALG;
+ cmsg->cmsg_type = ALG_SET_OP;
+ cmsg->cmsg_len = CMSG_LEN(sizeof(type));
+ *(u_int32_t*)CMSG_DATA(cmsg) = type;
+
+ cmsg = CMSG_NXTHDR(&msg, cmsg);
+ cmsg->cmsg_level = SOL_ALG;
+ cmsg->cmsg_type = ALG_SET_IV;
+ cmsg->cmsg_len = CMSG_LEN(offsetof(struct af_alg_iv, iv) + iv.len);
+ ivm = (void*)CMSG_DATA(cmsg);
+ ivm->ivlen = iv.len;
+ memcpy(ivm->iv, iv.ptr, iv.len);
+
+ msg.msg_iov = &iov;
+ msg.msg_iovlen = 1;
+
+ while (data.len)
+ {
+ iov.iov_base = data.ptr;
+ iov.iov_len = data.len;
+
+ len = sendmsg(op, &msg, 0);
+ if (len == -1)
+ {
+ DBG1(DBG_LIB, "writing to AF_ALG crypter failed: %s",
+ strerror(errno));
+ sleep(1);
+ continue;
+ }
+ if (read(op, out, len) != len)
+ {
+ DBG1(DBG_LIB, "reading from AF_ALG crypter failed: %s",
+ strerror(errno));
+ }
+ data = chunk_skip(data, len);
+ /* no IV for subsequent data chunks */
+ msg.msg_controllen = 0;
+ }
+ close(op);
+}
+
+METHOD(af_alg_ops_t, set_key, void,
+ private_af_alg_ops_t *this, chunk_t key)
+{
+ if (setsockopt(this->tfm, SOL_ALG, ALG_SET_KEY, key.ptr, key.len) == -1)
+ {
+ DBG1(DBG_LIB, "setting AF_ALG key failed: %s", strerror(errno));
+ }
+}
+
+METHOD(af_alg_ops_t, destroy, void,
+ private_af_alg_ops_t *this)
+{
+ close(this->tfm);
+ if (this->op != -1)
+ {
+ close(this->op);
+ }
+ free(this);
+}
+
+/**
+ * See header
+ */
+af_alg_ops_t *af_alg_ops_create(char *type, char *alg)
+{
+ private_af_alg_ops_t *this;
+ struct sockaddr_alg sa = {
+ .salg_family = AF_ALG,
+ };
+
+ strncpy(sa.salg_type, type, sizeof(sa.salg_type));
+ strncpy(sa.salg_name, alg, sizeof(sa.salg_name));
+
+ INIT(this,
+ .public = {
+ .hash = _hash,
+ .reset = _reset,
+ .crypt = _crypt,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ .tfm = socket(AF_ALG, SOCK_SEQPACKET, 0),
+ .op = -1,
+ );
+ if (this->tfm == -1)
+ {
+ DBG1(DBG_LIB, "opening AF_ALG socket failed: %s", strerror(errno));
+ free(this);
+ return NULL;
+ }
+ if (bind(this->tfm, (struct sockaddr*)&sa, sizeof(sa)) == -1)
+ {
+ if (errno != ENOENT)
+ { /* fail silently if algorithm not supported */
+ DBG1(DBG_LIB, "binding AF_ALG socket for '%s' failed: %s",
+ sa.salg_name, strerror(errno));
+ }
+ destroy(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_ops.h b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
new file mode 100644
index 000000000..b7d642c00
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_ops.h
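Review bot: In `crypt`, `out` is never advanced inside the `while (data.len)` loop, so if `sendmsg()` accepts only part of `data`, the output of each later chunk is written over the start of `out` while the input pointer moves on; add `out += len;` next to `data = chunk_skip(data, len);`. The `read(op, out, len) != len` branch just above only logs and carries on, so a request the kernel rejects leaves `out` holding uninitialised bytes or — in the in-place call path the crypter uses — the unencrypted input, with no signal to the caller; either retry the read until `len` bytes arrive, as `hash` does, or give `crypt` (and `set_key`, whose failed `setsockopt()` is likewise only logged, after which the transform keeps whatever key it had) a return value callers can act on. The `sleep(1)` retry loops in `hash` and `crypt` run without bound, so a persistent error such as a length the transform does not accept parks the calling thread forever; a bounded retry that fails out would be more robust. `hash` compares `read()`'s `ssize_t` result with the `size_t outlen`, which only does the right thing because -1 converts to `SIZE_MAX`; checking `len == -1` explicitly would make the error path readable. In `af_alg_ops_create`, `strncpy` into `salg_type`/`salg_name` does not guarantee NUL termination; today the names come from the static tables in af_alg_crypter.c and af_alg_hasher.c, but `snprintf(sa.salg_name, sizeof(sa.salg_name), "%s", alg);` removes that dependency.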
@@ -0,0 +1,92 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+* @defgroup af_alg_ops af_alg_ops
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_OPS_H_
+#define AF_ALG_OPS_H_
+
+#include
+
+#include
+
+#ifndef AF_ALG
+#define AF_ALG 38
+#endif /* AF_ALG */
+
+#ifndef SOL_ALG
+#define SOL_ALG 279
+#endif /* SOL_ALG */
+
+extern const char *af_alg_plugin_name;
+
+typedef struct af_alg_ops_t af_alg_ops_t;
+
+/**
+ * Helper to run AF_ALG operations.
+ */
+struct af_alg_ops_t {
+
+ /**
+ * Hash a chunk of data.
+ *
+ * @param data data to hash
+ * @param out buffer to write hash to, NULL for append mode
+ * @param outlen number of bytes to read into out
+ */
+ void (*hash)(af_alg_ops_t *this, chunk_t data, char *out, size_t outlen);
+
+ /**
+ * Reset hasher state.
+ */
+ void (*reset)(af_alg_ops_t *this);
+
+ /**
+ * En-/Decrypt a chunk of data.
+ *
+ * @param type crypto operation (ALG_OP_DECRYPT/ALG_OP_ENCRYPT)
+ * @param iv iv to use
+ * @param data data to encrypt/decrypt
+ * @param out buffer write processed data to
+ */
+ void (*crypt)(af_alg_ops_t *this, u_int32_t type, chunk_t iv, chunk_t data,
+ char *out);
+
+ /**
+ * Set the key for en-/decryption or HMAC/XCBC operations.
+ *
+ * @param key key to set for transform
+ */
+ void (*set_key)(af_alg_ops_t *this, chunk_t key);
+
+ /**
+ * Destroy a af_alg_ops_t.
+ */
+ void (*destroy)(af_alg_ops_t *this);
+};
+
+/**
+ * Create a af_alg_ops instance.
+ *
+ * @param type algorithm type (hash, skcipher)
+ * @param alg algorithm name
+ * @return TRUE if AF_ALG socket bound successfully
+ */
+af_alg_ops_t *af_alg_ops_create(char *type, char *alg);
+
+#endif /** AF_ALG_OPS_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.c b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
new file mode 100644
index 000000000..54e39f1a0
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.c
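Review bot: The `@return` line on af_alg_ops_create() says `TRUE if AF_ALG socket bound successfully`, but the declared return type is `af_alg_ops_t *` and the implementation earlier in this diff returns the instance or NULL, so the documentation should read `@return af_alg_ops_t instance, NULL if the socket could not be created or bound`. Callers that take the comment literally and test the result as a boolean will still work, but ones that expect TRUE/FALSE semantics will not free the instance. The `type` and `alg` arguments are only copied, so `const char *type, const char *alg` would document that the strings are not modified. The `@defgroup` line in the header comment has lost its leading space (`+* @defgroup`), which breaks the Doxygen block alignment used by the other headers in this diff.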
@@ -0,0 +1,74 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_plugin.h"
+
+#include
+
+#include "af_alg_hasher.h"
+#include "af_alg_signer.h"
+#include "af_alg_prf.h"
+#include "af_alg_crypter.h"
+
+typedef struct private_af_alg_plugin_t private_af_alg_plugin_t;
+
+/**
+ * private data of af_alg_plugin
+ */
+struct private_af_alg_plugin_t {
+
+ /**
+ * public functions
+ */
+ af_alg_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_af_alg_plugin_t *this)
+{
+ lib->crypto->remove_hasher(lib->crypto,
+ (hasher_constructor_t)af_alg_hasher_create);
+ lib->crypto->remove_signer(lib->crypto,
+ (signer_constructor_t)af_alg_signer_create);
+ lib->crypto->remove_prf(lib->crypto,
+ (prf_constructor_t)af_alg_prf_create);
+ lib->crypto->remove_crypter(lib->crypto,
+ (crypter_constructor_t)af_alg_crypter_create);
+
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *af_alg_plugin_create()
+{
+ private_af_alg_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ af_alg_hasher_probe();
+ af_alg_signer_probe();
+ af_alg_prf_probe();
+ af_alg_crypter_probe();
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_plugin.h b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h
new file mode 100644
index 000000000..18c069831
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_plugin.h
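Review bot: `plugin_t *af_alg_plugin_create()` is defined with an empty parameter list, which in C declares a function with unspecified arguments rather than none; the prototype should be `plugin_t *af_alg_plugin_create(void)`. The same applies to the `af_alg_prf_probe()` and `af_alg_signer_probe()` definitions and header declarations in the later hunks of this commit. The constructor also runs all four probes unconditionally and destroy() removes all four constructors; if a probe registered nothing because the kernel lacks the algorithm, the removal presumably is a harmless no-op, but a one-line comment at the probe calls, `/* each probe registers only the algorithms the kernel accepts */`, would make that intent explicit.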
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg af_alg
+ * @ingroup plugins
+ *
+ * @defgroup af_alg_plugin af_alg_plugin
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_PLUGIN_H_
+#define AF_ALG_PLUGIN_H_
+
+#include
+
+typedef struct af_alg_plugin_t af_alg_plugin_t;
+
+/**
+ * Plugin providing the AF_ALG interface to the Linux Crypto API.
+ */
+struct af_alg_plugin_t {
+
+ /**
+ * Implements plugin interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** AF_ALG_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.c b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
new file mode 100644
index 000000000..575906bae
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.c
@@ -0,0 +1,211 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_prf.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_prf_t private_af_alg_prf_t;
+
+/**
+ * Private data of a af_alg_prf_t object.
+ */
+struct private_af_alg_prf_t {
+
+ /**
+ * Public af_alg_prf_t interface.
+ */
+ af_alg_prf_t public;
+
+ /**
+ * AF_ALG operations
+ */
+ af_alg_ops_t *ops;
+
+ /**
+ * Size of the PRF output
+ */
+ size_t block_size;
+
+ /**
+ * Default key size
+ */
+ size_t key_size;
+
+ /**
+ * Using an XCBC algorithm?
+ */
+ bool xcbc;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+ pseudo_random_function_t id;
+ char *name;
+ size_t block_size;
+ bool xcbc;
+} algs[] = {
+ {PRF_HMAC_SHA1, "hmac(sha1)", 20, FALSE, },
+ {PRF_HMAC_SHA2_256, "hmac(sha256)", 32, FALSE, },
+ {PRF_HMAC_MD5, "hmac(md5)", 16, FALSE, },
+ {PRF_HMAC_SHA2_384, "hmac(sha384)", 48, FALSE, },
+ {PRF_HMAC_SHA2_512, "hmac(sha512)", 64, FALSE, },
+ {PRF_AES128_XCBC, "xcbc(aes)", 16, TRUE, },
+ {PRF_CAMELLIA128_XCBC, "xcbc(camellia)", 16, TRUE, },
+};
+
+/**
+ * See header.
+ */
+void af_alg_prf_probe()
+{
+ af_alg_ops_t *ops;
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ ops = af_alg_ops_create("hash", algs[i].name);
+ if (ops)
+ {
+ ops->destroy(ops);
+ lib->crypto->add_prf(lib->crypto, algs[i].id, af_alg_plugin_name,
+ (prf_constructor_t)af_alg_prf_create);
+ }
+ }
+}
+
+/**
+ * Get the kernel algorithm string and block size for our identifier
+ */
+static size_t lookup_alg(integrity_algorithm_t algo, char **name, bool *xcbc)
+{
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (algs[i].id == algo)
+ {
+ *name = algs[i].name;
+ *xcbc = algs[i].xcbc;
+ return algs[i].block_size;
+ }
+ }
+ return 0;
+}
+
+METHOD(prf_t, get_bytes, void,
+ private_af_alg_prf_t *this, chunk_t seed, u_int8_t *buffer)
+{
+ this->ops->hash(this->ops, seed, buffer, this->block_size);
+}
+
+METHOD(prf_t, allocate_bytes, void,
+ private_af_alg_prf_t *this, chunk_t seed, chunk_t *chunk)
+{
+ if (chunk)
+ {
+ *chunk = chunk_alloc(this->block_size);
+ get_bytes(this, seed, chunk->ptr);
+ }
+ else
+ {
+ get_bytes(this, seed, NULL);
+ }
+}
+
+METHOD(prf_t, get_block_size, size_t,
+ private_af_alg_prf_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(prf_t, get_key_size, size_t,
+ private_af_alg_prf_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(prf_t, set_key, void,
+ private_af_alg_prf_t *this, chunk_t key)
+{
+ char buf[this->block_size];
+
+ if (this->xcbc)
+ {
+ /* The kernel currently does not support variable length XCBC keys,
+ * do RFC4434 key padding/reduction manually. */
+ if (key.len < this->block_size)
+ {
+ memset(buf, 0, this->block_size);
+ memcpy(buf, key.ptr, key.len);
+ key = chunk_from_thing(buf);
+ }
+ else if (key.len > this->block_size)
+ {
+ memset(buf, 0, this->block_size);
+ this->ops->set_key(this->ops, chunk_from_thing(buf));
+ this->ops->hash(this->ops, key, buf, this->block_size);
+ key = chunk_from_thing(buf);
+ }
+ }
+ this->ops->set_key(this->ops, key);
+}
+
+METHOD(prf_t, destroy, void,
+ private_af_alg_prf_t *this)
+{
+ this->ops->destroy(this->ops);
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo)
+{
+ private_af_alg_prf_t *this;
+ size_t block_size;
+ bool xcbc;
+ char *name;
+
+ block_size = lookup_alg(algo, &name, &xcbc);
+ if (!block_size)
+ { /* not supported by kernel */
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .prf = {
+ .get_bytes = _get_bytes,
+ .allocate_bytes = _allocate_bytes,
+ .get_block_size = _get_block_size,
+ .get_key_size = _get_key_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ },
+ .ops = af_alg_ops_create("hash", name),
+ .block_size = block_size,
+ .xcbc = xcbc,
+ );
+ if (!this->ops)
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_prf.h b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
new file mode 100644
index 000000000..a3dea5649
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_prf.h
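Review bot: `lookup_alg()` takes `integrity_algorithm_t algo` although the `algs[]` table it searches is keyed by `pseudo_random_function_t id` and the only caller, af_alg_prf_create(), passes a `pseudo_random_function_t`; the signature should be `static size_t lookup_alg(pseudo_random_function_t algo, char **name, bool *xcbc)`. C's implicit enum conversion hides this today, but a PRF identifier that happens to collide numerically with an integrity identifier would be silently accepted, and the mismatch defeats any compiler type checking on the table. Separately, `get_key_size` returns `this->block_size` while the struct declares a `key_size` member that is never initialised or read; either drop the member and document on the `block_size` field that it doubles as the key size for these HMAC/XCBC transforms, or populate it from the table and return it. In `set_key`, the `buf` VLA is sized by `block_size` and passed through `chunk_from_thing(buf)`, which relies on `sizeof` of a VLA being evaluated at run time; a comment such as `/* buf is a VLA, chunk_from_thing() yields block_size bytes */` would save the next reader a detour.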
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup af_alg_prf af_alg_prf
+ * @{ @ingroup af_alg
+ */
+
+#ifndef AF_ALG_PRF_H_
+#define AF_ALG_PRF_H_
+
+typedef struct af_alg_prf_t af_alg_prf_t;
+
+#include
+
+/**
+ * Implementation of PRFs using AF_ALG.
+ */
+struct af_alg_prf_t {
+
+ /**
+ * Implements prf_t interface.
+ */
+ prf_t prf;
+};
+
+/**
+ * Creates a new af_alg_prf_t object.
+ *
+ * @param algo algorithm to implement
+ * @return af_alg_prf_t object, NULL if hash not supported
+ */
+af_alg_prf_t *af_alg_prf_create(pseudo_random_function_t algo);
+
+/**
+ * Probe algorithms and register af_alg_prf_create().
+ */
+void af_alg_prf_probe();
+
+#endif /** AF_ALG_PRF_H_ @}*/
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.c b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
new file mode 100644
index 000000000..3d6f907bf
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.c
@@ -0,0 +1,206 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "af_alg_signer.h"
+#include "af_alg_ops.h"
+
+typedef struct private_af_alg_signer_t private_af_alg_signer_t;
+
+/**
+ * Private data structure with signing context.
+ */
+struct private_af_alg_signer_t {
+
+ /**
+ * Public interface of af_alg_signer_t.
+ */
+ af_alg_signer_t public;
+
+ /**
+ * AF_ALG operations
+ */
+ af_alg_ops_t *ops;
+
+ /**
+ * Size of the truncated signature
+ */
+ size_t block_size;
+
+ /**
+ * Default key size
+ */
+ size_t key_size;
+};
+
+/**
+ * Algorithm database
+ */
+static struct {
+ integrity_algorithm_t id;
+ char *name;
+ size_t block_size;
+ size_t key_size;
+} algs[] = {
+ {AUTH_HMAC_SHA1_96, "hmac(sha1)", 12, 20, },
+ {AUTH_HMAC_SHA1_128, "hmac(sha1)", 16, 20, },
+ {AUTH_HMAC_SHA1_160, "hmac(sha1)", 20, 20, },
+ {AUTH_HMAC_SHA2_256_96, "hmac(sha256)", 12, 32, },
+ {AUTH_HMAC_SHA2_256_128, "hmac(sha256)", 16, 32, },
+ {AUTH_HMAC_MD5_96, "hmac(md5)", 12, 16, },
+ {AUTH_HMAC_MD5_128, "hmac(md5)", 16, 16, },
+ {AUTH_HMAC_SHA2_256_256, "hmac(sha384)", 32, 32, },
+ {AUTH_HMAC_SHA2_384_192, "hmac(sha384)", 24, 48, },
+ {AUTH_HMAC_SHA2_384_384, "hmac(sha384)", 48, 48, },
+ {AUTH_HMAC_SHA2_512_256, "hmac(sha512)", 32, 64, },
+ {AUTH_AES_XCBC_96, "xcbc(aes)", 12, 16, },
+ {AUTH_CAMELLIA_XCBC_96, "xcbc(camellia)", 12, 16, },
+};
+
+/**
+ * See header.
+ */
+void af_alg_signer_probe()
+{
+ af_alg_ops_t *ops;
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ ops = af_alg_ops_create("hash", algs[i].name);
+ if (ops)
+ {
+ ops->destroy(ops);
+ lib->crypto->add_signer(lib->crypto, algs[i].id, af_alg_plugin_name,
+ (signer_constructor_t)af_alg_signer_create);
+ }
+ }
+}
+
+/**
+ * Get the kernel algorithm string and block/key size for our identifier
+ */
+static size_t lookup_alg(integrity_algorithm_t algo, char **name,
+ size_t *key_size)
+{
+ int i;
+
+ for (i = 0; i < countof(algs); i++)
+ {
+ if (algs[i].id == algo)
+ {
+ *name = algs[i].name;
+ *key_size = algs[i].key_size;
+ return algs[i].block_size;
+ }
+ }
+ return 0;
+}
+
+METHOD(signer_t, get_signature, void,
+ private_af_alg_signer_t *this, chunk_t data, u_int8_t *buffer)
+{
+ this->ops->hash(this->ops, data, buffer, this->block_size);
+}
+
+METHOD(signer_t, allocate_signature, void,
+ private_af_alg_signer_t *this, chunk_t data, chunk_t *chunk)
+{
+ if (chunk)
+ {
+ *chunk = chunk_alloc(this->block_size);
+ get_signature(this, data, chunk->ptr);
+ }
+ else
+ {
+ get_signature(this, data, NULL);
+ }
+}
+
+METHOD(signer_t, verify_signature, bool,
+ private_af_alg_signer_t *this, chunk_t data, chunk_t signature)
+{
+ char sig[this->block_size];
+
+ if (signature.len != this->block_size)
+ {
+ return FALSE;
+ }
+ get_signature(this, data, sig);
+ return memeq(signature.ptr, sig, signature.len);
+}
+
+METHOD(signer_t, get_key_size, size_t,
+ private_af_alg_signer_t *this)
+{
+ return this->key_size;
+}
+
+METHOD(signer_t, get_block_size, size_t,
+ private_af_alg_signer_t *this)
+{
+ return this->block_size;
+}
+
+METHOD(signer_t, set_key, void,
+ private_af_alg_signer_t *this, chunk_t key)
+{
+ this->ops->set_key(this->ops, key);
+}
+
+METHOD(signer_t, destroy, void,
+ private_af_alg_signer_t *this)
+{
+ this->ops->destroy(this->ops);
+ free(this);
+}
+
+/*
+ * Described in header
+ */
+af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo)
+{
+ private_af_alg_signer_t *this;
+ size_t block_size, key_size;
+ char *name;
+
+ block_size = lookup_alg(algo, &name, &key_size);
+ if (!block_size)
+ { /* not supported by kernel */
+ return NULL;
+ }
+
+ INIT(this,
+ .public = {
+ .signer = {
+ .get_signature = _get_signature,
+ .allocate_signature = _allocate_signature,
+ .verify_signature = _verify_signature,
+ .get_key_size = _get_key_size,
+ .get_block_size = _get_block_size,
+ .set_key = _set_key,
+ .destroy = _destroy,
+ },
+ },
+ .ops = af_alg_ops_create("hash", name),
+ .block_size = block_size,
+ .key_size = key_size,
+ );
+ if (!this->ops)
+ {
+ free(this);
+ return NULL;
+ }
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/af_alg/af_alg_signer.h b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
new file mode 100644
index 000000000..b1d90707f
--- /dev/null
+++ b/src/libstrongswan/plugins/af_alg/af_alg_signer.h
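Review bot: The algorithm table maps `AUTH_HMAC_SHA2_256_256` to `"hmac(sha384)"` with a 32-byte key, which is inconsistent with every other SHA2_256 entry (`"hmac(sha256)"`, key 32) and with the SHA2_384 entries (key 48) in the same table; the line should read `{AUTH_HMAC_SHA2_256_256, "hmac(sha256)", 32, 32, },`. As written, a peer negotiating HMAC-SHA2-256-256 would get a truncated HMAC-SHA384 and integrity checks would fail against any correct implementation. In `verify_signature`, the computed MAC is compared with `memeq(signature.ptr, sig, signature.len)`; if memeq is memcmp-based it stops at the first differing byte, so the comparison time leaks how many leading bytes of a forged tag were correct. A MAC verification should use a comparison that always touches every byte (a constant-time helper if the library has one, otherwise an OR-accumulating loop over `signature.len` bytes), with a comment stating why.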
@@ -0,0 +1,52 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup af_alg_signer af_alg_signer + * @{ @ingroup af_alg + */ + +#ifndef AF_ALG_SIGNER_H_ +#define AF_ALG_SIGNER_H_ + +typedef struct af_alg_signer_t af_alg_signer_t; + +#include + +/** + * Implementation of signers using AF_ALG. + */ +struct af_alg_signer_t { + + /** + * Implements signer_t interface. + */ + signer_t signer; +}; + +/** + * Creates a new af_alg_signer_t. + * + * @param algo algorithm to implement + * @return af_alg_signer_t, NULL if not supported + */ +af_alg_signer_t *af_alg_signer_create(integrity_algorithm_t algo); + +/** + * Probe algorithms and register af_alg_signer_create(). + */ +void af_alg_signer_probe(); + +#endif /** AF_ALG_SIGNER_H_ @}*/ diff --git a/src/libstrongswan/plugins/agent/Makefile.in b/src/libstrongswan/plugins/agent/Makefile.in index 9f65f4ffb..1a3533f03 100644 --- a/src/libstrongswan/plugins/agent/Makefile.in +++ b/src/libstrongswan/plugins/agent/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/blowfish/Makefile.in b/src/libstrongswan/plugins/blowfish/Makefile.in index d310843ac..251722f60 100644 --- a/src/libstrongswan/plugins/blowfish/Makefile.in +++ b/src/libstrongswan/plugins/blowfish/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c index 6ab093d7b..5232eca28 100644 --- a/src/libstrongswan/plugins/blowfish/blowfish_plugin.c +++ b/src/libstrongswan/plugins/blowfish/blowfish_plugin.c @@ -19,6 +19,8 @@ #include #include "blowfish_crypter.h" +static const char *plugin_name = "blowfish"; + typedef struct private_blowfish_plugin_t private_blowfish_plugin_t; /** @@ -55,7 +57,7 @@ plugin_t *blowfish_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name, (crypter_constructor_t)blowfish_crypter_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/ccm/Makefile.in b/src/libstrongswan/plugins/ccm/Makefile.in index 017d75c48..371e5b2f4 100644 --- a/src/libstrongswan/plugins/ccm/Makefile.in 
+++ b/src/libstrongswan/plugins/ccm/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ccm/ccm_plugin.c b/src/libstrongswan/plugins/ccm/ccm_plugin.c index 5fc3b14d7..a4c89b548 100644 --- a/src/libstrongswan/plugins/ccm/ccm_plugin.c +++ b/src/libstrongswan/plugins/ccm/ccm_plugin.c @@ -19,6 +19,8 @@ #include "ccm_aead.h" +static const char *plugin_name = "ccm"; + typedef struct private_ccm_plugin_t private_ccm_plugin_t; /** 
@@ -47,23 +49,34 @@ METHOD(plugin_t, destroy, void, plugin_t *ccm_plugin_create() { private_ccm_plugin_t *this; + crypter_t *crypter; INIT(this, .public.plugin.destroy = _destroy, ); - lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, - (aead_constructor_t)ccm_aead_create); - lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, - (aead_constructor_t)ccm_aead_create); + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV8, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV12, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_AES_CCM_ICV16, plugin_name, + (aead_constructor_t)ccm_aead_create); + } + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 0); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV8, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV12, plugin_name, + (aead_constructor_t)ccm_aead_create); + lib->crypto->add_aead(lib->crypto, ENCR_CAMELLIA_CCM_ICV16, plugin_name, + (aead_constructor_t)ccm_aead_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/constraints/Makefile.am b/src/libstrongswan/plugins/constraints/Makefile.am new file mode 100644 index 000000000..d80d39a2d --- /dev/null +++ b/src/libstrongswan/plugins/constraints/Makefile.am 
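Review bot: The AEAD registrations are now conditional on `lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0)` (and the Camellia equivalent) succeeding at the moment ccm_plugin_create() runs, so whether CCM is offered presumably depends on plugin load order: if the plugin providing the CBC crypter is loaded after ccm, the AEADs are skipped with no log line. A short comment on the first probe would make the dependency explicit, e.g. `/* CCM builds on a CBC crypter; only register if one is available at load time */`, and a DBG1 on the fallthrough path would make a missing registration diagnosable instead of silent. Passing `0` as the key size to create_crypter is presumably the "any/default key size" convention of the crypto factory; that too is worth a word in the comment.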
@@ -0,0 +1,16 @@ + +INCLUDES = -I$(top_srcdir)/src/libstrongswan + +AM_CFLAGS = -rdynamic + +if MONOLITHIC +noinst_LTLIBRARIES = libstrongswan-constraints.la +else +plugin_LTLIBRARIES = libstrongswan-constraints.la +endif + +libstrongswan_constraints_la_SOURCES = \ + constraints_plugin.h constraints_plugin.c \ + constraints_validator.h constraints_validator.c + +libstrongswan_constraints_la_LDFLAGS = -module -avoid-version diff --git a/src/libstrongswan/plugins/constraints/Makefile.in b/src/libstrongswan/plugins/constraints/Makefile.in new file mode 100644 index 000000000..382bfef98 --- /dev/null +++ b/src/libstrongswan/plugins/constraints/Makefile.in 
@@ -0,0 +1,604 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/constraints +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = 
srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +libstrongswan_constraints_la_LIBADD = +am_libstrongswan_constraints_la_OBJECTS = constraints_plugin.lo \ + constraints_validator.lo +libstrongswan_constraints_la_OBJECTS = \ + $(am_libstrongswan_constraints_la_OBJECTS) +libstrongswan_constraints_la_LINK = $(LIBTOOL) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(libstrongswan_constraints_la_LDFLAGS) \ + $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_constraints_la_rpath = -rpath \ +@MONOLITHIC_FALSE@ $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_constraints_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + 
$(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_constraints_la_SOURCES) +DIST_SOURCES = $(libstrongswan_constraints_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = 
@RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = 
@program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ +resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-constraints.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-constraints.la +libstrongswan_constraints_la_SOURCES = \ + constraints_plugin.h constraints_plugin.c \ + constraints_validator.h constraints_validator.c + +libstrongswan_constraints_la_LDFLAGS = -module -avoid-version +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/constraints/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-constraints.la: $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_DEPENDENCIES) + $(libstrongswan_constraints_la_LINK) $(am_libstrongswan_constraints_la_rpath) $(libstrongswan_constraints_la_OBJECTS) $(libstrongswan_constraints_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_plugin.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/constraints_validator.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 
+@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + 
list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . 
= "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic 
mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.c b/src/libstrongswan/plugins/constraints/constraints_plugin.c new file mode 100644 index 000000000..1c3f0c835 --- /dev/null +++ b/src/libstrongswan/plugins/constraints/constraints_plugin.c 
@@ -0,0 +1,65 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "constraints_plugin.h"
+
+#include
+#include "constraints_validator.h"
+
+typedef struct private_constraints_plugin_t private_constraints_plugin_t;
+
+/**
+ * private data of constraints_plugin
+ */
+struct private_constraints_plugin_t {
+
+ /**
+ * public functions
+ */
+ constraints_plugin_t public;
+
+ /**
+ * Validator implementation instance.
+ */
+ constraints_validator_t *validator;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_constraints_plugin_t *this)
+{
+ lib->credmgr->remove_validator(lib->credmgr, &this->validator->validator);
+ this->validator->destroy(this->validator);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *constraints_plugin_create()
+{
+ private_constraints_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ .validator = constraints_validator_create(),
+ );
+ lib->credmgr->add_validator(lib->credmgr, &this->validator->validator);
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/constraints/constraints_plugin.h b/src/libstrongswan/plugins/constraints/constraints_plugin.h
new file mode 100644
index 000000000..7042a4d92
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_plugin.h
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup constraints constraints
+ * @ingroup plugins
+ *
+ * @defgroup constraints_plugin constraints_plugin
+ * @{ @ingroup constraints
+ */
+
+#ifndef CONSTRAINTS_PLUGIN_H_
+#define CONSTRAINTS_PLUGIN_H_
+
+#include
+
+typedef struct constraints_plugin_t constraints_plugin_t;
+
+/**
+ * Advanced X509 constraint checking.
+ */
+struct constraints_plugin_t {
+
+ /**
+ * Implements plugin_t. interface.
+ */
+ plugin_t plugin;
+};
+
+#endif /** CONSTRAINTS_PLUGIN_H_ @}*/
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
new file mode 100644
index 000000000..b54d813df
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
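Review bot: The doc comment on the `plugin` member of `constraints_plugin_t` reads `Implements plugin_t. interface.` with a stray period in the middle; it should read `Implements plugin_t interface.` so the generated docs do not show a broken sentence. The rest of the header is complete and self-contained.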
@@ -0,0 +1,578 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "constraints_validator.h"
+
+#include
+#include
+#include
+#include
+
+typedef struct private_constraints_validator_t private_constraints_validator_t;
+
+/**
+ * Private data of an constraints_validator_t object.
+ */
+struct private_constraints_validator_t {
+
+ /**
+ * Public constraints_validator_t interface.
+ */
+ constraints_validator_t public;
+};
+
+/**
+ * Check pathlen constraint of issuer certificate
+ */
+static bool check_pathlen(x509_t *issuer, int pathlen)
+{
+ u_int pathlen_constraint;
+
+ pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
+ if (pathlen_constraint != X509_NO_CONSTRAINT &&
+ pathlen > pathlen_constraint)
+ {
+ DBG1(DBG_CFG, "path length of %d violates constraint of %d",
+ pathlen, pathlen_constraint);
+ return FALSE;
+ }
+ return TRUE;
+}
+
+/**
+ * Check if a FQDN/RFC822 constraint matches (suffix match)
+ */
+static bool suffix_matches(identification_t *constraint, identification_t *id)
+{
+ chunk_t c, i;
+
+ c = constraint->get_encoding(constraint);
+ i = id->get_encoding(id);
+
+ return i.len >= c.len && chunk_equals(c, chunk_skip(i, i.len - c.len));
+}
+
+/**
+ * Check if a DN constraint matches (RDN prefix match)
+ */
+static bool dn_matches(identification_t *constraint, identification_t *id)
+{
+ enumerator_t *ec, *ei;
+ id_part_t pc, pi;
+ chunk_t cc, ci;
+ bool match = TRUE;
+
+ ec = constraint->create_part_enumerator(constraint);
+ ei = id->create_part_enumerator(id);
+ while (ec->enumerate(ec, &pc, &cc))
+ {
+ if (!ei->enumerate(ei, &pi, &ci) ||
+ pi != pc || !chunk_equals(cc, ci))
+ {
+ match = FALSE;
+ break;
+ }
+ }
+ ec->destroy(ec);
+ ei->destroy(ei);
+
+ return match;
+}
+
+/**
+ * Check if a certificate matches to a NameConstraint
+ */
+static bool name_constraint_matches(identification_t *constraint,
+ certificate_t *cert, bool permitted)
+{
+ x509_t *x509 = (x509_t*)cert;
+ enumerator_t *enumerator;
+ identification_t *id;
+ id_type_t type;
+ bool matches = permitted;
+
+ type = constraint->get_type(constraint);
+ if (type == ID_DER_ASN1_DN)
+ {
+ matches = dn_matches(constraint, cert->get_subject(cert));
+ if (matches != permitted)
+ {
+ return matches;
+ }
+ }
+
+ enumerator = x509->create_subjectAltName_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (id->get_type(id) == type)
+ {
+ switch (type)
+ {
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ matches = suffix_matches(constraint, id);
+ break;
+ case ID_DER_ASN1_DN:
+ matches = dn_matches(constraint, id);
+ break;
+ default:
+ DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
+ id_type_names, type);
+ matches = FALSE;
+ break;
+ }
+ }
+ if (matches != permitted)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ return matches;
+}
+
+/**
+ * Check if a permitted or excluded NameConstraint has been inherited to sub-CA
+ */
+static bool name_constraint_inherited(identification_t *constraint,
+ x509_t *x509, bool permitted)
+{
+ enumerator_t *enumerator;
+ identification_t *id;
+ bool inherited = FALSE;
+ id_type_t type;
+
+ if (!(x509->get_flags(x509) & X509_CA))
+ { /* not a sub-CA, not required */
+ return TRUE;
+ }
+
+ type = constraint->get_type(constraint);
+ enumerator = x509->create_name_constraint_enumerator(x509, permitted);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (id->get_type(id) == type)
+ {
+ switch (type)
+ {
+ case ID_FQDN:
+ case ID_RFC822_ADDR:
+ if (permitted)
+ { /* permitted constraint can be narrowed */
+ inherited = suffix_matches(constraint, id);
+ }
+ else
+ { /* excluded constraint can be widened */
+ inherited = suffix_matches(id, constraint);
+ }
+ break;
+ case ID_DER_ASN1_DN:
+ if (permitted)
+ {
+ inherited = dn_matches(constraint, id);
+ }
+ else
+ {
+ inherited = dn_matches(id, constraint);
+ }
+ break;
+ default:
+ DBG1(DBG_CFG, "%N NameConstraint matching not implemented",
+ id_type_names, type);
+ inherited = FALSE;
+ break;
+ }
+ }
+ if (inherited)
+ {
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return inherited;
+}
+
+/**
+ * Check name constraints
+ */
+static bool check_name_constraints(certificate_t *subject, x509_t *issuer)
+{
+ enumerator_t *enumerator;
+ identification_t *constraint;
+
+ enumerator = issuer->create_name_constraint_enumerator(issuer, TRUE);
+ while (enumerator->enumerate(enumerator, &constraint))
+ {
+ if (!name_constraint_matches(constraint, subject, TRUE))
+ {
+ DBG1(DBG_CFG, "certificate '%Y' does not match permitted name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ if (!name_constraint_inherited(constraint, (x509_t*)subject, TRUE))
+ {
+ DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit permitted name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ enumerator = issuer->create_name_constraint_enumerator(issuer, FALSE);
+ while (enumerator->enumerate(enumerator, &constraint))
+ {
+ if (name_constraint_matches(constraint, subject, FALSE))
+ {
+ DBG1(DBG_CFG, "certificate '%Y' matches excluded name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ if (!name_constraint_inherited(constraint, (x509_t*)subject, FALSE))
+ {
+ DBG1(DBG_CFG, "intermediate CA '%Y' does not inherit excluded name "
+ "constraint '%Y'", subject->get_subject(subject), constraint);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return TRUE;
+}
+
+/**
+ * Special OID for anyPolicy
+ */
+static chunk_t any_policy = chunk_from_chars(0x55,0x1d,0x20,0x00);
+
+/**
+ * Check if an issuer certificate has a given policy OID
+ */
+static bool has_policy(x509_t *issuer, chunk_t oid)
+{
+ x509_policy_mapping_t *mapping;
+ x509_cert_policy_t *policy;
+ enumerator_t *enumerator;
+
+ enumerator = issuer->create_cert_policy_enumerator(issuer);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ if (chunk_equals(oid, policy->oid) ||
+ chunk_equals(any_policy, policy->oid))
+ {
+ enumerator->destroy(enumerator);
+ return TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ /* fall back to a mapped policy */
+ enumerator = issuer->create_policy_mapping_enumerator(issuer);
+ while (enumerator->enumerate(enumerator, &mapping))
+ {
+ if (chunk_equals(mapping->subject, oid))
+ {
+ enumerator->destroy(enumerator);
+ return TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return FALSE;
+}
+
+/**
+ * Check certificatePolicies.
+ */
+static bool check_policy(x509_t *subject, x509_t *issuer, bool check,
+ auth_cfg_t *auth)
+{
+ certificate_t *cert = (certificate_t*)subject;
+ x509_policy_mapping_t *mapping;
+ x509_cert_policy_t *policy;
+ enumerator_t *enumerator;
+ char *oid;
+
+ /* verify if policyMappings in subject are valid */
+ enumerator = subject->create_policy_mapping_enumerator(subject);
+ while (enumerator->enumerate(enumerator, &mapping))
+ {
+ if (!has_policy(issuer, mapping->issuer))
+ {
+ oid = asn1_oid_to_string(mapping->issuer);
+ DBG1(DBG_CFG, "certificate '%Y' maps policy from %s, but issuer "
+ "misses it", cert->get_subject(cert), oid);
+ free(oid);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ }
+ enumerator->destroy(enumerator);
+
+ if (check)
+ {
+ enumerator = subject->create_cert_policy_enumerator(subject);
+ while (enumerator->enumerate(enumerator, &policy))
+ {
+ if (!has_policy(issuer, policy->oid))
+ {
+ oid = asn1_oid_to_string(policy->oid);
+ DBG1(DBG_CFG, "policy %s missing in issuing certificate '%Y'",
+ oid, cert->get_issuer(cert));
+ free(oid);
+ enumerator->destroy(enumerator);
+ return FALSE;
+ }
+ if (auth)
+ {
+ oid = asn1_oid_to_string(policy->oid);
+ if (oid)
+ {
+ auth->add(auth, AUTH_RULE_CERT_POLICY, oid);
+ }
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+
+ return TRUE;
+}
+
+/**
+ * Check len certificates in trustchain for inherited policies
+ */
+static bool has_policy_chain(linked_list_t *chain, x509_t *subject, int len)
+{
+ enumerator_t *enumerator;
+ x509_t *issuer;
+ bool valid = TRUE;
+
+ enumerator = chain->create_enumerator(chain);
+ while (len-- > 0 && enumerator->enumerate(enumerator, &issuer))
+ {
+ if (!check_policy(subject, issuer, TRUE, NULL))
+ {
+ valid = FALSE;
+ break;
+ }
+ subject = issuer;
+ }
+ enumerator->destroy(enumerator);
+ return valid;
+}
+
+/**
+ * Check len certificates in trustchain to have no policyMappings
+ */
+static bool has_no_policy_mapping(linked_list_t *chain, int len)
+{
+ enumerator_t *enumerator, *mappings;
+ x509_policy_mapping_t *mapping;
+ certificate_t *cert;
+ x509_t *x509;
+ bool valid = TRUE;
+
+ enumerator = chain->create_enumerator(chain);
+ while (len-- > 0 && enumerator->enumerate(enumerator, &x509))
+ {
+ mappings = x509->create_policy_mapping_enumerator(x509);
+ valid = !mappings->enumerate(mappings, &mapping);
+ mappings->destroy(mappings);
+ if (!valid)
+ {
+ cert = (certificate_t*)x509;
+ DBG1(DBG_CFG, "found policyMapping in certificate '%Y', but "
+ "inhibitPolicyMapping in effect", cert->get_subject(cert));
+ break;
+ }
+ }
+ enumerator->destroy(enumerator);
+ return valid;
+}
+
+/**
+ * Check len certificates in trustchain to have no anyPolicies
+ */
+static bool has_no_any_policy(linked_list_t *chain, int len)
+{
+ enumerator_t *enumerator, *policies;
+ x509_cert_policy_t *policy;
+ certificate_t *cert;
+ x509_t *x509;
+ bool valid = TRUE;
+
+ enumerator = chain->create_enumerator(chain);
+ while (len-- > 0 && enumerator->enumerate(enumerator, &x509))
+ {
+ policies = x509->create_cert_policy_enumerator(x509);
+ while (policies->enumerate(policies, &policy))
+ {
+ if (chunk_equals(policy->oid, any_policy))
+ {
+ cert = (certificate_t*)x509;
+ DBG1(DBG_CFG, "found anyPolicy in certificate '%Y', but "
+ "inhibitAnyPolicy in effect", cert->get_subject(cert));
+ valid = FALSE;
+ break;
+ }
+ }
+ policies->destroy(policies);
+ }
+ enumerator->destroy(enumerator);
+ return valid;
+}
+
+/**
+ * Check requireExplicitPolicy and inhibitPolicyMapping constraints
+ */
+static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
+ auth_cfg_t *auth)
+{
+ certificate_t *subject;
+ bool valid = TRUE;
+
+ subject = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+ if (subject)
+ {
+ if (subject->get_type(subject) == CERT_X509)
+ {
+ enumerator_t *enumerator;
+ linked_list_t *chain;
+ certificate_t *cert;
+ auth_rule_t rule;
+ x509_t *x509;
+ int len = 0;
+ u_int expl, inh;
+
+ /* prepare trustchain to validate */
+ chain = linked_list_create();
+ enumerator = auth->create_enumerator(auth);
+ while (enumerator->enumerate(enumerator, &rule, &cert))
+ {
+ if (rule == AUTH_RULE_IM_CERT &&
+ cert->get_type(cert) == CERT_X509)
+ {
+ chain->insert_last(chain, cert);
+ }
+ }
+ enumerator->destroy(enumerator);
+ chain->insert_last(chain, issuer);
+
+ /* search for requireExplicitPolicy constraints */
+ enumerator = chain->create_enumerator(chain);
+ while (enumerator->enumerate(enumerator, &x509))
+ {
+ expl = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY);
+ if (expl != X509_NO_CONSTRAINT)
+ {
+ if (!has_policy_chain(chain, (x509_t*)subject, len - expl))
+ {
+ valid = FALSE;
+ break;
+ }
+ }
+ len++;
+ }
+ enumerator->destroy(enumerator);
+
+ /* search for inhibitPolicyMapping/inhibitAnyPolicy constraints */
+ len = 0;
+ chain->insert_first(chain, subject);
+ enumerator = chain->create_enumerator(chain);
+ while (enumerator->enumerate(enumerator, &x509))
+ {
+ inh = x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING);
+ if (inh != X509_NO_CONSTRAINT)
+ {
+ if (!has_no_policy_mapping(chain, len - inh))
+ {
+ valid = FALSE;
+ break;
+ }
+ }
+ inh = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY);
+ if (inh != X509_NO_CONSTRAINT)
+ {
+ if (!has_no_any_policy(chain, len - inh))
+ {
+ valid = FALSE;
+ break;
+ }
+ }
+ len++;
+ }
+ enumerator->destroy(enumerator);
+
+ chain->destroy(chain);
+ }
+ }
+ return valid;
+}
+
+METHOD(cert_validator_t, validate, bool,
+ private_constraints_validator_t *this, certificate_t *subject,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
+ auth_cfg_t *auth)
+{
+ if (issuer->get_type(issuer) == CERT_X509 &&
+ subject->get_type(subject) == CERT_X509)
+ {
+ if (!check_pathlen((x509_t*)issuer, pathlen))
+ {
+ return FALSE;
+ }
+ if (!check_name_constraints(subject, (x509_t*)issuer))
+ {
+ return FALSE;
+ }
+ if (!check_policy((x509_t*)subject, (x509_t*)issuer, !pathlen, auth))
+ {
+ return FALSE;
+ }
+ if (anchor)
+ {
+ if (!check_policy_constraints((x509_t*)issuer, pathlen, auth))
+ {
+ return FALSE;
+ }
+ }
+ }
+ return TRUE;
+}
+
+METHOD(constraints_validator_t, destroy, void,
+ private_constraints_validator_t *this)
+{
+ free(this);
+}
+
+/**
+ * See header
+ */
+constraints_validator_t *constraints_validator_create()
+{
+ private_constraints_validator_t *this;
+
+ INIT(this,
+ .public = {
+ .validator.validate = _validate,
+ .destroy = _destroy,
+ },
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.h b/src/libstrongswan/plugins/constraints/constraints_validator.h
new file mode 100644
index 000000000..44582d6c8
--- /dev/null
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.h
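Review bot: `suffix_matches` accepts any byte suffix, so a permitted FQDN subtree `example.com` also admits a SAN such as `notexample.com`, and for rfc822 names a mailbox constraint `bob@example.com` admits `alicebob@example.com`; RFC 5280 §4.2.1.10 only allows extra labels on the left of the constraint (or a leading `.` for a whole domain), so the match has to land on a `.` or `@` boundary of the name. The rewrite below keeps the existing suffix test and adds that boundary check without changing the function's contract. Separately, `check_name_constraints` appears to require the subject to match every permitted constraint of a given name type rather than at least one, whereas permitted subtrees of one type form a union under RFC 5280 — worth confirming against a CA that permits two domains. In `check_policy`, the `oid` returned by `asn1_oid_to_string()` is printed with `%s` in both DBG1 calls with no NULL guard, while the `auth->add` branch does guard it with `if (oid)`; the log lines need the same guard.
```c
static bool suffix_matches(identification_t *constraint, identification_t *id)
{
	chunk_t c, i;
	char boundary;

	c = constraint->get_encoding(constraint);
	i = id->get_encoding(id);

	if (i.len < c.len || !chunk_equals(c, chunk_skip(i, i.len - c.len)))
	{
		return FALSE;
	}
	if (i.len == c.len || (c.len && c.ptr[0] == '.'))
	{	/* exact match, or the constraint names a whole (sub)domain */
		return TRUE;
	}
	/* the suffix must start at a label or mailbox boundary of the name */
	boundary = i.ptr[i.len - c.len - 1];
	return boundary == '.' || boundary == '@';
}
```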
@@ -0,0 +1,49 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup constraints_validator constraints_validator + * @{ @ingroup constraints + */ + +#ifndef CONSTRAINTS_VALIDATOR_H_ +#define CONSTRAINTS_VALIDATOR_H_ + +#include + +typedef struct constraints_validator_t constraints_validator_t; + +/** + * Certificate validator doing advanced X509 constraint checking. + */ +struct constraints_validator_t { + + /** + * Implements cert_validator_t interface. + */ + cert_validator_t validator; + + /** + * Destroy a constraints_validator_t. + */ + void (*destroy)(constraints_validator_t *this); +}; + +/** + * Create a constraints_validator instance. + */ +constraints_validator_t *constraints_validator_create(); + +#endif /** CONSTRAINTS_VALIDATOR_H_ @}*/ diff --git a/src/libstrongswan/plugins/ctr/Makefile.in b/src/libstrongswan/plugins/ctr/Makefile.in index b51f57113..2f6be07e2 100644 --- a/src/libstrongswan/plugins/ctr/Makefile.in +++ b/src/libstrongswan/plugins/ctr/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ctr/ctr_plugin.c b/src/libstrongswan/plugins/ctr/ctr_plugin.c index 5e47f23ec..9f1bf957f 100644 --- a/src/libstrongswan/plugins/ctr/ctr_plugin.c +++ b/src/libstrongswan/plugins/ctr/ctr_plugin.c @@ -19,6 +19,8 @@ #include "ctr_ipsec_crypter.h" +static const char *plugin_name = "ctr"; + typedef struct private_ctr_plugin_t private_ctr_plugin_t; /** @@ -47,6 +49,7 @@ METHOD(plugin_t, destroy, void, plugin_t *ctr_plugin_create() { private_ctr_plugin_t *this; + crypter_t *crypter; INIT(this, .public = { @@ -56,10 +59,19 @@ plugin_t *ctr_plugin_create() }, ); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, - (crypter_constructor_t)ctr_ipsec_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, - (crypter_constructor_t)ctr_ipsec_crypter_create); - + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name, + (crypter_constructor_t)ctr_ipsec_crypter_create); + } + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name, + (crypter_constructor_t)ctr_ipsec_crypter_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/curl/Makefile.in b/src/libstrongswan/plugins/curl/Makefile.in index 9cc99063c..e61c73041 100644 --- a/src/libstrongswan/plugins/curl/Makefile.in +++ b/src/libstrongswan/plugins/curl/Makefile.in 
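Review bot: The availability probe in `ctr_plugin_create` (hunk `@@ -56,10 +59,19 @@`) silently skips registering ENCR_AES_CTR or ENCR_CAMELLIA_CTR when the matching CBC crypter cannot be created, so a later negotiation of a CTR transform fails with no hint of why; an `else` branch with `DBG1(DBG_LIB, "AES-CBC unavailable, not registering AES-CTR");` (and the Camellia counterpart) would make that diagnosable. Because the probe runs once at plugin creation, the outcome presumably depends on the CBC provider being loaded before this plugin; a short comment above the first `create_crypter()` call stating that load-order dependency would save the next reader a debugging session. The probe also only asks for a 16-byte key, which is fine for an existence check but worth noting in that comment. `ctr_plugin_create` begins before this hunk.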
@@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/curl/curl_fetcher.c b/src/libstrongswan/plugins/curl/curl_fetcher.c index 4835f6461..82e24e810 100644 --- a/src/libstrongswan/plugins/curl/curl_fetcher.c +++ b/src/libstrongswan/plugins/curl/curl_fetcher.c @@ -104,6 +104,7 @@ METHOD(fetcher_t, fetch, status_t, METHOD(fetcher_t, set_option, bool, private_curl_fetcher_t *this, fetcher_option_t option, ...) { + bool supported = TRUE; va_list args; va_start(args, option); @@ -115,7 +116,7 @@ METHOD(fetcher_t, set_option, bool, curl_easy_setopt(this->curl, CURLOPT_POSTFIELDS, (char*)data.ptr); curl_easy_setopt(this->curl, CURLOPT_POSTFIELDSIZE, data.len); - return TRUE; + break; } case FETCH_REQUEST_TYPE: { @@ -124,30 +125,33 @@ METHOD(fetcher_t, set_option, bool, snprintf(header, BUF_LEN, "Content-Type: %s", request_type); this->headers = curl_slist_append(this->headers, header); - return TRUE; + break; } case FETCH_REQUEST_HEADER: { char *header = va_arg(args, char*); this->headers = curl_slist_append(this->headers, header); - return TRUE; + break; } case FETCH_HTTP_VERSION_1_0: { curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0); - return TRUE; + break; } case FETCH_TIMEOUT: { curl_easy_setopt(this->curl, CURLOPT_CONNECTTIMEOUT, va_arg(args, u_int)); - return TRUE; + break; } default: - return FALSE; + supported = FALSE; + break; } + va_end(args); + return supported; } METHOD(fetcher_t, destroy, void, 
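Review bot: In the curl_fetcher.c set_option hunks, `supported` stays TRUE even when libcurl rejects an option, because the CURLcode returned by every `curl_easy_setopt` call is discarded; e.g. `if (curl_easy_setopt(this->curl, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_0) != CURLE_OK) { supported = FALSE; }` would let the caller notice. Separately, FETCH_TIMEOUT maps only to `CURLOPT_CONNECTTIMEOUT`, which bounds the TCP connect but not the transfer, so a peer that accepts the connection and then stalls keeps the fetch — and whatever validation step called it — blocked with no upper bound; consider also setting `CURLOPT_TIMEOUT` from the same value, `curl_easy_setopt(this->curl, CURLOPT_TIMEOUT, timeout);`, with the argument read once into a local. The va_end-on-every-path fix itself looks right.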
diff --git a/src/libstrongswan/plugins/curl/curl_plugin.c b/src/libstrongswan/plugins/curl/curl_plugin.c index e00fcfc03..387da03aa 100644 --- a/src/libstrongswan/plugins/curl/curl_plugin.c +++ b/src/libstrongswan/plugins/curl/curl_plugin.c @@ -34,10 +34,8 @@ struct private_curl_plugin_t { curl_plugin_t public; }; -/** - * Implementation of curl_plugin_t.curltroy - */ -static void destroy(private_curl_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_curl_plugin_t *this) { lib->fetcher->remove_fetcher(lib->fetcher, (fetcher_constructor_t)curl_fetcher_create); @@ -51,9 +49,15 @@ static void destroy(private_curl_plugin_t *this) plugin_t *curl_plugin_create() { CURLcode res; - private_curl_plugin_t *this = malloc_thing(private_curl_plugin_t); + private_curl_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); res = curl_global_init(CURL_GLOBAL_NOTHING); if (res == CURLE_OK) diff --git a/src/libstrongswan/plugins/des/Makefile.in b/src/libstrongswan/plugins/des/Makefile.in index 0e8fa7315..e45988ca9 100644 --- a/src/libstrongswan/plugins/des/Makefile.in +++ b/src/libstrongswan/plugins/des/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/des/des_plugin.c b/src/libstrongswan/plugins/des/des_plugin.c index 43b457ce2..d420d789e 100644 --- a/src/libstrongswan/plugins/des/des_plugin.c 
+++ b/src/libstrongswan/plugins/des/des_plugin.c
@@ -18,6 +18,8 @@
 #include
 #include "des_crypter.h"
 
+static const char *plugin_name = "des";
+
 typedef struct private_des_plugin_t private_des_plugin_t;
 
 /**
@@ -54,11 +56,11 @@ plugin_t *des_plugin_create()
 },
 );
 
- lib->crypto->add_crypter(lib->crypto, ENCR_3DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name,
 (crypter_constructor_t)des_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name,
 (crypter_constructor_t)des_crypter_create);
- lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB,
+ lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name,
 (crypter_constructor_t)des_crypter_create);
 
 return &this->public.plugin;
diff --git a/src/libstrongswan/plugins/dnskey/Makefile.in b/src/libstrongswan/plugins/dnskey/Makefile.in
index 7f4529211..d1dce4679 100644
--- a/src/libstrongswan/plugins/dnskey/Makefile.in
+++ b/src/libstrongswan/plugins/dnskey/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
index bc0ee30ae..d11b149df 100644
--- a/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
+++ b/src/libstrongswan/plugins/dnskey/dnskey_plugin.c
@@ -31,10 +31,8 @@ struct private_dnskey_plugin_t {
 dnskey_plugin_t public;
 };
 
-/**
- * Implementation of dnskey_plugin_t.dnskeytroy
- */
-static void destroy(private_dnskey_plugin_t *this)
+METHOD(plugin_t, destroy, void,
+ private_dnskey_plugin_t *this)
 {
 lib->creds->remove_builder(lib->creds,
 (builder_function_t)dnskey_public_key_load);
@@ -46,10 +44,15 @@ static void destroy(private_dnskey_plugin_t *this)
 */
 plugin_t *dnskey_plugin_create()
 {
- private_dnskey_plugin_t *this = malloc_thing(private_dnskey_plugin_t);
-
- this->public.plugin.destroy = (void(*)(plugin_t*))destroy;
-
+ private_dnskey_plugin_t *this;
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
 lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE,
 (builder_function_t)dnskey_public_key_load);
 lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE,
diff --git a/src/libstrongswan/plugins/fips_prf/Makefile.in b/src/libstrongswan/plugins/fips_prf/Makefile.in
index 7e2a1ccdf..ab1ed6d00 100644
--- a/src/libstrongswan/plugins/fips_prf/Makefile.in
+++ b/src/libstrongswan/plugins/fips_prf/Makefile.in
@@ -222,9 +222,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -263,6 +261,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf.c b/src/libstrongswan/plugins/fips_prf/fips_prf.c
index ad03fa585..ee71f6efd 100644
--- a/src/libstrongswan/plugins/fips_prf/fips_prf.c
+++ b/src/libstrongswan/plugins/fips_prf/fips_prf.c
@@ -106,7 +106,8 @@ static void chunk_mod(size_t length, chunk_t chunk, u_int8_t buffer[]) * 0xcb, 0x0f, 0x6c, 0x55, 0xba, 0xbb, 0x13, 0x78, * 0x8e, 0x20, 0xd7, 0x37, 0xa3, 0x27, 0x51, 0x16 */ -static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) +METHOD(prf_t, get_bytes, void, + private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) { int i; u_int8_t xval[this->b]; @@ -139,34 +140,26 @@ static void get_bytes(private_fips_prf_t *this, chunk_t seed, u_int8_t w[]) /* 3.3 done already, mod q not used */ } -/** - * Implementation of prf_t.get_block_size. - */ -static size_t get_block_size(private_fips_prf_t *this) +METHOD(prf_t, get_block_size, size_t, + private_fips_prf_t *this) { return 2 * this->b; } -/** - * Implementation of prf_t.allocate_bytes. - */ -static void allocate_bytes(private_fips_prf_t *this, chunk_t seed, chunk_t *chunk) +METHOD(prf_t, allocate_bytes, void, + private_fips_prf_t *this, chunk_t seed, chunk_t *chunk) { *chunk = chunk_alloc(get_block_size(this)); get_bytes(this, seed, chunk->ptr); } -/** - * Implementation of prf_t.get_key_size. - */ -static size_t get_key_size(private_fips_prf_t *this) +METHOD(prf_t, get_key_size, size_t, + private_fips_prf_t *this) { return this->b; } -/** - * Implementation of prf_t.set_key. - */ -static void set_key(private_fips_prf_t *this, chunk_t key) +METHOD(prf_t, set_key, void, + private_fips_prf_t *this, chunk_t key) { /* save key as "key mod 2^b" */ chunk_mod(this->b, key, this->key); @@ -198,10 +191,8 @@ void g_sha1(private_fips_prf_t *this, chunk_t c, u_int8_t res[]) this->keyed_prf->get_bytes(this->keyed_prf, c, res); } -/** - * Implementation of prf_t.destroy. - */ -static void destroy(private_fips_prf_t *this) +METHOD(prf_t, destroy, void, + private_fips_prf_t *this) { this->keyed_prf->destroy(this->keyed_prf); free(this->key); 
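Review bot: In the destroy hunk, `free(this->key);` releases the PRF key — which set_key stores as "key mod 2^b" per its own comment in this same file — without clearing it first, so the secret remains readable in freed heap memory until it is reused. Before the `free`, wipe the `this->b` bytes with whatever compiler-resistant wipe helper the library provides; a plain `memset` immediately followed by `free` may be optimized away. This predates the METHOD() conversion, but the hunk is the right place to fix it. destroy's body continues outside the hunk.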
@@ -213,14 +204,20 @@ static void destroy(private_fips_prf_t *this) */ fips_prf_t *fips_prf_create(pseudo_random_function_t algo) { - private_fips_prf_t *this = malloc_thing(private_fips_prf_t); - - this->public.prf_interface.get_bytes = (void (*) (prf_t *,chunk_t,u_int8_t*))get_bytes; - this->public.prf_interface.allocate_bytes = (void (*) (prf_t*,chunk_t,chunk_t*))allocate_bytes; - this->public.prf_interface.get_block_size = (size_t (*) (prf_t*))get_block_size; - this->public.prf_interface.get_key_size = (size_t (*) (prf_t*))get_key_size; - this->public.prf_interface.set_key = (void (*) (prf_t *,chunk_t))set_key; - this->public.prf_interface.destroy = (void (*) (prf_t *))destroy; + private_fips_prf_t *this; + + INIT(this, + .public = { + .prf_interface = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .get_block_size = _get_block_size, + .get_key_size = _get_key_size, + .set_key = _set_key, + .destroy = _destroy, + }, + }, + ); switch (algo) { diff --git a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c index f41265637..3cce6ad91 100644 --- a/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c +++ b/src/libstrongswan/plugins/fips_prf/fips_prf_plugin.c @@ -18,6 +18,8 @@ #include #include "fips_prf.h" +static const char *plugin_name = "fips-prf"; + typedef struct private_fips_prf_plugin_t private_fips_prf_plugin_t; /** @@ -31,10 +33,8 @@ struct private_fips_prf_plugin_t { fips_prf_plugin_t public; }; -/** - * Implementation of fips_prf_plugin_t.destroy - */ -static void destroy(private_fips_prf_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_fips_prf_plugin_t *this) { lib->crypto->remove_prf(lib->crypto, (prf_constructor_t)fips_prf_create); 
@@ -46,12 +46,24 @@ static void destroy(private_fips_prf_plugin_t *this) */ plugin_t *fips_prf_plugin_create() { - private_fips_prf_plugin_t *this = malloc_thing(private_fips_prf_plugin_t); + private_fips_prf_plugin_t *this; + prf_t *prf; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, - (prf_constructor_t)fips_prf_create); + prf = lib->crypto->create_prf(lib->crypto, PRF_KEYED_SHA1); + if (prf) + { + prf->destroy(prf); + lib->crypto->add_prf(lib->crypto, PRF_FIPS_SHA1_160, plugin_name, + (prf_constructor_t)fips_prf_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/plugins/gcm/Makefile.in b/src/libstrongswan/plugins/gcm/Makefile.in index a4de9ea77..9e0b49776 100644 --- a/src/libstrongswan/plugins/gcm/Makefile.in +++ b/src/libstrongswan/plugins/gcm/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/gcm/gcm_plugin.c b/src/libstrongswan/plugins/gcm/gcm_plugin.c index 061001b30..a438fb073 100644 --- a/src/libstrongswan/plugins/gcm/gcm_plugin.c +++ b/src/libstrongswan/plugins/gcm/gcm_plugin.c @@ -19,6 +19,8 @@ #include "gcm_aead.h" +static const char *plugin_name = "gcm"; + typedef struct private_gcm_plugin_t private_gcm_plugin_t; /** 
@@ -47,17 +49,23 @@ METHOD(plugin_t, destroy, void,
 plugin_t *gcm_plugin_create()
 {
 private_gcm_plugin_t *this;
+ crypter_t *crypter;
 
 INIT(this,
 .public.plugin.destroy = _destroy,
 );
 
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8,
- (aead_constructor_t)gcm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12,
- (aead_constructor_t)gcm_aead_create);
- lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16,
- (aead_constructor_t)gcm_aead_create);
+ crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 0);
+ if (crypter)
+ {
+ crypter->destroy(crypter);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV8, plugin_name,
+ (aead_constructor_t)gcm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV12, plugin_name,
+ (aead_constructor_t)gcm_aead_create);
+ lib->crypto->add_aead(lib->crypto, ENCR_AES_GCM_ICV16, plugin_name,
+ (aead_constructor_t)gcm_aead_create);
+ }
 
 return &this->public.plugin;
 }
diff --git a/src/libstrongswan/plugins/gcrypt/Makefile.in b/src/libstrongswan/plugins/gcrypt/Makefile.in
index 00c49c487..1bcada7dc 100644
--- a/src/libstrongswan/plugins/gcrypt/Makefile.in
+++ b/src/libstrongswan/plugins/gcrypt/Makefile.in
@@ -223,9 +223,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -264,6 +262,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
index 590add5c8..a53fed448 100644
--- a/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
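Review bot: The capability probe in gcm_plugin_create passes key size 0, `create_crypter(lib->crypto, ENCR_AES_CBC, 0)`, while the equivalent probe in ctr_plugin_create in this same commit passes 16; whether a provider accepts 0 as "default key size" is not visible here, and if one rejects it, all three AES-GCM variants silently go unregistered even though AES is available. Use the same explicit size in both places, `crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16);`, or add a comment stating that 0 intentionally means a provider-chosen default.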
+++ b/src/libstrongswan/plugins/gcrypt/gcrypt_plugin.c
@@ -29,6 +29,8 @@
 #include
 #include
 
+static const char *plugin_name = "gcrypt";
+
 typedef struct private_gcrypt_plugin_t private_gcrypt_plugin_t;
 
 /**
@@ -148,79 +150,79 @@ plugin_t *gcrypt_plugin_create() ); /* hashers */ - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD4, + lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)gcrypt_hasher_create); /* crypters */ - lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAST, + lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES, + lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name, 
(crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CTR, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); #ifdef HAVE_GCRY_CIPHER_CAMELLIA - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CTR, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); #endif /* HAVE_GCRY_CIPHER_CAMELLIA */ - lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_SERPENT_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_TWOFISH_CBC, plugin_name, (crypter_constructor_t)gcrypt_crypter_create); /* random numbers */ - lib->crypto->add_rng(lib->crypto, RNG_WEAK, + lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name, (rng_constructor_t)gcrypt_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_STRONG, + lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)gcrypt_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_TRUE, + lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)gcrypt_rng_create); /* diffie hellman groups, using modp */ - lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_224, + lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, 
MODP_2048_256, + lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_160, + lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)gcrypt_dh_create); - lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, (dh_constructor_t)gcrypt_dh_create_custom); /* RSA */ diff --git a/src/libstrongswan/plugins/gmp/Makefile.in b/src/libstrongswan/plugins/gmp/Makefile.in index b4ec1ed8d..f73bfb406 100644 --- a/src/libstrongswan/plugins/gmp/Makefile.in +++ b/src/libstrongswan/plugins/gmp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -261,6 +259,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/libstrongswan/plugins/gmp/gmp_plugin.c b/src/libstrongswan/plugins/gmp/gmp_plugin.c
index 9b4fad3da..e9bfbcc28 100644
--- a/src/libstrongswan/plugins/gmp/gmp_plugin.c
+++ b/src/libstrongswan/plugins/gmp/gmp_plugin.c
@@ -20,6 +20,8 @@
 #include "gmp_rsa_private_key.h"
 #include "gmp_rsa_public_key.h"
 
+static const char *plugin_name = "gmp";
+
 typedef struct private_gmp_plugin_t private_gmp_plugin_t;
 
 /**
@@ -64,30 +66,30 @@ plugin_t *gmp_plugin_create() }, ); - lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_224, + lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_256, + lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_160, + lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, plugin_name, (dh_constructor_t)gmp_diffie_hellman_create_custom); 
lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, diff --git a/src/libstrongswan/plugins/hmac/Makefile.in b/src/libstrongswan/plugins/hmac/Makefile.in index 42a7d3747..72cc23b72 100644 --- a/src/libstrongswan/plugins/hmac/Makefile.in +++ b/src/libstrongswan/plugins/hmac/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/hmac/hmac_plugin.c b/src/libstrongswan/plugins/hmac/hmac_plugin.c index 73df4dc6c..76d6157ae 100644 --- a/src/libstrongswan/plugins/hmac/hmac_plugin.c +++ b/src/libstrongswan/plugins/hmac/hmac_plugin.c @@ -19,6 +19,8 @@ #include "hmac_signer.h" #include "hmac_prf.h" +static const char *plugin_name = "hmac"; + typedef struct private_hmac_plugin_t private_hmac_plugin_t; /** @@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void, plugin_t *hmac_plugin_create() { private_hmac_plugin_t *this; + hasher_t *hasher; INIT(this, .public = { 
@@ -57,37 +60,62 @@ plugin_t *hmac_plugin_create() }, ); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, - (prf_constructor_t)hmac_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, - (prf_constructor_t)hmac_prf_create); + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, plugin_name, + (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA256); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_256, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_256, plugin_name, + (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_96, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_128, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA1_160, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_256_128, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, 
AUTH_HMAC_SHA2_256_256, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, - (signer_constructor_t)hmac_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, - (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_MD5); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_MD5, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_96, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_MD5_128, plugin_name, + (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA384); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_384, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_192, plugin_name, + (signer_constructor_t)hmac_signer_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_384_384, plugin_name, + (signer_constructor_t)hmac_signer_create); + } + hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA512); + if (hasher) + { + hasher->destroy(hasher); + lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA2_512, plugin_name, + (prf_constructor_t)hmac_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_HMAC_SHA2_512_256, plugin_name, + (signer_constructor_t)hmac_signer_create); + } return &this->public.plugin; } 
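Review bot: The probe-then-register sequence in hmac_plugin_create (hunk starting on the previous line) is written out five times with only the hash algorithm and the registered PRF/signer identifiers varying, which makes the function long and invites copy-paste drift; a small static helper that answers "is a hasher for this algorithm available" would reduce each group to a single `if`. The helper below uses only calls already present in the hunk; the hash-algorithm parameter type should be whatever `create_hasher` takes.

```c
/* TRUE if the registry can currently build a hasher for `hash`; the
 * HMAC constructions below depend on that hasher being available. */
static bool hasher_available(hash_algorithm_t hash)
{
	hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, hash);
	if (hasher)
	{
		hasher->destroy(hasher);
		return TRUE;
	}
	return FALSE;
}

	/* … unchanged: INIT(this, …) … */
	if (hasher_available(HASH_SHA1))
	{
		lib->crypto->add_prf(lib->crypto, PRF_HMAC_SHA1, plugin_name,
							 (prf_constructor_t)hmac_prf_create);
		/* … unchanged: SHA1 signer registrations … */
	}
	/* … unchanged: same shape for HASH_SHA256, HASH_MD5, HASH_SHA384, HASH_SHA512 … */
```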
diff --git a/src/libstrongswan/plugins/ldap/Makefile.in b/src/libstrongswan/plugins/ldap/Makefile.in index 65a135e76..7235784e2 100644 --- a/src/libstrongswan/plugins/ldap/Makefile.in +++ b/src/libstrongswan/plugins/ldap/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/ldap/ldap_fetcher.c b/src/libstrongswan/plugins/ldap/ldap_fetcher.c index 59e655cd5..e6c592217 100644 --- a/src/libstrongswan/plugins/ldap/ldap_fetcher.c +++ b/src/libstrongswan/plugins/ldap/ldap_fetcher.c @@ -100,8 +100,8 @@ static bool parse(LDAP *ldap, LDAPMessage *result, chunk_t *response) } -static status_t fetch(private_ldap_fetcher_t *this, char *url, - chunk_t *result, va_list args) +METHOD(fetcher_t, fetch, status_t, + private_ldap_fetcher_t *this, char *url, chunk_t *result) { LDAP *ldap; LDAPURLDesc *lurl; @@ -166,10 +166,8 @@ static status_t fetch(private_ldap_fetcher_t *this, char *url, } -/** - * Implementation of fetcher_t.set_option. - */ -static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, ...) +METHOD(fetcher_t, set_option, bool, + private_ldap_fetcher_t *this, fetcher_option_t option, ...) { va_list args; @@ -186,10 +184,8 @@ static bool set_option(private_ldap_fetcher_t *this, fetcher_option_t option, .. } } -/** - * Implements ldap_fetcher_t.destroy - */ -static void destroy(private_ldap_fetcher_t *this) +METHOD(fetcher_t, destroy, void, + private_ldap_fetcher_t *this) { free(this); } 
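Review bot: The ldap_fetcher.c set_option hunk ends at `va_list args;`, so the body is outside the hunk; the curl set_option in this same commit was rewritten precisely so that `va_end(args)` runs on every return path, and I cannot confirm from here that the ldap variant does the same. Worth checking that every `return` in ldap's set_option is preceded by `va_end(args);`, or that it adopts the single-exit `supported` flag shape used in curl_fetcher.c. The fetch conversion also drops the `va_list args` parameter from the signature; that matches the cast the old ldap_fetcher_create applied, so it looks intended.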
@@ -199,13 +195,18 @@ static void destroy(private_ldap_fetcher_t *this) */ ldap_fetcher_t *ldap_fetcher_create() { - private_ldap_fetcher_t *this = malloc_thing(private_ldap_fetcher_t); - - this->public.interface.fetch = (status_t(*)(fetcher_t*,char*,chunk_t*))fetch; - this->public.interface.set_option = (bool(*)(fetcher_t*, fetcher_option_t option, ...))set_option; - this->public.interface.destroy = (void (*)(fetcher_t*))destroy; - - this->timeout = DEFAULT_TIMEOUT; + private_ldap_fetcher_t *this; + + INIT(this, + .public = { + .interface = { + .fetch = _fetch, + .set_option = _set_option, + .destroy = _destroy, + }, + }, + .timeout = DEFAULT_TIMEOUT, + ); return &this->public; } diff --git a/src/libstrongswan/plugins/ldap/ldap_plugin.c b/src/libstrongswan/plugins/ldap/ldap_plugin.c index 372ac9f93..3682ddd1f 100644 --- a/src/libstrongswan/plugins/ldap/ldap_plugin.c +++ b/src/libstrongswan/plugins/ldap/ldap_plugin.c @@ -31,10 +31,8 @@ struct private_ldap_plugin_t { ldap_plugin_t public; }; -/** - * Implementation of ldap_plugin_t.destroy - */ -static void destroy(private_ldap_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_ldap_plugin_t *this) { lib->fetcher->remove_fetcher(lib->fetcher, (fetcher_constructor_t)ldap_fetcher_create); @@ -46,9 +44,15 @@ static void destroy(private_ldap_plugin_t *this) */ plugin_t *ldap_plugin_create() { - private_ldap_plugin_t *this = malloc_thing(private_ldap_plugin_t); + private_ldap_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->fetcher->add_fetcher(lib->fetcher, (fetcher_constructor_t)ldap_fetcher_create, "ldap://"); diff --git a/src/libstrongswan/plugins/md4/Makefile.in b/src/libstrongswan/plugins/md4/Makefile.in index a78dad97c..ea1a7a69a 100644 --- a/src/libstrongswan/plugins/md4/Makefile.in +++ b/src/libstrongswan/plugins/md4/Makefile.in 
@@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/md4/md4_plugin.c b/src/libstrongswan/plugins/md4/md4_plugin.c index 38ae0d4bc..cea1a61f3 100644 --- a/src/libstrongswan/plugins/md4/md4_plugin.c +++ b/src/libstrongswan/plugins/md4/md4_plugin.c @@ -18,6 +18,8 @@ #include #include "md4_hasher.h" +static const char *plugin_name = "md4"; + typedef struct private_md4_plugin_t private_md4_plugin_t; /** @@ -31,10 +33,8 @@ struct private_md4_plugin_t { md4_plugin_t public; }; -/** - * Implementation of md4_plugin_t.destroy - */ -static void destroy(private_md4_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_md4_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)md4_hasher_create); @@ -46,11 +46,17 @@ static void destroy(private_md4_plugin_t *this) */ plugin_t *md4_plugin_create() { - private_md4_plugin_t *this = malloc_thing(private_md4_plugin_t); + private_md4_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_MD4, + lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, (hasher_constructor_t)md4_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/md5/Makefile.in b/src/libstrongswan/plugins/md5/Makefile.in index 6de400e8e..05f101564 100644 --- a/src/libstrongswan/plugins/md5/Makefile.in 
+++ b/src/libstrongswan/plugins/md5/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/md5/md5_plugin.c b/src/libstrongswan/plugins/md5/md5_plugin.c index cfbf6acea..d11173817 100644 --- a/src/libstrongswan/plugins/md5/md5_plugin.c +++ b/src/libstrongswan/plugins/md5/md5_plugin.c @@ -18,6 +18,8 @@ #include #include "md5_hasher.h" +static const char *plugin_name = "md5"; + typedef struct private_md5_plugin_t private_md5_plugin_t; /** @@ -31,10 +33,8 @@ struct private_md5_plugin_t { md5_plugin_t public; }; -/** - * Implementation of md5_plugin_t.destroy - */ -static void destroy(private_md5_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_md5_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)md5_hasher_create); @@ -46,11 +46,17 @@ static void destroy(private_md5_plugin_t *this) */ plugin_t *md5_plugin_create() { - private_md5_plugin_t *this = malloc_thing(private_md5_plugin_t); + private_md5_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)md5_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/mysql/Makefile.in b/src/libstrongswan/plugins/mysql/Makefile.in index 7d4d42c14..4880415b3 100644 
--- a/src/libstrongswan/plugins/mysql/Makefile.in +++ b/src/libstrongswan/plugins/mysql/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/mysql/mysql_database.c b/src/libstrongswan/plugins/mysql/mysql_database.c index 8005b9149..5fbfa0f28 100644 --- a/src/libstrongswan/plugins/mysql/mysql_database.c +++ b/src/libstrongswan/plugins/mysql/mysql_database.c @@ -474,10 +474,8 @@ static bool mysql_enumerator_enumerate(mysql_enumerator_t *this, ...) return TRUE; } -/** - * Implementation of database_t.query. - */ -static enumerator_t* query(private_mysql_database_t *this, char *sql, ...) +METHOD(database_t, query, enumerator_t*, + private_mysql_database_t *this, char *sql, ...) { MYSQL_STMT *stmt; va_list args; @@ -563,10 +561,8 @@ static enumerator_t* query(private_mysql_database_t *this, char *sql, ...) return (enumerator_t*)enumerator; } -/** - * Implementation of database_t.execute. - */ -static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...) +METHOD(database_t, execute, int, + private_mysql_database_t *this, int *rowid, char *sql, ...) { MYSQL_STMT *stmt; va_list args; 
@@ -594,18 +590,14 @@ static int execute(private_mysql_database_t *this, int *rowid, char *sql, ...) return affected; } -/** - * Implementation of database_t.get_driver - */ -static db_driver_t get_driver(private_mysql_database_t *this) +METHOD(database_t, get_driver,db_driver_t, + private_mysql_database_t *this) { return DB_MYSQL; } -/** - * Implementation of database_t.destroy - */ -static void destroy(private_mysql_database_t *this) +METHOD(database_t, destroy, void, + private_mysql_database_t *this) { this->pool->destroy_function(this->pool, (void*)conn_destroy); this->mutex->destroy(this->mutex); @@ -677,12 +669,16 @@ mysql_database_t *mysql_database_create(char *uri) return NULL; } - this = malloc_thing(private_mysql_database_t); - - this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query; - this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute; - this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; - this->public.db.destroy = (void(*)(database_t*))destroy; + INIT(this, + .public = { + .db = { + .query = _query, + .execute = _execute, + .get_driver = _get_driver, + .destroy = _destroy, + }, + }, + ); if (!parse_uri(this, uri)) { diff --git a/src/libstrongswan/plugins/mysql/mysql_plugin.c b/src/libstrongswan/plugins/mysql/mysql_plugin.c index a13aa8091..65d8681cb 100644 --- a/src/libstrongswan/plugins/mysql/mysql_plugin.c +++ b/src/libstrongswan/plugins/mysql/mysql_plugin.c @@ -32,10 +32,8 @@ struct private_mysql_plugin_t { mysql_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_mysql_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_mysql_plugin_t *this) { lib->db->remove_database(lib->db, (database_constructor_t)mysql_database_create); 
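Review bot: `METHOD(database_t, get_driver,db_driver_t,` is missing the space after the second comma that every other METHOD() invocation in this commit has, which also defeats a plain `grep "get_driver, "` across plugins. `METHOD(database_t, get_driver, db_driver_t,` keeps the macro lines uniform. The destroy and mysql_database_create hunks on the same line are consistent and need nothing.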
@@ -56,8 +54,13 @@ plugin_t *mysql_plugin_create() return NULL; } - this = malloc_thing(private_mysql_plugin_t); - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->db->add_database(lib->db, (database_constructor_t)mysql_database_create); diff --git a/src/libstrongswan/plugins/openssl/Makefile.in b/src/libstrongswan/plugins/openssl/Makefile.in index a32418b16..b43be29f1 100644 --- a/src/libstrongswan/plugins/openssl/Makefile.in +++ b/src/libstrongswan/plugins/openssl/Makefile.in @@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c index b9d97a901..58401faa5 100644 --- a/src/libstrongswan/plugins/openssl/openssl_crl.c +++ b/src/libstrongswan/plugins/openssl/openssl_crl.c @@ -382,6 +382,8 @@ static private_openssl_crl_t *create_empty() }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, + .is_delta_crl = (void*)return_false, + .create_delta_crl_uri_enumerator = (void*)enumerator_create_empty, .create_enumerator = _create_enumerator, }, }, 
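Review bot: `.is_delta_crl = (void*)return_false` together with `.create_delta_crl_uri_enumerator = (void*)enumerator_create_empty` reports every CRL parsed by this plugin as a complete CRL with no delta references, so nothing in create_empty distinguishes a delta CRL from a base CRL; whether a delta CRL is refused rather than misread now depends on its (always critical) deltaCRLIndicator extension reaching the `default:` branch added to parse_extensions in the next hunk, which holds only if no case above that hunk handles it — not visible here. A comment on these two lines, `/* delta CRLs are not parsed; a critical deltaCRLIndicator is refused in parse_extensions when enforce_critical is set */`, records the limitation and the dependency. The `(void*)` casts also silence the prototype check on these two function pointers, so the compiler cannot catch a later signature change in crl_t.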
@@ -458,7 +460,14 @@ static bool parse_extensions(private_openssl_crl_t *this) ok = parse_crlNumber_ext(this, ext); break; default: - ok = TRUE; + ok = X509_EXTENSION_get_critical(ext) == 0 || + !lib->settings->get_bool(lib->settings, + "libstrongswan.x509.enforce_critical", TRUE); + if (!ok) + { + DBG1(DBG_LIB, "found unsupported critical X.509 " + "CRL extension"); + } break; } if (!ok) diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c index 0ab4eda9c..0050572ee 100644 --- a/src/libstrongswan/plugins/openssl/openssl_plugin.c +++ b/src/libstrongswan/plugins/openssl/openssl_plugin.c @@ -41,6 +41,8 @@ #include "openssl_x509.h" #include "openssl_crl.h" +static const char *plugin_name = "openssl"; + typedef struct private_openssl_plugin_t private_openssl_plugin_t; /** 
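Review bot: The new `default:` branch correctly refuses unsupported critical extensions, but the DBG1 message gives the operator nothing to identify which extension tripped it, so a CRL that suddenly stops loading after this upgrade is hard to diagnose. The OID is available from `X509_EXTENSION_get_object(ext)`; formatting it with `OBJ_obj2txt(oid, sizeof(oid), X509_EXTENSION_get_object(ext), 1)` into a small local buffer and appending ` %s` to the message names it. The parse_extensions hunk of openssl_x509.c at -765 further down has the identical branch and message and should get the same treatment. The `if (!ok)` handling after the switch is outside the hunk.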
@@ -272,85 +274,85 @@ plugin_t *openssl_plugin_create() } /* crypter */ - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_CAMELLIA_CBC, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_3DES, + lib->crypto->add_crypter(lib->crypto, ENCR_3DES, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_RC5, + lib->crypto->add_crypter(lib->crypto, ENCR_RC5, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, + lib->crypto->add_crypter(lib->crypto, ENCR_IDEA, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_CAST, + lib->crypto->add_crypter(lib->crypto, ENCR_CAST, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, + lib->crypto->add_crypter(lib->crypto, ENCR_BLOWFISH, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES, + lib->crypto->add_crypter(lib->crypto, ENCR_DES, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, + lib->crypto->add_crypter(lib->crypto, ENCR_DES_ECB, plugin_name, (crypter_constructor_t)openssl_crypter_create); - lib->crypto->add_crypter(lib->crypto, ENCR_NULL, + lib->crypto->add_crypter(lib->crypto, ENCR_NULL, plugin_name, (crypter_constructor_t)openssl_crypter_create); /* hasher */ - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD2, + lib->crypto->add_hasher(lib->crypto, 
HASH_MD2, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD4, + lib->crypto->add_hasher(lib->crypto, HASH_MD4, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)openssl_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)openssl_hasher_create); /* prf */ - lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name, (prf_constructor_t)openssl_sha1_prf_create); /* (ec) diffie hellman */ - lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, + lib->crypto->add_dh(lib->crypto, MODP_2048_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_224, + lib->crypto->add_dh(lib->crypto, MODP_2048_224, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_2048_256, + lib->crypto->add_dh(lib->crypto, MODP_2048_256, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1536_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); #ifndef OPENSSL_NO_EC - lib->crypto->add_dh(lib->crypto, ECP_256_BIT, + lib->crypto->add_dh(lib->crypto, 
ECP_256_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_384_BIT, + lib->crypto->add_dh(lib->crypto, ECP_384_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_521_BIT, + lib->crypto->add_dh(lib->crypto, ECP_521_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_224_BIT, + lib->crypto->add_dh(lib->crypto, ECP_224_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, ECP_192_BIT, + lib->crypto->add_dh(lib->crypto, ECP_192_BIT, plugin_name, (dh_constructor_t)openssl_ec_diffie_hellman_create); #endif /* OPENSSL_NO_EC */ - lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, + lib->crypto->add_dh(lib->crypto, MODP_3072_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, + lib->crypto->add_dh(lib->crypto, MODP_4096_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, + lib->crypto->add_dh(lib->crypto, MODP_6144_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, + lib->crypto->add_dh(lib->crypto, MODP_8192_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, + lib->crypto->add_dh(lib->crypto, MODP_1024_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_1024_160, + lib->crypto->add_dh(lib->crypto, MODP_1024_160, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_768_BIT, + lib->crypto->add_dh(lib->crypto, MODP_768_BIT, plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); - lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, + lib->crypto->add_dh(lib->crypto, MODP_CUSTOM, 
plugin_name, (dh_constructor_t)openssl_diffie_hellman_create); /* rsa */ diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c index aa39bc93d..f7495b2ae 100644 --- a/src/libstrongswan/plugins/openssl/openssl_x509.c +++ b/src/libstrongswan/plugins/openssl/openssl_x509.c @@ -84,7 +84,7 @@ struct private_openssl_x509_t { /** * Pathlen constraint */ - int pathlen; + u_char pathlen; /** * certificate subject @@ -137,7 +137,7 @@ struct private_openssl_x509_t { linked_list_t *issuerAltNames; /** - * List of CRL URIs + * List of CRL URIs, as x509_cdp_t */ linked_list_t *crl_uris; @@ -152,6 +152,16 @@ struct private_openssl_x509_t { refcount_t ref; }; +/** + * Destroy a CRL URI struct + */ +static void crl_uri_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} + /** * Convert a GeneralName to an identification_t. */ @@ -240,10 +250,16 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t, return chunk_empty; } -METHOD(x509_t, get_pathLenConstraint, int, - private_openssl_x509_t *this) +METHOD(x509_t, get_constraint, u_int, + private_openssl_x509_t *this, x509_constraint_t type) { - return this->pathlen; + switch (type) + { + case X509_PATH_LEN: + return this->pathlen; + default: + return X509_NO_CONSTRAINT; + } } METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, @@ -264,13 +280,6 @@ METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, return this->ocsp_uris->create_enumerator(this->ocsp_uris); } -METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, - private_openssl_x509_t *this) -{ - /* TODO */ - return enumerator_create_empty(); -} - METHOD(certificate_t, get_type, certificate_type_t, private_openssl_x509_t *this) { 
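Review bot: `u_char pathlen` now also has to hold `X509_NO_CONSTRAINT` (assigned in create_empty and parse_basicConstraints_ext in the hunks below), and get_constraint returns it widened to `u_int`, so the round-trip is only exact if X509_NO_CONSTRAINT fits in 8 bits — an assumption stated nowhere in the file. A comment on the field, `/* 0..127, or X509_NO_CONSTRAINT (must fit in u_char) */`, documents it. get_constraint's Doxygen header, outside the hunk, could likewise say that every x509_constraint_t other than X509_PATH_LEN answers X509_NO_CONSTRAINT.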
@@ -483,7 +492,7 @@ METHOD(certificate_t, destroy, void, offsetof(identification_t, destroy)); this->issuerAltNames->destroy_offset(this->issuerAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, free); + this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); free(this); } @@ -517,18 +526,21 @@ static private_openssl_x509_t *create_empty() .get_serial = _get_serial, .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, .get_authKeyIdentifier = _get_authKeyIdentifier, - .get_pathLenConstraint = _get_pathLenConstraint, + .get_constraint = _get_constraint, .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, .create_crl_uri_enumerator = _create_crl_uri_enumerator, .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, - .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, + .create_ipAddrBlock_enumerator = (void*)enumerator_create_empty, + .create_name_constraint_enumerator = (void*)enumerator_create_empty, + .create_cert_policy_enumerator = (void*)enumerator_create_empty, + .create_policy_mapping_enumerator = (void*)enumerator_create_empty, }, }, .subjectAltNames = linked_list_create(), .issuerAltNames = linked_list_create(), .crl_uris = linked_list_create(), .ocsp_uris = linked_list_create(), - .pathlen = X509_NO_PATH_LEN_CONSTRAINT, + .pathlen = X509_NO_CONSTRAINT, .ref = 1, ); @@ -574,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this, X509_EXTENSION *ext) { BASIC_CONSTRAINTS *constraints; + long pathlen; constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext); if (constraints) 
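Review bot: create_empty now wires create_name_constraint_enumerator, create_cert_policy_enumerator and create_policy_mapping_enumerator to `(void*)enumerator_create_empty`, so a caller asking this plugin's x509_t for name constraints or policies always gets an empty answer and validates as if none were present. That is only safe because the enforce_critical default added in this file's parse_extensions hunk rejects such extensions when they are marked critical (nameConstraints must be critical per RFC 5280; certificatePolicies frequently is not, so policy checks silently see nothing). A comment above these four lines, `/* not parsed by this plugin: critical instances are refused in parse_extensions, non-critical ones are ignored */`, makes the gap explicit. `.pathlen = X509_NO_CONSTRAINT` is consistent with the field change in the earlier hunk.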
@@ -584,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this, } if (constraints->pathlen) { - this->pathlen = ASN1_INTEGER_get(constraints->pathlen); + + pathlen = ASN1_INTEGER_get(constraints->pathlen); + this->pathlen = (pathlen >= 0 && pathlen < 128) ? + pathlen : X509_NO_CONSTRAINT; } BASIC_CONSTRAINTS_free(constraints); return TRUE; @@ -600,9 +616,10 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { CRL_DIST_POINTS *cdps; DIST_POINT *cdp; - identification_t *id; + identification_t *id, *issuer; + x509_cdp_t *entry; char *uri; - int i, j, point_num, name_num; + int i, j, k, point_num, name_num, issuer_num; cdps = X509V3_EXT_d2i(ext); if (!cdps) @@ -627,12 +644,38 @@ static bool parse_crlDistributionPoints_ext(private_openssl_x509_t *this, { if (asprintf(&uri, "%Y", id) > 0) { - this->crl_uris->insert_first(this->crl_uris, uri); + if (cdp->CRLissuer) + { + issuer_num = sk_GENERAL_NAME_num(cdp->CRLissuer); + for (k = 0; k < issuer_num; k++) + { + issuer = general_name2id( + sk_GENERAL_NAME_value(cdp->CRLissuer, k)); + if (issuer) + { + INIT(entry, + .uri = strdup(uri), + .issuer = issuer, + ); + this->crl_uris->insert_last( + this->crl_uris, entry); + } + } + free(uri); + } + else + { + INIT(entry, + .uri = uri, + ); + this->crl_uris->insert_last(this->crl_uris, entry); + } } id->destroy(id); } } } + DIST_POINT_free(cdp); } } @@ -765,7 +808,13 @@ static bool parse_extensions(private_openssl_x509_t *this) ok = parse_crlDistributionPoints_ext(this, ext); break; default: - ok = TRUE; + ok = X509_EXTENSION_get_critical(ext) == 0 || + !lib->settings->get_bool(lib->settings, + "libstrongswan.x509.enforce_critical", TRUE); + if (!ok) + { + DBG1(DBG_LIB, "found unsupported critical X.509 extension"); + } break; } if (!ok) 
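Review bot: An out-of-range `pathLenConstraint` is now mapped to `X509_NO_CONSTRAINT`, i.e. a malformed basicConstraints (negative value, which is also what `ASN1_INTEGER_get()` returns on failure) ends up granting an unconstrained CA rather than being refused; the permissive direction is the wrong default for a parser of untrusted input. Values of 128 and above can reasonably collapse to "no constraint" since the field cannot hold them, but a negative value should fail the parse with a log line. The stray blank line after `{` should also go. The function's remaining lines (`BASIC_CONSTRAINTS_free(constraints); return TRUE;`) are visible in the hunk and unchanged.
```c
			if (constraints->pathlen)
			{
				pathlen = ASN1_INTEGER_get(constraints->pathlen);
				if (pathlen < 0)
				{	/* malformed, or ASN1_INTEGER_get() failed: refuse rather than widen */
					DBG1(DBG_LIB, "invalid pathLenConstraint in basicConstraints");
					BASIC_CONSTRAINTS_free(constraints);
					return FALSE;
				}
				/* u_char field: anything >= 128 is treated as unconstrained */
				this->pathlen = pathlen < 128 ? pathlen : X509_NO_CONSTRAINT;
			}
			/* … unchanged: BASIC_CONSTRAINTS_free(constraints); return TRUE; … */
```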
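Review bot: The added `DIST_POINT_free(cdp);` releases each element taken from the `cdps` stack inside the loop, which is correct only if the stack is later released with `sk_DIST_POINT_free(cdps)` (does not free elements); if parse_crlDistributionPoints_ext ends with `CRL_DIST_POINTS_free(cdps)`, which frees the elements as well, every distribution point is freed twice. The tail of the function is outside the hunk, so please check which call is used: with the pop_free variant the new line must go, otherwise a comment `/* elements freed here; the stack itself with sk_DIST_POINT_free() */` keeps the next reader from re-introducing the double free. The CRLissuer branch itself is fine: the shared `uri` is duplicated per issuer and freed once.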
@@ -823,6 +872,13 @@ static bool parse_certificate(private_openssl_x509_t *this) { return FALSE; } + if (X509_get_version(this->x509) < 0 || X509_get_version(this->x509) > 2) + { + DBG1(DBG_LIB, "unsupported x509 version: %d", + X509_get_version(this->x509) + 1); + return FALSE; + } + this->subject = openssl_x509_name2id(X509_get_subject_name(this->x509)); this->issuer = openssl_x509_name2id(X509_get_issuer_name(this->x509)); @@ -866,7 +922,7 @@ static bool parse_certificate(private_openssl_x509_t *this) if (!parse_extensions(this)) { - return TRUE; + return FALSE; } parse_extKeyUsage(this); diff --git a/src/libstrongswan/plugins/padlock/Makefile.in b/src/libstrongswan/plugins/padlock/Makefile.in index 46953f681..7c89d0abd 100644 --- a/src/libstrongswan/plugins/padlock/Makefile.in +++ b/src/libstrongswan/plugins/padlock/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/padlock/padlock_plugin.c b/src/libstrongswan/plugins/padlock/padlock_plugin.c index 027c53c7b..695823acf 100644 --- a/src/libstrongswan/plugins/padlock/padlock_plugin.c +++ b/src/libstrongswan/plugins/padlock/padlock_plugin.c @@ -23,6 +23,8 @@ #include #include +static const char *plugin_name = "padlock"; + typedef struct private_padlock_plugin_t private_padlock_plugin_t; typedef enum padlock_feature_t padlock_feature_t; 
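Review bot: `X509_get_version()` returns a `long`, and the new DBG1 passes `X509_get_version(this->x509) + 1` to a `%d` conversion, a format/argument type mismatch that the C standard leaves undefined even where common ABIs happen to print it correctly; the function is also called three times for one value. Fetch it once, `long version = X509_get_version(this->x509);`, test `version < 0 || version > 2`, and log `"unsupported x509 version: %ld", version + 1`. The `return TRUE` → `return FALSE` fix for a failed parse_extensions in the -866 hunk is the right call and needs no change. parse_certificate continues beyond both hunks.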
@@ -161,21 +163,21 @@ plugin_t *padlock_plugin_create() if (this->features & PADLOCK_RNG_ENABLED) { - lib->crypto->add_rng(lib->crypto, RNG_TRUE, + lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)padlock_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_STRONG, + lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)padlock_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_WEAK, + lib->crypto->add_rng(lib->crypto, RNG_WEAK, plugin_name, (rng_constructor_t)padlock_rng_create); } if (this->features & PADLOCK_ACE2_ENABLED) { - lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, + lib->crypto->add_crypter(lib->crypto, ENCR_AES_CBC, plugin_name, (crypter_constructor_t)padlock_aes_crypter_create); } if (this->features & PADLOCK_PHE_ENABLED) { - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)padlock_sha1_hasher_create); } return &this->public.plugin; diff --git a/src/libstrongswan/plugins/pem/Makefile.in b/src/libstrongswan/plugins/pem/Makefile.in index cf5acdd1c..60740eb35 100644 --- a/src/libstrongswan/plugins/pem/Makefile.in +++ b/src/libstrongswan/plugins/pem/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pem/pem_encoder.c b/src/libstrongswan/plugins/pem/pem_encoder.c index e255d6fd0..9c8237e4d 100644 --- a/src/libstrongswan/plugins/pem/pem_encoder.c 
+++ b/src/libstrongswan/plugins/pem/pem_encoder.c @@ -111,7 +111,7 @@ bool pem_encoder_encode(cred_encoding_type_t type, chunk_t *encoding, } /* compute and allocate maximum size of PEM object */ - pem_chars = 4*(asn1.len + 2)/3; + pem_chars = 4 * ((asn1.len + 2) / 3); pem_lines = (asn1.len + BYTES_PER_LINE - 1) / BYTES_PER_LINE; *encoding = chunk_alloc(5 + 2*(6 + strlen(label) + 6) + 3 + pem_chars + pem_lines); pos = encoding->ptr; diff --git a/src/libstrongswan/plugins/pem/pem_plugin.c b/src/libstrongswan/plugins/pem/pem_plugin.c index 83efb155b..f2415a318 100644 --- a/src/libstrongswan/plugins/pem/pem_plugin.c +++ b/src/libstrongswan/plugins/pem/pem_plugin.c @@ -33,10 +33,8 @@ struct private_pem_plugin_t { pem_plugin_t public; }; -/** - * Implementation of pem_plugin_t.pemtroy - */ -static void destroy(private_pem_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pem_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pem_private_key_load); @@ -52,9 +50,15 @@ static void destroy(private_pem_plugin_t *this) */ plugin_t *pem_plugin_create() { - private_pem_plugin_t *this = malloc_thing(private_pem_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_pem_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); /* register private key PEM decoding builders */ lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_ANY, FALSE, diff --git a/src/libstrongswan/plugins/pgp/Makefile.in b/src/libstrongswan/plugins/pgp/Makefile.in index 0098147a9..ab14f8ced 100644 --- a/src/libstrongswan/plugins/pgp/Makefile.in +++ b/src/libstrongswan/plugins/pgp/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pgp/pgp_plugin.c b/src/libstrongswan/plugins/pgp/pgp_plugin.c index 41e0a5df6..eaf0a1088 100644 --- a/src/libstrongswan/plugins/pgp/pgp_plugin.c +++ b/src/libstrongswan/plugins/pgp/pgp_plugin.c @@ -33,10 +33,8 @@ struct private_pgp_plugin_t { pgp_plugin_t public; }; -/** - * Implementation of pgp_plugin_t.pgptroy - */ -static void destroy(private_pgp_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pgp_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pgp_public_key_load); @@ -56,10 +54,15 @@ static void destroy(private_pgp_plugin_t *this) */ plugin_t *pgp_plugin_create() { - private_pgp_plugin_t *this = malloc_thing(private_pgp_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; - + private_pgp_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pgp_public_key_load); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, FALSE, @@ -68,10 +71,8 @@ plugin_t *pgp_plugin_create() (builder_function_t)pgp_private_key_load); lib->creds->add_builder(lib->creds, CRED_PRIVATE_KEY, KEY_RSA, FALSE, (builder_function_t)pgp_private_key_load); - lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_GPG, FALSE, (builder_function_t)pgp_cert_load); - lib->encoding->add_encoder(lib->encoding, pgp_encoder_encode); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/pkcs1/Makefile.in b/src/libstrongswan/plugins/pkcs1/Makefile.in index 8b41499a7..8ed4a08e9 100644 --- a/src/libstrongswan/plugins/pkcs1/Makefile.in 
+++ b/src/libstrongswan/plugins/pkcs1/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c index d3afb5c67..33732f8a4 100644 --- a/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c +++ b/src/libstrongswan/plugins/pkcs1/pkcs1_plugin.c @@ -32,10 +32,8 @@ struct private_pkcs1_plugin_t { pkcs1_plugin_t public; }; -/** - * Implementation of pkcs1_plugin_t.pkcs1troy - */ -static void destroy(private_pkcs1_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pkcs1_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pkcs1_public_key_load); @@ -52,9 +50,15 @@ static void destroy(private_pkcs1_plugin_t *this) */ plugin_t *pkcs1_plugin_create() { - private_pkcs1_plugin_t *this = malloc_thing(private_pkcs1_plugin_t); + private_pkcs1_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_PUBLIC_KEY, KEY_ANY, FALSE, (builder_function_t)pkcs1_public_key_load); diff --git a/src/libstrongswan/plugins/pkcs11/Makefile.in b/src/libstrongswan/plugins/pkcs11/Makefile.in index c27310910..6c03b0497 100644 --- a/src/libstrongswan/plugins/pkcs11/Makefile.in +++ b/src/libstrongswan/plugins/pkcs11/Makefile.in 
@@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c index 1b1448c6a..a81ec1147 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_creds.c @@ -55,19 +55,20 @@ struct private_pkcs11_creds_t { * Find certificates, optionally trusted */ static void find_certificates(private_pkcs11_creds_t *this, - CK_SESSION_HANDLE session, CK_BBOOL trusted) + CK_SESSION_HANDLE session) { CK_OBJECT_CLASS class = CKO_CERTIFICATE; CK_CERTIFICATE_TYPE type = CKC_X_509; + CK_BBOOL trusted = TRUE; CK_ATTRIBUTE tmpl[] = { {CKA_CLASS, &class, sizeof(class)}, {CKA_CERTIFICATE_TYPE, &type, sizeof(type)}, - {CKA_TRUSTED, &trusted, sizeof(trusted)}, }; CK_OBJECT_HANDLE object; CK_ATTRIBUTE attr[] = { {CKA_VALUE, NULL, 0}, {CKA_LABEL, NULL, 0}, + {CKA_TRUSTED, &trusted, sizeof(trusted)} }; enumerator_t *enumerator; linked_list_t *raw; 
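Review bot: `CK_BBOOL trusted = TRUE;` now doubles as the output buffer for the CKA_TRUSTED attribute, but when the library lacks PKCS11_TRUSTED_CERTS that attribute is dropped from the query (`count--` in the -75 hunk) and the variable is never written, so `entry->trusted = trusted` marks every certificate on such a token as trusted and they all land in `this->trusted`. The previous code ran two separate queries with CK_TRUE and CK_FALSE templates and could not reach that state. Default to the restrictive value, `CK_BBOOL trusted = FALSE;`, and reset it before each `enumerate` call so an object that lacks CKA_TRUSTED does not inherit the previous object's value (assuming the enumerator leaves the buffer untouched for absent attributes — not visible here). find_certificates continues in the following hunks.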
@@ -75,11 +76,19 @@ static void find_certificates(private_pkcs11_creds_t *this, struct { chunk_t value; chunk_t label; + bool trusted; } *entry; + int count = countof(attr); + /* store result in a temporary list, avoid recursive operation */ raw = linked_list_create(); + /* do not use trusted argument if not supported */ + if (!(this->lib->get_features(this->lib) & PKCS11_TRUSTED_CERTS)) + { + count--; + } enumerator = this->lib->create_object_enumerator(this->lib, - session, tmpl, countof(tmpl), attr, countof(attr)); + session, tmpl, countof(tmpl), attr, count); while (enumerator->enumerate(enumerator, &object)) { entry = malloc(sizeof(*entry)); @@ -87,6 +96,7 @@ static void find_certificates(private_pkcs11_creds_t *this, chunk_create(attr[0].pValue, attr[0].ulValueLen)); entry->label = chunk_clone( chunk_create(attr[1].pValue, attr[1].ulValueLen)); + entry->trusted = trusted; raw->insert_last(raw, entry); } enumerator->destroy(enumerator); @@ -99,10 +109,10 @@ static void find_certificates(private_pkcs11_creds_t *this, if (cert) { DBG1(DBG_CFG, " loaded %strusted cert '%.*s'", - trusted ? "" : "un", entry->label.len, entry->label.ptr); + entry->trusted ? "" : "un", entry->label.len, entry->label.ptr); /* trusted certificates are also returned as untrusted */ this->untrusted->insert_last(this->untrusted, cert); - if (trusted) + if (entry->trusted) { this->trusted->insert_last(this->trusted, cert->get_ref(cert)); } @@ -135,8 +145,7 @@ static bool load_certificates(private_pkcs11_creds_t *this) return FALSE; } - find_certificates(this, session, CK_TRUE); - find_certificates(this, session, CK_FALSE); + find_certificates(this, session); this->lib->f->C_CloseSession(session); return TRUE; diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c index 9fb1b7769..6f7926808 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.c 
@@ -466,6 +466,11 @@ struct private_pkcs11_library_t { * Name as passed to the constructor */ char *name; + + /** + * Supported feature set + */ + pkcs11_feature_t features; }; METHOD(pkcs11_library_t, get_name, char*, @@ -474,6 +479,12 @@ METHOD(pkcs11_library_t, get_name, char*, return this->name; } +METHOD(pkcs11_library_t, get_features, pkcs11_feature_t, + private_pkcs11_library_t *this) +{ + return this->features; +} + /** * Object enumerator */ @@ -765,20 +776,46 @@ static CK_RV UnlockMutex(CK_VOID_PTR data) return CKR_OK; } +/** + * Check if the library has at least a given cryptoki version + */ +static bool has_version(CK_INFO *info, int major, int minor) +{ + return info->cryptokiVersion.major > major || + (info->cryptokiVersion.major == major && + info->cryptokiVersion.minor >= minor); +} + +/** + * Check for optional PKCS#11 library functionality + */ +static void check_features(private_pkcs11_library_t *this, CK_INFO *info) +{ + if (has_version(info, 2, 20)) + { + this->features |= PKCS11_TRUSTED_CERTS; + this->features |= PKCS11_ALWAYS_AUTH_KEYS; + } +} + /** * Initialize a PKCS#11 library */ -static bool initialize(private_pkcs11_library_t *this, char *name, char *file) +static bool initialize(private_pkcs11_library_t *this, char *name, char *file, + bool os_locking) { CK_C_GetFunctionList pC_GetFunctionList; CK_INFO info; CK_RV rv; - CK_C_INITIALIZE_ARGS args = { + static CK_C_INITIALIZE_ARGS args = { .CreateMutex = CreateMutex, .DestroyMutex = DestroyMutex, .LockMutex = LockMutex, .UnlockMutex = UnlockMutex, }; + static CK_C_INITIALIZE_ARGS args_os = { + .flags = CKF_OS_LOCKING_OK, + }; pC_GetFunctionList = dlsym(this->handle, "C_GetFunctionList"); if (!pC_GetFunctionList) 
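Review bot: check_features gates both feature bits on a single version comparison, and the comment does not say why 2.20 is the threshold; since callers in pkcs11_creds.c and pkcs11_private_key.c drop attributes from their templates based on these bits, the reasoning should be visible at the definition: `/* CKA_TRUSTED and CKA_ALWAYS_AUTHENTICATE were introduced with PKCS#11 v2.20; older libraries reject templates containing unknown attributes */`. has_version and check_features only read from `info`, so `const CK_INFO *info` documents that and lets the `@@ -826` call site pass a const pointer. Where `info` gets populated is outside this hunk; the `@@ -826` hunk calls check_features after the library version has already been logged from it, which suggests it is filled by then, but a one-line note at the call (`/* info was filled by C_GetInfo() above */`) would make that dependency explicit.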
@@ -793,14 +830,19 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file) name, ck_rv_names, rv); return FALSE; } - - rv = this->public.f->C_Initialize(&args); - if (rv == CKR_CANT_LOCK) - { /* try OS locking */ - memset(&args, 0, sizeof(args)); - args.flags = CKF_OS_LOCKING_OK; + if (os_locking) + { + rv = CKR_CANT_LOCK; + } + else + { rv = this->public.f->C_Initialize(&args); } + if (rv == CKR_CANT_LOCK) + { /* fallback to OS locking */ + os_locking = TRUE; + rv = this->public.f->C_Initialize(&args_os); + } if (rv != CKR_OK) { DBG1(DBG_CFG, "C_Initialize() error for '%s': %N", @@ -826,23 +868,26 @@ static bool initialize(private_pkcs11_library_t *this, char *name, char *file) DBG1(DBG_CFG, " %s: %s v%d.%d", info.manufacturerID, info.libraryDescription, info.libraryVersion.major, info.libraryVersion.minor); - if (args.flags & CKF_OS_LOCKING_OK) + if (os_locking) { DBG1(DBG_CFG, " uses OS locking functions"); } + + check_features(this, &info); return TRUE; } /** * See header */ -pkcs11_library_t *pkcs11_library_create(char *name, char *file) +pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking) { private_pkcs11_library_t *this; INIT(this, .public = { .get_name = _get_name, + .get_features = _get_features, .create_object_enumerator = _create_object_enumerator, .create_mechanism_enumerator = _create_mechanism_enumerator, .destroy = _destroy, @@ -858,7 +903,7 @@ pkcs11_library_t *pkcs11_library_create(char *name, char *file) return NULL; } - if (!initialize(this, name, file)) + if (!initialize(this, name, file, os_locking)) { dlclose(this->handle); free(this); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h index 1457d24d4..abe023448 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_library.h +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_library.h 
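Review bot: The forced OS-locking path in initialize assigns the sentinel `rv = CKR_CANT_LOCK;` purely so that the next `if (rv == CKR_CANT_LOCK)` takes the fallback branch, which reads as an error condition that never happened. The same control flow is clearer as `if (!os_locking) { rv = this->public.f->C_Initialize(&args); }` followed by `if (os_locking || rv == CKR_CANT_LOCK) { os_locking = TRUE; rv = this->public.f->C_Initialize(&args_os); }`, with no synthetic return code. The two argument structs were also made `static` in the previous hunk without a comment; if that is because some libraries keep the pointer passed to C_Initialize beyond the call, a short `/* some libraries retain the args pointer */` at the declaration would prevent a later "cleanup" back to automatic storage.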
@@ -21,6 +21,7 @@ #ifndef PKCS11_LIBRARY_H_ #define PKCS11_LIBRARY_H_ +typedef enum pkcs11_feature_t pkcs11_feature_t; typedef struct pkcs11_library_t pkcs11_library_t; #include "pkcs11.h" @@ -28,6 +29,16 @@ typedef struct pkcs11_library_t pkcs11_library_t; #include #include +/** + * Optional PKCS#11 features some libraries support, some not + */ +enum pkcs11_feature_t { + /** CKA_TRUSTED attribute supported for certificate objects */ + PKCS11_TRUSTED_CERTS = (1<<0), + /** CKA_ALWAYS_AUTHENTICATE attribute supported for private keys */ + PKCS11_ALWAYS_AUTH_KEYS = (1<<1), +}; + /** * A loaded and initialized PKCS#11 library. */ @@ -45,6 +56,13 @@ struct pkcs11_library_t { */ char* (*get_name)(pkcs11_library_t *this); + /** + * Get the feature set supported by this library. + * + * @return ORed set of features supported + */ + pkcs11_feature_t (*get_features)(pkcs11_library_t *this); + /** * Create an enumerator over CK_OBJECT_HANDLE using a search template. * @@ -103,8 +121,9 @@ void pkcs11_library_trim(char *str, int len); * * @param name an arbitrary name, for debugging * @param file pkcs11 library file to dlopen() + * @param os_lock enforce OS Locking for this library * @return library abstraction */ -pkcs11_library_t *pkcs11_library_create(char *name, char *file); +pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_lock); #endif /** PKCS11_LIBRARY_H_ @}*/ diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c index 0c27600a6..9308e9c25 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_manager.c 
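Review bot: The new prototype `pkcs11_library_create(char *name, char *file, bool os_lock)` and its `@param os_lock` documentation use a different parameter name than the definition in pkcs11_library.c, which spells it `os_locking`; keeping the prototype parameter name identical to the definition avoids a mismatch between the Doxygen text and the implementation: `pkcs11_library_t *pkcs11_library_create(char *name, char *file, bool os_locking);` with `@param os_locking enforce OS locking for this library`. The get_features documentation could also state where the value comes from, since callers rely on it to decide which attributes to request: `@return ORed set of features, derived from the cryptoki version reported at initialization`.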
@@ -373,7 +373,10 @@ pkcs11_manager_t *pkcs11_manager_create(pkcs11_manager_token_event_t cb, free(entry); continue; } - entry->lib = pkcs11_library_create(module, entry->path); + entry->lib = pkcs11_library_create(module, entry->path, + lib->settings->get_bool(lib->settings, + "libstrongswan.plugins.pkcs11.modules.%s.os_locking", + FALSE, module)); if (!entry->lib) { free(entry); diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c index ace405c23..071d2f782 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_plugin.c @@ -26,6 +26,8 @@ #include "pkcs11_public_key.h" #include "pkcs11_hasher.h" +static const char *plugin_name = "pkcs11"; + typedef struct private_pkcs11_plugin_t private_pkcs11_plugin_t; /** @@ -146,17 +148,17 @@ plugin_t *pkcs11_plugin_create() if (lib->settings->get_bool(lib->settings, "libstrongswan.plugins.pkcs11.use_hasher", FALSE)) { - lib->crypto->add_hasher(lib->crypto, HASH_MD2, + lib->crypto->add_hasher(lib->crypto, HASH_MD2, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_MD5, + lib->crypto->add_hasher(lib->crypto, HASH_MD5, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)pkcs11_hasher_create); } 
diff --git a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c index cabca3f54..b4cc7a805 100644 --- a/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c +++ b/src/libstrongswan/plugins/pkcs11/pkcs11_private_key.c @@ -401,30 +401,36 @@ static bool find_key(private_pkcs11_private_key_t *this, chunk_t keyid) }; CK_OBJECT_HANDLE object; CK_KEY_TYPE type; - CK_BBOOL reauth; + CK_BBOOL reauth = FALSE; CK_ATTRIBUTE attr[] = { {CKA_KEY_TYPE, &type, sizeof(type)}, - {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}, {CKA_MODULUS, NULL, 0}, {CKA_PUBLIC_EXPONENT, NULL, 0}, + {CKA_ALWAYS_AUTHENTICATE, &reauth, sizeof(reauth)}, }; enumerator_t *enumerator; chunk_t modulus, pubexp; + int count = countof(attr); + /* do not use CKA_ALWAYS_AUTHENTICATE if not supported */ + if (!(this->lib->get_features(this->lib) & PKCS11_ALWAYS_AUTH_KEYS)) + { + count--; + } enumerator = this->lib->create_object_enumerator(this->lib, - this->session, tmpl, countof(tmpl), attr, countof(attr)); + this->session, tmpl, countof(tmpl), attr, count); if (enumerator->enumerate(enumerator, &object)) { switch (type) { case CKK_RSA: - if (attr[2].ulValueLen == -1 || attr[3].ulValueLen == -1) + if (attr[1].ulValueLen == -1 || attr[2].ulValueLen == -1) { DBG1(DBG_CFG, "reading modulus/exponent from PKCS#1 failed"); break; } - modulus = chunk_create(attr[2].pValue, attr[2].ulValueLen); - pubexp = chunk_create(attr[3].pValue, attr[3].ulValueLen); + modulus = chunk_create(attr[1].pValue, attr[1].ulValueLen); + pubexp = chunk_create(attr[2].pValue, attr[2].ulValueLen); this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_RSA, BUILD_RSA_MODULUS, modulus, BUILD_RSA_PUB_EXP, pubexp, BUILD_END); diff --git a/src/libstrongswan/plugins/plugin_loader.c b/src/libstrongswan/plugins/plugin_loader.c index e1427bf15..473db5ccf 100644 --- a/src/libstrongswan/plugins/plugin_loader.c +++ b/src/libstrongswan/plugins/plugin_loader.c 
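Review bot: Reordering `attr[]` in find_key so that CKA_ALWAYS_AUTHENTICATE can be dropped by `count--` forced every index in the CKK_RSA branch to be renumbered by hand (`attr[2]`/`attr[3]` became `attr[1]`/`attr[2]`), which is exactly the kind of edit that silently breaks the next time the template changes. Name the positions once, e.g. `enum { ATTR_KEY_TYPE, ATTR_MODULUS, ATTR_PUBEXP, ATTR_REAUTH };`, and index with `attr[ATTR_MODULUS]` and `attr[ATTR_PUBEXP]`; the comment `/* do not use CKA_ALWAYS_AUTHENTICATE if not supported */` should then also say that the attribute must stay last for `count--` to remove it. Initialising `reauth = FALSE` is the right default here, since a library that does not support the attribute cannot require re-authentication; it contrasts with the `trusted = TRUE` default chosen in pkcs11_creds.c in this same commit.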
@@ -50,62 +50,77 @@ struct private_plugin_loader_t { linked_list_t *names; }; -#ifdef MONOLITHIC /** - * load a single plugin in monolithic mode + * create a plugin + * returns: NOT_FOUND, if the constructor was not found + * FAILED, if the plugin could not be constructed */ -static plugin_t* load_plugin(private_plugin_loader_t *this, - char *path, char *name) +static status_t create_plugin(private_plugin_loader_t *this, void *handle, + char *name, bool integrity, plugin_t **plugin) { char create[128]; - plugin_t *plugin; plugin_constructor_t constructor; if (snprintf(create, sizeof(create), "%s_plugin_create", name) >= sizeof(create)) { - return NULL; + return FAILED; } translate(create, "-", "_"); - constructor = dlsym(RTLD_DEFAULT, create); + constructor = dlsym(handle, create); if (constructor == NULL) { - DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name, + DBG2(DBG_LIB, "plugin '%s': failed to load - %s not found", name, create); - return NULL; + return NOT_FOUND; } - plugin = constructor(); - if (plugin == NULL) + if (integrity && lib->integrity) + { + if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + { + DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name); + return FAILED; + } + DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests", + name); + } + *plugin = constructor(); + if (*plugin == NULL) { DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name, create); - return NULL; + return FAILED; } DBG2(DBG_LIB, "plugin '%s': loaded successfully", name); - - return plugin; + return SUCCESS; } -#else + /** * load a single plugin */ static plugin_t* load_plugin(private_plugin_loader_t *this, char *path, char *name) { - char create[128]; char file[PATH_MAX]; void *handle; plugin_t *plugin; - plugin_constructor_t constructor; + + switch (create_plugin(this, RTLD_DEFAULT, name, FALSE, &plugin)) + { + case SUCCESS: + return plugin; + case NOT_FOUND: + /* try to load the plugin from a file 
*/ + break; + default: + return NULL; + } if (snprintf(file, sizeof(file), "%s/libstrongswan-%s.so", path, - name) >= sizeof(file) || - snprintf(create, sizeof(create), "%s_plugin_create", - name) >= sizeof(create)) + name) >= sizeof(file)) { return NULL; } - translate(create, "-", "_"); if (lib->integrity) { if (!lib->integrity->check_file(lib->integrity, name, file)) 
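Review bot: load_plugin now probes `create_plugin(this, RTLD_DEFAULT, name, FALSE, &plugin)` first in every build, whereas before the commit the global-symbol lookup existed only under `#ifdef MONOLITHIC`; with `integrity` set to FALSE on that path, a constructor found in the process image runs without either check_file or check_segment, and it takes precedence over the on-disk plugin that would have been checked. Whether a symbol from a previously dlopen()ed plugin can be found this way depends on the dlopen flags further down, which are outside the hunk, so this may be purely the built-in case. If that is the intent, state it where the flag is passed: `/* built-in plugins are covered by the integrity check of the loading binary; only file-based plugins get their own file/segment check */`. The body of load_plugin continues past the end of the hunk.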
@@ -121,40 +136,37 @@ static plugin_t* load_plugin(private_plugin_loader_t *this, DBG1(DBG_LIB, "plugin '%s' failed to load: %s", name, dlerror()); return NULL; } - constructor = dlsym(handle, create); - if (constructor == NULL) + if (create_plugin(this, handle, name, TRUE, &plugin) != SUCCESS) { - DBG1(DBG_LIB, "plugin '%s': failed to load - %s not found", name, - create); dlclose(handle); return NULL; } - if (lib->integrity) + /* we do not store or free dlopen() handles, leak_detective requires + * the modules to keep loaded until leak report */ + return plugin; +} + +/** + * Check if a plugin is already loaded + */ +static bool plugin_loaded(private_plugin_loader_t *this, char *name) +{ + enumerator_t *enumerator; + bool found = FALSE; + char *current; + + enumerator = this->names->create_enumerator(this->names); + while (enumerator->enumerate(enumerator, ¤t)) { - if (!lib->integrity->check_segment(lib->integrity, name, constructor)) + if (streq(name, current)) { - DBG1(DBG_LIB, "plugin '%s': failed segment integrity test", name); - dlclose(handle); - return NULL; + found = TRUE; + break; } - DBG1(DBG_LIB, "plugin '%s': passed file and segment integrity tests", - name); } - plugin = constructor(); - if (plugin == NULL) - { - DBG1(DBG_LIB, "plugin '%s': failed to load - %s returned NULL", name, - create); - dlclose(handle); - return NULL; - } - DBG2(DBG_LIB, "plugin '%s': loaded successfully", name); - - /* we do not store or free dlopen() handles, leak_detective requires - * the modules to keep loaded until leak report */ - return plugin; + enumerator->destroy(enumerator); + return found; } -#endif /** * Implementation of plugin_loader_t.load_plugins. 
@@ -165,12 +177,10 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) char *token; bool critical_failed = FALSE; -#ifndef MONOLITHIC if (path == NULL) { path = PLUGINDIR; } -#endif enumerator = enumerator_create_token(list, " ", " "); while (!critical_failed && enumerator->enumerate(enumerator, &token)) @@ -186,6 +196,11 @@ static bool load(private_plugin_loader_t *this, char *path, char *list) critical = TRUE; token[len-1] = '\0'; } + if (plugin_loaded(this, token)) + { + free(token); + continue; + } plugin = load_plugin(this, path, token); if (plugin) { diff --git a/src/libstrongswan/plugins/pubkey/Makefile.in b/src/libstrongswan/plugins/pubkey/Makefile.in index 495223855..46349f9ba 100644 --- a/src/libstrongswan/plugins/pubkey/Makefile.in +++ b/src/libstrongswan/plugins/pubkey/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c index 6f41ada2a..cc12217a4 100644 --- a/src/libstrongswan/plugins/pubkey/pubkey_plugin.c +++ b/src/libstrongswan/plugins/pubkey/pubkey_plugin.c @@ -31,10 +31,8 @@ struct private_pubkey_plugin_t { pubkey_plugin_t public; }; -/** - * Implementation of pubkey_plugin_t.pubkeytroy - */ -static void destroy(private_pubkey_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_pubkey_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)pubkey_cert_wrap); 
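Review bot: The duplicate check `if (plugin_loaded(this, token)) { free(token); continue; }` runs after the trailing `!` has already been stripped and `critical` set, so a plugin listed first as `foo` and later as `foo!` keeps only the non-critical semantics of the first occurrence, and the operator gets no indication that the second entry was ignored. Whether `this->names` contains only successfully loaded plugins is decided outside the hunk; if so, this is only a silent configuration quirk, but it still deserves a message, e.g. `DBG1(DBG_LIB, "plugin '%s' already loaded, ignoring duplicate", token);` before the `free(token)`. The enclosing load loop starts before this hunk.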
@@ -46,9 +44,15 @@ static void destroy(private_pubkey_plugin_t *this) */ plugin_t *pubkey_plugin_create() { - private_pubkey_plugin_t *this = malloc_thing(private_pubkey_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_pubkey_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_TRUSTED_PUBKEY, FALSE, (builder_function_t)pubkey_cert_wrap); diff --git a/src/libstrongswan/plugins/random/Makefile.in b/src/libstrongswan/plugins/random/Makefile.in index efd24c761..21f8aff11 100644 --- a/src/libstrongswan/plugins/random/Makefile.in +++ b/src/libstrongswan/plugins/random/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/random/random_plugin.c b/src/libstrongswan/plugins/random/random_plugin.c index 39678ba71..cc5cb0a3c 100644 --- a/src/libstrongswan/plugins/random/random_plugin.c +++ b/src/libstrongswan/plugins/random/random_plugin.c @@ -18,6 +18,8 @@ #include #include "random_rng.h" +static const char *plugin_name = "random"; + typedef struct private_random_plugin_t private_random_plugin_t; /** 
@@ -31,10 +33,8 @@ struct private_random_plugin_t { random_plugin_t public; }; -/** - * Implementation of random_plugin_t.gmptroy - */ -static void destroy(private_random_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_random_plugin_t *this) { lib->crypto->remove_rng(lib->crypto, (rng_constructor_t)random_rng_create); @@ -46,13 +46,19 @@ static void destroy(private_random_plugin_t *this) */ plugin_t *random_plugin_create() { - private_random_plugin_t *this = malloc_thing(private_random_plugin_t); + private_random_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_rng(lib->crypto, RNG_STRONG, + lib->crypto->add_rng(lib->crypto, RNG_STRONG, plugin_name, (rng_constructor_t)random_rng_create); - lib->crypto->add_rng(lib->crypto, RNG_TRUE, + lib->crypto->add_rng(lib->crypto, RNG_TRUE, plugin_name, (rng_constructor_t)random_rng_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/random/random_rng.c b/src/libstrongswan/plugins/random/random_rng.c index b09f3f57a..1d99a63d5 100644 --- a/src/libstrongswan/plugins/random/random_rng.c +++ b/src/libstrongswan/plugins/random/random_rng.c @@ -55,11 +55,8 @@ struct private_random_rng_t { char *file; }; -/** - * Implementation of random_rng_t.get_bytes. - */ -static void get_bytes(private_random_rng_t *this, size_t bytes, - u_int8_t *buffer) +METHOD(rng_t, get_bytes, void, + private_random_rng_t *this, size_t bytes, u_int8_t *buffer) { size_t done; ssize_t got; 
@@ -81,20 +78,15 @@ static void get_bytes(private_random_rng_t *this, size_t bytes, } } -/** - * Implementation of random_rng_t.allocate_bytes. - */ -static void allocate_bytes(private_random_rng_t *this, size_t bytes, - chunk_t *chunk) +METHOD(rng_t, allocate_bytes, void, + private_random_rng_t *this, size_t bytes, chunk_t *chunk) { *chunk = chunk_alloc(bytes); get_bytes(this, chunk->len, chunk->ptr); } -/** - * Implementation of random_rng_t.destroy. - */ -static void destroy(private_random_rng_t *this) +METHOD(rng_t, destroy, void, + private_random_rng_t *this) { close(this->dev); free(this); @@ -105,12 +97,17 @@ static void destroy(private_random_rng_t *this) */ random_rng_t *random_rng_create(rng_quality_t quality) { - private_random_rng_t *this = malloc_thing(private_random_rng_t); - - /* public functions */ - this->public.rng.get_bytes = (void (*) (rng_t *, size_t, u_int8_t*)) get_bytes; - this->public.rng.allocate_bytes = (void (*) (rng_t *, size_t, chunk_t*)) allocate_bytes; - this->public.rng.destroy = (void (*) (rng_t *))destroy; + private_random_rng_t *this; + + INIT(this, + .public = { + .rng = { + .get_bytes = _get_bytes, + .allocate_bytes = _allocate_bytes, + .destroy = _destroy, + }, + }, + ); if (quality == RNG_TRUE) { diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in index 16a9d21c5..4ed4b9694 100644 --- a/src/libstrongswan/plugins/revocation/Makefile.in +++ b/src/libstrongswan/plugins/revocation/Makefile.in @@ -223,9 +223,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -264,6 +262,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 29d2bc128..def169275 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -93,12 +93,13 @@ static certificate_t *fetch_ocsp(char *url, certificate_t *subject, /** * check the signature of an OCSP response */ -static bool verify_ocsp(ocsp_response_t *response) +static bool verify_ocsp(ocsp_response_t *response, auth_cfg_t *auth) { certificate_t *issuer, *subject; identification_t *responder; ocsp_response_wrapper_t *wrapper; enumerator_t *enumerator; + auth_cfg_t *current; bool verified = FALSE; wrapper = ocsp_response_wrapper_create((ocsp_response_t*)response); @@ -108,12 +109,16 @@ static bool verify_ocsp(ocsp_response_t *response) responder = subject->get_issuer(subject); enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, responder, FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) + while (enumerator->enumerate(enumerator, &issuer, ¤t)) { if (lib->credmgr->issued_by(lib->credmgr, subject, issuer)) { DBG1(DBG_CFG, " ocsp response correctly signed by \"%Y\"", issuer->get_subject(issuer)); + if (auth) + { + auth->merge(auth, current, FALSE); + } verified = TRUE; break; } 
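Review bot: The new `auth_cfg_t *auth` parameter of verify_ocsp is not documented, and the only behaviour it adds, `auth->merge(auth, current, FALSE);`, is run on the first trusted issuer for which `issued_by` succeeds, with a bare `FALSE` whose meaning a reader cannot tell from this file. Extend the function comment to `check the signature of an OCSP response; on success, merge the responder's trust chain (the auth config returned by the trusted enumerator) into auth, if given`, and name the third argument inline (`/* merge without copy */` or whatever `merge`'s flag selects). The same applies to verify_crl in the `@@ -323,20 +330,25 @@` hunk.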
@@ -129,7 +134,8 @@ static bool verify_ocsp(ocsp_response_t *response) * Get the better of two OCSP responses, and check for usable OCSP info */ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) + x509_t *subject, x509_t *issuer, cert_validation_t *valid, + auth_cfg_t *auth, bool cache) { ocsp_response_t *response; time_t revocation, this_update, next_update, valid_until; @@ -139,7 +145,7 @@ static certificate_t *get_better_ocsp(certificate_t *cand, certificate_t *best, response = (ocsp_response_t*)cand; /* check ocsp signature */ - if (!verify_ocsp(response)) + if (!verify_ocsp(response, auth)) { DBG1(DBG_CFG, "ocsp response verification failed"); cand->destroy(cand); @@ -220,7 +226,8 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, while (enumerator->enumerate(enumerator, ¤t)) { current->get_ref(current); - best = get_better_ocsp(current, best, subject, issuer, &valid, FALSE); + best = get_better_ocsp(current, best, subject, issuer, + &valid, auth, FALSE); if (best && valid != VALIDATION_STALE) { DBG1(DBG_CFG, " using cached ocsp response"); @@ -247,7 +254,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, auth, TRUE); if (best && valid != VALIDATION_STALE) { break; @@ -269,7 +276,7 @@ static cert_validation_t check_ocsp(x509_t *subject, x509_t *issuer, if (current) { best = get_better_ocsp(current, best, subject, issuer, - &valid, TRUE); + &valid, auth, TRUE); if (best && valid != VALIDATION_STALE) { break; 
@@ -323,20 +330,25 @@ static certificate_t* fetch_crl(char *url) /** * check the signature of an CRL */ -static bool verify_crl(certificate_t *crl) +static bool verify_crl(certificate_t *crl, auth_cfg_t *auth) { certificate_t *issuer; enumerator_t *enumerator; bool verified = FALSE; + auth_cfg_t *current; enumerator = lib->credmgr->create_trusted_enumerator(lib->credmgr, KEY_ANY, crl->get_issuer(crl), FALSE); - while (enumerator->enumerate(enumerator, &issuer, NULL)) + while (enumerator->enumerate(enumerator, &issuer, ¤t)) { if (lib->credmgr->issued_by(lib->credmgr, crl, issuer)) { DBG1(DBG_CFG, " crl correctly signed by \"%Y\"", issuer->get_subject(issuer)); + if (auth) + { + auth->merge(auth, current, FALSE); + } verified = TRUE; break; } @@ -350,23 +362,41 @@ static bool verify_crl(certificate_t *crl) * Get the better of two CRLs, and check for usable CRL info */ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, - x509_t *subject, x509_t *issuer, cert_validation_t *valid, bool cache) + x509_t *subject, cert_validation_t *valid, auth_cfg_t *auth, + bool cache, crl_t *base) { enumerator_t *enumerator; time_t revocation, valid_until; crl_reason_t reason; chunk_t serial; - crl_t *crl; + crl_t *crl = (crl_t*)cand; + + if (base) + { + if (!crl->is_delta_crl(crl, &serial) || + !chunk_equals(serial, base->get_serial(base))) + { + cand->destroy(cand); + return best; + } + } + else + { + if (crl->is_delta_crl(crl, NULL)) + { + cand->destroy(cand); + return best; + } + } /* check CRL signature */ - if (!verify_crl(cand)) + if (!verify_crl(cand, auth)) { DBG1(DBG_CFG, "crl response verification failed"); cand->destroy(cand); return best; } - crl = (crl_t*)cand; enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { 
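Review bot: The new `crl_t *base` argument of get_better_crl changes what the function accepts — only delta CRLs whose base serial matches `base->get_serial(base)` when `base` is set, only complete CRLs otherwise — but neither the function comment nor the two early `cand->destroy(cand); return best;` branches say so, and unlike the signature failure below they emit no DBG line, so a misfiled delta CRL disappears without trace. Add `@param base base CRL to find a matching delta for, NULL to accept complete CRLs only` to the header comment and a `DBG1(DBG_CFG, "ignoring CRL: delta/base mismatch");` (or similar) before each early return. Note also that the old `x509_t *issuer` parameter was removed from this function; whatever it was used for in the body is now gone from this call chain, and the rest of the function is outside the hunk.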
@@ -411,79 +441,191 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, } /** - * validate a x509 certificate using CRL + * Find or fetch a certificate for a given crlIssuer */ -static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, - auth_cfg_t *auth) +static cert_validation_t find_crl(x509_t *subject, identification_t *issuer, + auth_cfg_t *auth, crl_t *base, + certificate_t **best, bool *uri_found) { cert_validation_t valid = VALIDATION_SKIPPED; - identification_t *keyid = NULL; - certificate_t *best = NULL; + enumerator_t *enumerator; certificate_t *current; - public_key_t *public; + char *uri; + + /* find a cached (delta) crl */ + enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, + CERT_X509_CRL, KEY_ANY, issuer, FALSE); + while (enumerator->enumerate(enumerator, ¤t)) + { + current->get_ref(current); + *best = get_better_crl(current, *best, subject, &valid, + auth, FALSE, base); + if (*best && valid != VALIDATION_STALE) + { + DBG1(DBG_CFG, " using cached crl"); + break; + } + } + enumerator->destroy(enumerator); + + /* fallback to fetching crls from credential sets cdps */ + if (!base && valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + { + enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, + CERT_X509_CRL, issuer); + while (enumerator->enumerate(enumerator, &uri)) + { + *uri_found = TRUE; + current = fetch_crl(uri); + if (current) + { + if (!current->has_issuer(current, issuer)) + { + DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match CRL " + "issuer '%Y'", current->get_issuer(current), issuer); + current->destroy(current); + continue; + } + *best = get_better_crl(current, *best, subject, + &valid, auth, TRUE, base); + if (*best && valid != VALIDATION_STALE) + { + break; + } + } + } + enumerator->destroy(enumerator); + } + return valid; +} + +/** + * Look for a delta CRL for a given base CRL + */ +static cert_validation_t check_delta_crl(x509_t *subject, x509_t *issuer, + 
crl_t *base, cert_validation_t base_valid, auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + certificate_t *best = NULL, *current; enumerator_t *enumerator; + identification_t *id; + x509_cdp_t *cdp; chunk_t chunk; - char *uri = NULL; + bool uri; - /* derive the authorityKeyIdentifier from the issuer's public key */ - current = &issuer->interface; - public = current->get_public_key(current); - if (public && public->get_fingerprint(public, KEYID_PUBKEY_SHA1, &chunk)) + /* find cached delta CRL via subjectKeyIdentifier */ + chunk = issuer->get_subjectKeyIdentifier(issuer); + if (chunk.len) { - keyid = identification_create_from_encoding(ID_KEY_ID, chunk); + id = identification_create_from_encoding(ID_KEY_ID, chunk); + valid = find_crl(subject, id, auth, base, &best, &uri); + id->destroy(id); + } - /* find a cached crl by authorityKeyIdentifier */ - enumerator = lib->credmgr->create_cert_enumerator(lib->credmgr, - CERT_X509_CRL, KEY_ANY, keyid, FALSE); - while (enumerator->enumerate(enumerator, ¤t)) + /* find delta CRL by CRLIssuer */ + enumerator = subject->create_crl_uri_enumerator(subject); + while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && + enumerator->enumerate(enumerator, &cdp)) + { + if (cdp->issuer) { - current->get_ref(current); - best = get_better_crl(current, best, subject, issuer, - &valid, FALSE); + valid = find_crl(subject, cdp->issuer, auth, base, &best, &uri); + } + } + enumerator->destroy(enumerator); + + /* fetch from URIs found in Freshest CRL extension */ + enumerator = base->create_delta_crl_uri_enumerator(base); + while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && + enumerator->enumerate(enumerator, &cdp)) + { + current = fetch_crl(cdp->uri); + if (current) + { + if (cdp->issuer && !current->has_issuer(current, cdp->issuer)) + { + DBG1(DBG_CFG, "issuer of fetched delta CRL '%Y' does not match " + "certificates CRL issuer '%Y'", + current->get_issuer(current), cdp->issuer); + 
current->destroy(current); + continue; + } + best = get_better_crl(current, best, subject, &valid, + auth, TRUE, base); if (best && valid != VALIDATION_STALE) { - DBG1(DBG_CFG, " using cached crl"); break; } } - enumerator->destroy(enumerator); + } + enumerator->destroy(enumerator); + + if (best) + { + best->destroy(best); + return valid; + } + return base_valid; +} + + +/** + * validate a x509 certificate using CRL + */ +static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, + auth_cfg_t *auth) +{ + cert_validation_t valid = VALIDATION_SKIPPED; + certificate_t *best = NULL; + identification_t *id; + x509_cdp_t *cdp; + bool uri_found = FALSE; + certificate_t *current; + enumerator_t *enumerator; + chunk_t chunk; + + /* use issuers subjectKeyIdentifier to find a cached CRL / fetch from CDP */ + chunk = issuer->get_subjectKeyIdentifier(issuer); + if (chunk.len) + { + id = identification_create_from_encoding(ID_KEY_ID, chunk); + valid = find_crl(subject, id, auth, NULL, &best, &uri_found); + id->destroy(id); + } - /* fallback to fetching crls from credential sets cdps */ - if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) + /* find a cached CRL or fetch via configured CDP via CRLIssuer */ + enumerator = subject->create_crl_uri_enumerator(subject); + while (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED && + enumerator->enumerate(enumerator, &cdp)) + { + if (cdp->issuer) { - enumerator = lib->credmgr->create_cdp_enumerator(lib->credmgr, - CERT_X509_CRL, keyid); - while (enumerator->enumerate(enumerator, &uri)) - { - current = fetch_crl(uri); - if (current) - { - best = get_better_crl(current, best, subject, issuer, - &valid, TRUE); - if (best && valid != VALIDATION_STALE) - { - break; - } - } - } - enumerator->destroy(enumerator); + valid = find_crl(subject, cdp->issuer, auth, NULL, + &best, &uri_found); } - keyid->destroy(keyid); } - DESTROY_IF(public); + enumerator->destroy(enumerator); - /* fallback to fetching crls from cdps from 
subject's certificate */ + /* fallback to fetching CRLs from CDPs found in subjects certificate */ if (valid != VALIDATION_GOOD && valid != VALIDATION_REVOKED) { enumerator = subject->create_crl_uri_enumerator(subject); - - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &cdp)) { - current = fetch_crl(uri); + uri_found = TRUE; + current = fetch_crl(cdp->uri); if (current) { - best = get_better_crl(current, best, subject, issuer, - &valid, TRUE); + if (cdp->issuer && !current->has_issuer(current, cdp->issuer)) + { + DBG1(DBG_CFG, "issuer of fetched CRL '%Y' does not match " + "certificates CRL issuer '%Y'", + current->get_issuer(current), cdp->issuer); + current->destroy(current); + continue; + } + best = get_better_crl(current, best, subject, &valid, + auth, TRUE, NULL); if (best && valid != VALIDATION_STALE) { break; @@ -493,8 +635,14 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, enumerator->destroy(enumerator); } + /* look for delta CRLs */ + if (best && (valid == VALIDATION_GOOD || valid == VALIDATION_STALE)) + { + valid = check_delta_crl(subject, issuer, (crl_t*)best, valid, auth); + } + /* an uri was found, but no result. switch validation state to failed */ - if (valid == VALIDATION_SKIPPED && uri) + if (valid == VALIDATION_SKIPPED && uri_found) { valid = VALIDATION_FAILED; } @@ -517,7 +665,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer, METHOD(cert_validator_t, validate, bool, private_revocation_validator_t *this, certificate_t *subject, - certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth) + certificate_t *issuer, bool online, u_int pathlen, bool anchor, + auth_cfg_t *auth) { if (subject->get_type(subject) == CERT_X509 && issuer->get_type(issuer) == CERT_X509 && 
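Review bot: In check_crl and check_delta_crl the issuer comparison on fetched CRLs is conditional, `if (cdp->issuer && !current->has_issuer(current, cdp->issuer))`, so a CRL fetched from a distribution point without a crlIssuer (the common case) and a delta fetched from the Freshest CRL extension are passed to get_better_crl without any check that their issuer is the certificate's issuer; verify_crl then only establishes that the CRL is signed by a trusted issuer matching the CRL's own issuer field. Unless get_better_crl or verify_crl compare against the issuing CA elsewhere (their bodies are partly outside these hunks, and `x509_t *issuer` was dropped from get_better_crl in this commit), a CRL from a different trusted CA would be accepted as the revocation source for this certificate; find_crl does enforce `has_issuer` against its `issuer` argument, so the gap is only on the two CDP-URI paths. Fall back to the issuer certificate's subject when the CDP carries no crlIssuer: take `certificate_t *ic = &issuer->interface;` and check `has_issuer(current, cdp->issuer ? cdp->issuer : ic->get_subject(ic))`. Separately, `bool uri;` in check_delta_crl is never initialised or read; either drop it or initialise it like `uri_found` in check_crl.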
@@ -525,7 +674,8 @@ METHOD(cert_validator_t, validate, bool, { DBG1(DBG_CFG, "checking certificate status of \"%Y\"", subject->get_subject(subject)); - switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth)) + switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, + pathlen ? NULL : auth)) { case VALIDATION_GOOD: DBG1(DBG_CFG, "certificate status is good"); @@ -543,7 +693,8 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "ocsp check failed, fallback to crl"); break; } - switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth)) + switch (check_crl((x509_t*)subject, (x509_t*)issuer, + pathlen ? NULL : auth)) { case VALIDATION_GOOD: DBG1(DBG_CFG, "certificate status is good"); diff --git a/src/libstrongswan/plugins/sha1/Makefile.in b/src/libstrongswan/plugins/sha1/Makefile.in index 1036bedfc..3d96f4339 100644 --- a/src/libstrongswan/plugins/sha1/Makefile.in +++ b/src/libstrongswan/plugins/sha1/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sha1/sha1_plugin.c b/src/libstrongswan/plugins/sha1/sha1_plugin.c index 7b9cf878f..dda2cbc1a 100644 --- a/src/libstrongswan/plugins/sha1/sha1_plugin.c +++ b/src/libstrongswan/plugins/sha1/sha1_plugin.c @@ -19,6 +19,8 @@ #include "sha1_hasher.h" #include "sha1_prf.h" +static const char *plugin_name = "sha1"; + typedef struct private_sha1_plugin_t private_sha1_plugin_t; /** 
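Review bot: `pathlen ? NULL : auth` is written out at the check_ocsp call here and again at the check_crl call in the -543 hunk, and neither place says why auth is withheld above the end-entity certificate. Presumably the revocation checks record their outcome into auth and only the leaf's result (pathlen == 0) belongs in the authentication config; a single local set once at the top of validate, `auth_cfg_t *leaf_auth = pathlen ? NULL : auth;`, with that explanation as a comment would keep the two calls in step. The `anchor` parameter introduced in the -517 hunk is not referenced in any visible hunk; validate's body continues outside them.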
@@ -32,10 +34,8 @@ struct private_sha1_plugin_t { sha1_plugin_t public; }; -/** - * Implementation of sha1_plugin_t.destroy - */ -static void destroy(private_sha1_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sha1_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)sha1_hasher_create); @@ -49,13 +49,19 @@ static void destroy(private_sha1_plugin_t *this) */ plugin_t *sha1_plugin_create() { - private_sha1_plugin_t *this = malloc_thing(private_sha1_plugin_t); + private_sha1_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_SHA1, + lib->crypto->add_hasher(lib->crypto, HASH_SHA1, plugin_name, (hasher_constructor_t)sha1_hasher_create); - lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, + lib->crypto->add_prf(lib->crypto, PRF_KEYED_SHA1, plugin_name, (prf_constructor_t)sha1_prf_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/sha2/Makefile.in b/src/libstrongswan/plugins/sha2/Makefile.in index 579e6f9b0..fcbfa0c44 100644 --- a/src/libstrongswan/plugins/sha2/Makefile.in +++ b/src/libstrongswan/plugins/sha2/Makefile.in @@ -219,9 +219,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -260,6 +258,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sha2/sha2_plugin.c b/src/libstrongswan/plugins/sha2/sha2_plugin.c index 810d9922a..a5937dbb2 100644 --- a/src/libstrongswan/plugins/sha2/sha2_plugin.c 
+++ b/src/libstrongswan/plugins/sha2/sha2_plugin.c @@ -18,6 +18,8 @@ #include #include "sha2_hasher.h" +static const char *plugin_name = "sha2"; + typedef struct private_sha2_plugin_t private_sha2_plugin_t; /** @@ -31,10 +33,8 @@ struct private_sha2_plugin_t { sha2_plugin_t public; }; -/** - * Implementation of sha2_plugin_t.destroy - */ -static void destroy(private_sha2_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sha2_plugin_t *this) { lib->crypto->remove_hasher(lib->crypto, (hasher_constructor_t)sha2_hasher_create); @@ -46,17 +46,23 @@ static void destroy(private_sha2_plugin_t *this) */ plugin_t *sha2_plugin_create() { - private_sha2_plugin_t *this = malloc_thing(private_sha2_plugin_t); + private_sha2_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); - lib->crypto->add_hasher(lib->crypto, HASH_SHA224, + lib->crypto->add_hasher(lib->crypto, HASH_SHA224, plugin_name, (hasher_constructor_t)sha2_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA256, + lib->crypto->add_hasher(lib->crypto, HASH_SHA256, plugin_name, (hasher_constructor_t)sha2_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA384, + lib->crypto->add_hasher(lib->crypto, HASH_SHA384, plugin_name, (hasher_constructor_t)sha2_hasher_create); - lib->crypto->add_hasher(lib->crypto, HASH_SHA512, + lib->crypto->add_hasher(lib->crypto, HASH_SHA512, plugin_name, (hasher_constructor_t)sha2_hasher_create); return &this->public.plugin; diff --git a/src/libstrongswan/plugins/soup/Makefile.am b/src/libstrongswan/plugins/soup/Makefile.am new file mode 100644 index 000000000..9006f1b7c --- /dev/null +++ b/src/libstrongswan/plugins/soup/Makefile.am 
@@ -0,0 +1,16 @@
+
+INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS}
+
+AM_CFLAGS = -rdynamic
+
+if MONOLITHIC
+noinst_LTLIBRARIES = libstrongswan-soup.la
+else
+plugin_LTLIBRARIES = libstrongswan-soup.la
+endif
+
+libstrongswan_soup_la_SOURCES = \
+ soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h
+
+libstrongswan_soup_la_LDFLAGS = -module -avoid-version
+libstrongswan_soup_la_LIBADD = ${soup_LIBS}
diff --git a/src/libstrongswan/plugins/soup/Makefile.in b/src/libstrongswan/plugins/soup/Makefile.in
new file mode 100644
index 000000000..35d175f95
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/Makefile.in
@@ -0,0 +1,601 @@ +# Makefile.in generated by automake 1.11.1 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = src/libstrongswan/plugins/soup +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ + $(top_srcdir)/m4/config/ltoptions.m4 \ + $(top_srcdir)/m4/config/ltsugar.m4 \ + $(top_srcdir)/m4/config/ltversion.m4 \ + $(top_srcdir)/m4/config/lt~obsolete.m4 \ + $(top_srcdir)/m4/macros/with.m4 \ + $(top_srcdir)/m4/macros/enable-disable.m4 \ + $(top_srcdir)/m4/macros/add-plugin.m4 \ + $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = 
srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__installdirs = "$(DESTDIR)$(plugindir)" +LTLIBRARIES = $(noinst_LTLIBRARIES) $(plugin_LTLIBRARIES) +am__DEPENDENCIES_1 = +libstrongswan_soup_la_DEPENDENCIES = $(am__DEPENDENCIES_1) +am_libstrongswan_soup_la_OBJECTS = soup_plugin.lo soup_fetcher.lo +libstrongswan_soup_la_OBJECTS = $(am_libstrongswan_soup_la_OBJECTS) +libstrongswan_soup_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(libstrongswan_soup_la_LDFLAGS) $(LDFLAGS) -o $@ +@MONOLITHIC_FALSE@am_libstrongswan_soup_la_rpath = -rpath $(plugindir) +@MONOLITHIC_TRUE@am_libstrongswan_soup_la_rpath = +DEFAULT_INCLUDES = -I.@am__isrc@ +depcomp = $(SHELL) $(top_srcdir)/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) 
+LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = $(libstrongswan_soup_la_SOURCES) +DIST_SOURCES = $(libstrongswan_soup_la_SOURCES) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +ALLOCA = @ALLOCA@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BTLIB = @BTLIB@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLIB = @DLLIB@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +MYSQLCFLAG = @MYSQLCFLAG@ +MYSQLCONFIG = @MYSQLCONFIG@ +MYSQLLIB = @MYSQLLIB@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PERL = @PERL@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +PTHREADLIB = @PTHREADLIB@ +RANLIB = @RANLIB@ +RTLIB = @RTLIB@ +RUBY = @RUBY@ +RUBYINCLUDE = @RUBYINCLUDE@ +SED = @SED@ +SET_MAKE = 
@SET_MAKE@ +SHELL = @SHELL@ +SOCKLIB = @SOCKLIB@ +STRIP = @STRIP@ +VERSION = @VERSION@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +c_plugins = @c_plugins@ +datadir = @datadir@ +datarootdir = @datarootdir@ +dbusservicedir = @dbusservicedir@ +default_pkcs11 = @default_pkcs11@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +gtk_CFLAGS = @gtk_CFLAGS@ +gtk_LIBS = @gtk_LIBS@ +h_plugins = @h_plugins@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +ipsecdir = @ipsecdir@ +ipsecgroup = @ipsecgroup@ +ipsecuser = @ipsecuser@ +libcharon_plugins = @libcharon_plugins@ +libdir = @libdir@ +libexecdir = @libexecdir@ +linux_headers = @linux_headers@ +localedir = @localedir@ +localstatedir = @localstatedir@ +lt_ECHO = @lt_ECHO@ +maemo_CFLAGS = @maemo_CFLAGS@ +maemo_LIBS = @maemo_LIBS@ +manager_plugins = @manager_plugins@ +mandir = @mandir@ +medsrv_plugins = @medsrv_plugins@ +mkdir_p = @mkdir_p@ +nm_CFLAGS = @nm_CFLAGS@ +nm_LIBS = @nm_LIBS@ +nm_ca_dir = @nm_ca_dir@ +oldincludedir = @oldincludedir@ +openac_plugins = @openac_plugins@ +p_plugins = @p_plugins@ +pdfdir = @pdfdir@ +piddir = @piddir@ +pki_plugins = @pki_plugins@ +plugindir = @plugindir@ +pluto_plugins = @pluto_plugins@ +pool_plugins = @pool_plugins@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +random_device = @random_device@ 
+resolv_conf = @resolv_conf@ +routing_table = @routing_table@ +routing_table_prio = @routing_table_prio@ +s_plugins = @s_plugins@ +sbindir = @sbindir@ +scepclient_plugins = @scepclient_plugins@ +scripts_plugins = @scripts_plugins@ +sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ +srcdir = @srcdir@ +strongswan_conf = @strongswan_conf@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +urandom_device = @urandom_device@ +xml_CFLAGS = @xml_CFLAGS@ +xml_LIBS = @xml_LIBS@ +INCLUDES = -I$(top_srcdir)/src/libstrongswan ${soup_CFLAGS} +AM_CFLAGS = -rdynamic +@MONOLITHIC_TRUE@noinst_LTLIBRARIES = libstrongswan-soup.la +@MONOLITHIC_FALSE@plugin_LTLIBRARIES = libstrongswan-soup.la +libstrongswan_soup_la_SOURCES = \ + soup_plugin.h soup_plugin.c soup_fetcher.c soup_fetcher.h + +libstrongswan_soup_la_LDFLAGS = -module -avoid-version +libstrongswan_soup_la_LIBADD = ${soup_LIBS} +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .o .obj +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu src/libstrongswan/plugins/soup/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +clean-noinstLTLIBRARIES: + -test -z "$(noinst_LTLIBRARIES)" || rm -f $(noinst_LTLIBRARIES) + @list='$(noinst_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +install-pluginLTLIBRARIES: $(plugin_LTLIBRARIES) + @$(NORMAL_INSTALL) + test -z "$(plugindir)" || $(MKDIR_P) "$(DESTDIR)$(plugindir)" + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(plugindir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(plugindir)"; \ + } + +uninstall-pluginLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(plugin_LTLIBRARIES)'; test -n "$(plugindir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(plugindir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(plugindir)/$$f"; \ + done + 
+clean-pluginLTLIBRARIES: + -test -z "$(plugin_LTLIBRARIES)" || rm -f $(plugin_LTLIBRARIES) + @list='$(plugin_LTLIBRARIES)'; for p in $$list; do \ + dir="`echo $$p | sed -e 's|/[^/]*$$||'`"; \ + test "$$dir" != "$$p" || dir=.; \ + echo "rm -f \"$${dir}/so_locations\""; \ + rm -f "$${dir}/so_locations"; \ + done +libstrongswan-soup.la: $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_DEPENDENCIES) + $(libstrongswan_soup_la_LINK) $(am_libstrongswan_soup_la_rpath) $(libstrongswan_soup_la_OBJECTS) $(libstrongswan_soup_la_LIBADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_fetcher.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/soup_plugin.Plo@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo 
+ +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + set x; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in files) print i; }; }'`; \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e 
"s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(LTLIBRARIES) +installdirs: + for dir in "$(DESTDIR)$(plugindir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstLTLIBRARIES \ + clean-pluginLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-pluginLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-pluginLTLIBRARIES + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS all all-am check check-am clean clean-generic \ + clean-libtool clean-noinstLTLIBRARIES clean-pluginLTLIBRARIES \ + ctags distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-pdf install-pdf-am \ + install-pluginLTLIBRARIES install-ps install-ps-am \ + install-strip installcheck installcheck-am installdirs \ + maintainer-clean maintainer-clean-generic mostlyclean \ + mostlyclean-compile mostlyclean-generic mostlyclean-libtool \ + pdf pdf-am ps ps-am tags uninstall uninstall-am \ + uninstall-pluginLTLIBRARIES + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. 
+# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.c b/src/libstrongswan/plugins/soup/soup_fetcher.c new file mode 100644 index 000000000..fd97631bd --- /dev/null +++ b/src/libstrongswan/plugins/soup/soup_fetcher.c 
@@ -0,0 +1,159 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "soup_fetcher.h"
+
+#include
+
+#include
+#include
+
+#define DEFAULT_TIMEOUT 10
+
+typedef struct private_soup_fetcher_t private_soup_fetcher_t;
+
+/**
+ * private data of a soup_fetcher_t object.
+ */
+struct private_soup_fetcher_t {
+
+ /**
+ * Public data
+ */
+ soup_fetcher_t public;
+
+ /**
+ * HTTP request method
+ */
+ const char *method;
+
+ /**
+ * Request content type
+ */
+ char *type;
+
+ /**
+ * Request data
+ */
+ chunk_t data;
+
+ /**
+ * Request timeout
+ */
+ u_int timeout;
+
+ /**
+ * HTTP request version
+ */
+ SoupHTTPVersion version;
+};
+
+METHOD(fetcher_t, fetch, status_t,
+ private_soup_fetcher_t *this, char *uri, chunk_t *result)
+{
+ SoupSession *session;
+ SoupMessage *message;
+ status_t status = FAILED;
+
+ message = soup_message_new(this->method, uri);
+ if (!message)
+ {
+ return NOT_SUPPORTED;
+ }
+ if (this->type)
+ {
+ soup_message_set_request(message, this->type, SOUP_MEMORY_STATIC,
+ this->data.ptr, this->data.len);
+ }
+ soup_message_set_http_version(message, this->version);
+ session = soup_session_sync_new();
+ g_object_set(G_OBJECT(session),
+ SOUP_SESSION_TIMEOUT, (guint)this->timeout, NULL);
+
+ DBG2(DBG_LIB, "sending http request to '%s'...", uri);
+ soup_session_send_message(session, message);
+ if (SOUP_STATUS_IS_SUCCESSFUL(message->status_code))
+ {
+ *result = 
chunk_clone(chunk_create((u_char*)message->response_body->data,
+ message->response_body->length));
+ status = SUCCESS;
+ }
+ else
+ {
+ DBG1(DBG_LIB, "HTTP request failed, code %d", message->status_code);
+ }
+ g_object_unref(G_OBJECT(message));
+ g_object_unref(G_OBJECT(session));
+ return status;
+}
+
+METHOD(fetcher_t, set_option, bool,
+ private_soup_fetcher_t *this, fetcher_option_t option, ...)
+{
+ bool supported = TRUE;
+ va_list args;
+
+ va_start(args, option);
+ switch (option)
+ {
+ case FETCH_REQUEST_DATA:
+ this->method = SOUP_METHOD_POST;
+ this->data = va_arg(args, chunk_t);
+ break;
+ case FETCH_REQUEST_TYPE:
+ this->type = va_arg(args, char*);
+ break;
+ case FETCH_HTTP_VERSION_1_0:
+ this->version = SOUP_HTTP_1_0;
+ break;
+ case FETCH_TIMEOUT:
+ this->timeout = va_arg(args, u_int);
+ break;
+ default:
+ supported = FALSE;
+ break;
+ }
+ va_end(args);
+ return supported;
+}
+
+METHOD(fetcher_t, destroy, void,
+ private_soup_fetcher_t *this)
+{
+ free(this);
+}
+
+/*
+ * Described in header.
+ */
+soup_fetcher_t *soup_fetcher_create()
+{
+ private_soup_fetcher_t *this;
+
+ INIT(this,
+ .public = {
+ .interface = {
+ .fetch = _fetch,
+ .set_option = _set_option,
+ .destroy = _destroy,
+ },
+ },
+ .method = SOUP_METHOD_GET,
+ .version = SOUP_HTTP_1_1,
+ .timeout = DEFAULT_TIMEOUT,
+ );
+
+ return &this->public;
+}
diff --git a/src/libstrongswan/plugins/soup/soup_fetcher.h b/src/libstrongswan/plugins/soup/soup_fetcher.h
new file mode 100644
index 000000000..9b2579515
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_fetcher.h
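Review bot: `session = soup_session_sync_new();` is followed only by setting SOUP_SESSION_TIMEOUT, so nothing configures trust for TLS, yet soup_plugin.c registers this fetcher for `https://` as well as `http://`. As far as I recall, libsoup 2.x only checks the server certificate when a CA file is set on the session (`SOUP_SESSION_SSL_CA_FILE`), so an https fetch here authenticates nothing beyond what the caller gets by verifying the signature of the fetched object itself; I would state that next to the session setup: `/* no CA is configured, so https gives no peer authentication here; callers must verify the signature of whatever is fetched */`. Two smaller points for set_option: the `FETCH_REQUEST_TYPE` string and the `FETCH_REQUEST_DATA` chunk are stored by pointer and handed to libsoup as SOUP_MEMORY_STATIC, so the caller must keep them alive until fetch returns, and the response body is read from `message->response_body` only after the synchronous send completes, so a misbehaving server can make one fetch buffer an unbounded body before any size is checked — both deserve a comment on the struct fields.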
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup soup_fetcher soup_fetcher
+ * @{ @ingroup soup_p
+ */
+
+#ifndef SOUP_FETCHER_H_
+#define SOUP_FETCHER_H_
+
+#include
+
+typedef struct soup_fetcher_t soup_fetcher_t;
+
+/**
+ * Fetcher implementation for HTTP using libsoup.
+ */
+struct soup_fetcher_t {
+
+ /**
+ * Implements fetcher interface.
+ */
+ fetcher_t interface;
+};
+
+/**
+ * Create a soup_fetcher instance.
+ */
+soup_fetcher_t *soup_fetcher_create();
+
+#endif /** SOUP_FETCHER_H_ @}*/
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.c b/src/libstrongswan/plugins/soup/soup_plugin.c
new file mode 100644
index 000000000..970e32472
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_plugin.c
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) 2010 Martin Willi
+ * Copyright (C) 2010 revosec AG
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See .
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#include "soup_plugin.h"
+#include "soup_fetcher.h"
+
+#include
+#include
+
+#include
+
+typedef struct private_soup_plugin_t private_soup_plugin_t;
+
+/**
+ * private data of soup_plugin
+ */
+struct private_soup_plugin_t {
+
+ /**
+ * public functions
+ */
+ soup_plugin_t public;
+};
+
+METHOD(plugin_t, destroy, void,
+ private_soup_plugin_t *this)
+{
+ lib->fetcher->remove_fetcher(lib->fetcher,
+ (fetcher_constructor_t)soup_fetcher_create);
+ free(this);
+}
+
+/*
+ * see header file
+ */
+plugin_t *soup_plugin_create()
+{
+ private_soup_plugin_t *this;
+
+ g_type_init();
+ if (!g_thread_get_initialized())
+ {
+ g_thread_init(NULL);
+ }
+
+ INIT(this,
+ .public = {
+ .plugin = {
+ .destroy = _destroy,
+ },
+ },
+ );
+
+ lib->fetcher->add_fetcher(lib->fetcher,
+ (fetcher_constructor_t)soup_fetcher_create, "http://");
+ lib->fetcher->add_fetcher(lib->fetcher,
+ (fetcher_constructor_t)soup_fetcher_create, "https://");
+
+ return &this->public.plugin;
+}
diff --git a/src/libstrongswan/plugins/soup/soup_plugin.h b/src/libstrongswan/plugins/soup/soup_plugin.h
new file mode 100644
index 000000000..2dfa1d243
--- /dev/null
+++ b/src/libstrongswan/plugins/soup/soup_plugin.h
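Review bot: `g_type_init();` is called before the `g_thread_get_initialized()` / `g_thread_init(NULL)` block in soup_plugin_create, whereas the GLib documentation of that generation asks for g_thread_init to run before any other GLib call in a threaded program, and charon is threaded. Unless the plugin loader already initialises GLib threading, swapping the two statements is the safer order, and a short comment would explain why the plugin touches GLib init at all: `/* libsoup is GObject based; GLib type and thread systems must be up before the first session is created */`.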
@@ -0,0 +1,42 @@ +/* + * Copyright (C) 2010 Martin Willi + * Copyright (C) 2010 revosec AG + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See . + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + */ + +/** + * @defgroup soup_p soup + * @ingroup plugins + * + * @defgroup soup_plugin soup_plugin + * @{ @ingroup soup_p + */ + +#ifndef SOUP_PLUGIN_H_ +#define SOUP_PLUGIN_H_ + +#include + +typedef struct soup_plugin_t soup_plugin_t; + +/** + * Plugin implementing fetcher interface for HTTP using libsoup. + */ +struct soup_plugin_t { + + /** + * Implements plugin interface + */ + plugin_t plugin; +}; + +#endif /** SOUP_PLUGIN_H_ @}*/ diff --git a/src/libstrongswan/plugins/sqlite/Makefile.in b/src/libstrongswan/plugins/sqlite/Makefile.in index 9c9b57f98..ae015d1a8 100644 --- a/src/libstrongswan/plugins/sqlite/Makefile.in +++ b/src/libstrongswan/plugins/sqlite/Makefile.in @@ -222,9 +222,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -263,6 +261,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/sqlite/sqlite_database.c b/src/libstrongswan/plugins/sqlite/sqlite_database.c index 3e20dbb51..f9e06199e 100644 
--- a/src/libstrongswan/plugins/sqlite/sqlite_database.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_database.c @@ -213,10 +213,8 @@ static bool sqlite_enumerator_enumerate(sqlite_enumerator_t *this, ...) return TRUE; } -/** - * Implementation of database_t.query. - */ -static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...) +METHOD(database_t, query, enumerator_t*, + private_sqlite_database_t *this, char *sql, ...) { sqlite3_stmt *stmt; va_list args; @@ -248,10 +246,8 @@ static enumerator_t* query(private_sqlite_database_t *this, char *sql, ...) return (enumerator_t*)enumerator; } -/** - * Implementation of database_t.execute. - */ -static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...) +METHOD(database_t, execute, int, + private_sqlite_database_t *this, int *rowid, char *sql, ...) { sqlite3_stmt *stmt; int affected = -1; @@ -283,10 +279,8 @@ static int execute(private_sqlite_database_t *this, int *rowid, char *sql, ...) return affected; } -/** - * Implementation of database_t.get_driver - */ -static db_driver_t get_driver(private_sqlite_database_t *this) +METHOD(database_t, get_driver, db_driver_t, + private_sqlite_database_t *this) { return DB_SQLITE; } @@ -302,10 +296,8 @@ static int busy_handler(private_sqlite_database_t *this, int count) return 1; } -/** - * Implementation of database_t.destroy - */ -static void destroy(private_sqlite_database_t *this) +METHOD(database_t, destroy, void, + private_sqlite_database_t *this) { sqlite3_close(this->db); this->mutex->destroy(this->mutex); 
@@ -329,20 +321,23 @@ sqlite_database_t *sqlite_database_create(char *uri) } file = uri + 9; - this = malloc_thing(private_sqlite_database_t); - - this->public.db.query = (enumerator_t* (*)(database_t *this, char *sql, ...))query; - this->public.db.execute = (int (*)(database_t *this, int *rowid, char *sql, ...))execute; - this->public.db.get_driver = (db_driver_t(*)(database_t*))get_driver; - this->public.db.destroy = (void(*)(database_t*))destroy; - - this->mutex = mutex_create(MUTEX_TYPE_RECURSIVE); + INIT(this, + .public = { + .db = { + .query = _query, + .execute = _execute, + .get_driver = _get_driver, + .destroy = _destroy, + }, + }, + .mutex = mutex_create(MUTEX_TYPE_RECURSIVE), + ); if (sqlite3_open(file, &this->db) != SQLITE_OK) { DBG1(DBG_LIB, "opening SQLite database '%s' failed: %s", file, sqlite3_errmsg(this->db)); - destroy(this); + _destroy(this); return NULL; } diff --git a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c index 332d82318..e0b8e6ce1 100644 --- a/src/libstrongswan/plugins/sqlite/sqlite_plugin.c +++ b/src/libstrongswan/plugins/sqlite/sqlite_plugin.c @@ -31,10 +31,8 @@ struct private_sqlite_plugin_t { sqlite_plugin_t public; }; -/** - * Implementation of plugin_t.destroy - */ -static void destroy(private_sqlite_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_sqlite_plugin_t *this) { lib->db->remove_database(lib->db, (database_constructor_t)sqlite_database_create); @@ -46,9 +44,15 @@ static void destroy(private_sqlite_plugin_t *this) */ plugin_t *sqlite_plugin_create() { - private_sqlite_plugin_t *this = malloc_thing(private_sqlite_plugin_t); - - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + private_sqlite_plugin_t *this; + + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->db->add_database(lib->db, (database_constructor_t)sqlite_database_create); 
diff --git a/src/libstrongswan/plugins/test_vectors/Makefile.in b/src/libstrongswan/plugins/test_vectors/Makefile.in index 9be3f825a..9dccb05e3 100644 --- a/src/libstrongswan/plugins/test_vectors/Makefile.in +++ b/src/libstrongswan/plugins/test_vectors/Makefile.in @@ -227,9 +227,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -268,6 +266,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c index f3a254d8d..176bc438d 100644 --- a/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c +++ b/src/libstrongswan/plugins/test_vectors/test_vectors_plugin.c @@ -104,10 +104,8 @@ struct private_test_vectors_plugin_t { test_vectors_plugin_t public; }; -/** - * Implementation of test_vectors_plugin_t.test_vectorstroy - */ -static void destroy(private_test_vectors_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_test_vectors_plugin_t *this) { free(this); } @@ -117,10 +115,16 @@ static void destroy(private_test_vectors_plugin_t *this) */ plugin_t *test_vectors_plugin_create() { - private_test_vectors_plugin_t *this = malloc_thing(private_test_vectors_plugin_t); + private_test_vectors_plugin_t *this; int i; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); for (i = 0; i < countof(crypter); i++) { 
diff --git a/src/libstrongswan/plugins/x509/Makefile.in b/src/libstrongswan/plugins/x509/Makefile.in index b1cc2f168..57deab98e 100644 --- a/src/libstrongswan/plugins/x509/Makefile.in +++ b/src/libstrongswan/plugins/x509/Makefile.in @@ -221,9 +221,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -262,6 +260,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c index 559090aa0..526dbe8c6 100644 --- a/src/libstrongswan/plugins/x509/x509_cert.c +++ b/src/libstrongswan/plugins/x509/x509_cert.c @@ -117,7 +117,7 @@ struct private_x509_cert_t { linked_list_t *subjectAltNames; /** - * List of crlDistributionPoints as allocated char* + * List of crlDistributionPoints as x509_cdp_t* */ linked_list_t *crl_uris; @@ -131,6 +131,26 @@ struct private_x509_cert_t { */ linked_list_t *ipAddrBlocks; + /** + * List of permitted name constraints + */ + linked_list_t *permitted_names; + + /** + * List of exluced name constraints + */ + linked_list_t *excluded_names; + + /** + * List of certificatePolicies, as x509_cert_policy_t + */ + linked_list_t *cert_policies; + + /** + * List of policyMappings, as x509_policy_mapping_t + */ + linked_list_t *policy_mappings; + /** * certificate's embedded public key */ 
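Review bot: The new field comment `List of exluced name constraints` misspells "excluded", and neither name-constraint list states its element type even though the neighbouring `cert_policies` and `policy_mappings` comments do; both lists are filled with identification_t* by parse_nameConstraints and torn down with `destroy_offset(..., offsetof(identification_t, destroy))`. Suggest `List of permitted name constraints, as identification_t*` and `List of excluded name constraints, as identification_t*`. The enclosing struct private_x509_cert_t begins and ends outside this hunk.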
@@ -154,7 +174,22 @@ struct private_x509_cert_t { /** * Path Length Constraint */ - int pathLenConstraint; + u_char pathLenConstraint; + + /** + * requireExplicitPolicy Constraint + */ + u_char require_explicit; + + /** + * inhibitPolicyMapping Constraint + */ + u_char inhibit_mapping; + + /** + * inhibitAnyPolicy Constraint + */ + u_char inhibit_any; /** * x509 constraints and other flags @@ -186,6 +221,53 @@ static const chunk_t ASN1_subjectAltName_oid = chunk_from_chars( 0x06, 0x03, 0x55, 0x1D, 0x11 ); +/** + * Destroy a CertificateDistributionPoint + */ +static void crl_uri_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} + +/** + * Destroy a CertificatePolicy + */ +static void cert_policy_destroy(x509_cert_policy_t *this) +{ + free(this->oid.ptr); + free(this->cps_uri); + free(this->unotice_text); + free(this); +} + +/** + * Free policy mapping + */ +static void policy_mapping_destroy(x509_policy_mapping_t *mapping) +{ + free(mapping->issuer.ptr); + free(mapping->subject.ptr); + free(mapping); +} + +/** + * Parse a length constraint from an unwrapped integer + */ +static u_int parse_constraint(chunk_t object) +{ + switch (object.len) + { + case 0: + return 0; + case 1: + return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0]; + default: + return X509_NO_CONSTRAINT; + } +} + /** * ASN.1 definition of a basicConstraints extension */ @@ -228,15 +310,7 @@ static void parse_basicConstraints(chunk_t blob, int level0, case BASIC_CONSTRAINTS_PATH_LEN: if (isCA) { - if (object.len == 0) - { - this->pathLenConstraint = 0; - } - else if (object.len == 1) - { - this->pathLenConstraint = *object.ptr; - } - /* we ignore path length constraints > 127 */ + this->pathLenConstraint = parse_constraint(object); } break; default: @@ -574,7 +648,7 @@ static void parse_authorityInfoAccess(chunk_t blob, int level0, } break; default: - /* unkown accessMethod, ignoring */ + /* unknown accessMethod, ignoring */ break; } break; 
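Review bot: parse_constraint() maps every malformed encoding to X509_NO_CONSTRAINT — a one-octet INTEGER with the sign bit set (a negative value) and any multi-octet INTEGER both come back as "unconstrained", so a corrupt or hostile pathLenConstraint or SkipCerts lifts the restriction instead of invalidating the certificate. RFC 5280 defines these as INTEGER (0..MAX); the safer behaviour is to let the caller learn that the value was malformed so parse_certificate can reject the certificate, as the inhibitAnyPolicy branch already does when asn1_parse_simple_object fails. Until then the fail-open should be stated at the `default:` case, e.g. `/* negative or >127: malformed per RFC 5280, currently treated as unconstrained (fail-open) */`. Note also that the u_int result is stored into u_char fields (pathLenConstraint, require_explicit, inhibit_mapping, inhibit_any), which is only lossless if X509_NO_CONSTRAINT fits in eight bits — its definition is not in this diff.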
@@ -588,6 +662,60 @@ end: parser->destroy(parser); } +/** + * Extract KeyUsage flags + */ +static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this) +{ + enum { + KU_DIGITAL_SIGNATURE = 0, + KU_NON_REPUDIATION = 1, + KU_KEY_ENCIPHERMENT = 2, + KU_DATA_ENCIPHERMENT = 3, + KU_KEY_AGREEMENT = 4, + KU_KEY_CERT_SIGN = 5, + KU_CRL_SIGN = 6, + KU_ENCIPHER_ONLY = 7, + KU_DECIPHER_ONLY = 8, + }; + + if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len) + { + int bit, byte, unused = blob.ptr[0]; + + blob = chunk_skip(blob, 1); + for (byte = 0; byte < blob.len; byte++) + { + for (bit = 0; bit < 8; bit++) + { + if (byte == blob.len - 1 && bit > (7 - unused)) + { + break; + } + if (blob.ptr[byte] & 1 << (7 - bit)) + { + switch (byte * 8 + bit) + { + case KU_CRL_SIGN: + this->flags |= X509_CRL_SIGN; + break; + case KU_KEY_CERT_SIGN: + /* we use the caBasicConstraint, MUST be set */ + case KU_DIGITAL_SIGNATURE: + case KU_NON_REPUDIATION: + case KU_KEY_ENCIPHERMENT: + case KU_DATA_ENCIPHERMENT: + case KU_KEY_AGREEMENT: + case KU_ENCIPHER_ONLY: + case KU_DECIPHER_ONLY: + break; + } + } + } + } + } +} + /** * ASN.1 definition of a extendedKeyUsage extension */ @@ -600,7 +728,7 @@ static const asn1Object_t extendedKeyUsageObjects[] = { #define EXT_KEY_USAGE_PURPOSE_ID 1 /** - * Extracts extendedKeyUsage OIDs - currently only OCSP_SIGING is returned + * Extracts extendedKeyUsage OIDs */ static void parse_extendedKeyUsage(chunk_t blob, int level0, private_x509_cert_t *this) 
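Review bot: parse_keyUsage() takes `unused = blob.ptr[0]` straight from the certificate without checking that it is in 0..7; DER permits at most seven unused bits, and a larger value makes `7 - unused` negative so the final octet is silently skipped rather than the extension being treated as malformed. Add `if (unused > 7) { return; }` after the length check (or better, report the extension as invalid), and consider writing `blob.ptr[byte] & (1 << (7 - bit))` — the precedence is correct today, but the bare form is a well-known trap for the next editor. The decision to ignore KU_KEY_CERT_SIGN in favour of basicConstraints also deserves a fuller comment, since RFC 5280 forbids using a key for certificate signature verification when keyUsage is present without that bit.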
@@ -649,51 +777,328 @@ static const asn1Object_t crlDistributionPointsObjects[] = { { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ - { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_BODY }, /* 10 */ + { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ { 0, "exit", ASN1_EOC, ASN1_EXIT } }; +#define CRL_DIST_POINTS 1 #define CRL_DIST_POINTS_FULLNAME 3 +#define CRL_DIST_POINTS_ISSUER 10 + +/** + * Add entry to the list of each pairing of URI and Issuer + */ +static void add_cdps(linked_list_t *list, linked_list_t *uris, + linked_list_t *issuers) +{ + identification_t *issuer, *id; + enumerator_t *enumerator; + x509_cdp_t *cdp; + char *uri; + + while (uris->remove_last(uris, (void**)&id) == SUCCESS) + { + if (asprintf(&uri, "%Y", id) > 0) + { + if (issuers->get_count(issuers)) + { + enumerator = issuers->create_enumerator(issuers); + while (enumerator->enumerate(enumerator, &issuer)) + { + INIT(cdp, + .uri = strdup(uri), + .issuer = issuer->clone(issuer), + ); + list->insert_last(list, cdp); + } + enumerator->destroy(enumerator); + free(uri); + } + else + { + INIT(cdp, + .uri = uri, + ); + list->insert_last(list, cdp); + } + } + id->destroy(id); + } + while (issuers->remove_last(issuers, (void**)&id) == SUCCESS) + { + id->destroy(id); + } +} /** * Extracts one or several crlDistributionPoints into a list */ -static void parse_crlDistributionPoints(chunk_t blob, int level0, - private_x509_cert_t *this) +void x509_parse_crlDistributionPoints(chunk_t blob, int level0, + linked_list_t *list) { + linked_list_t *uris, *issuers; asn1_parser_t *parser; chunk_t object; int objectID; - linked_list_t *list = linked_list_create(); + uris = linked_list_create(); + issuers = linked_list_create(); parser = asn1_parser_create(crlDistributionPointsObjects, blob); 
parser->set_top_level(parser, level0); while (parser->iterate(parser, &objectID, &object)) { - if (objectID == CRL_DIST_POINTS_FULLNAME) + switch (objectID) { - identification_t *id; + case CRL_DIST_POINTS: + add_cdps(list, uris, issuers); + break; + case CRL_DIST_POINTS_FULLNAME: + x509_parse_generalNames(object, parser->get_level(parser) + 1, + TRUE, uris); + break; + case CRL_DIST_POINTS_ISSUER: + x509_parse_generalNames(object, parser->get_level(parser) + 1, + TRUE, issuers); + break; + default: + break; + } + } + parser->destroy(parser); - /* append extracted generalNames to existing chained list */ - x509_parse_generalNames(object, parser->get_level(parser)+1, - TRUE, list); + add_cdps(list, uris, issuers); - while (list->remove_last(list, (void**)&id) == SUCCESS) - { - char *uri; + uris->destroy(uris); + issuers->destroy(issuers); +} + +/** + * ASN.1 definition of nameConstraints + */ +static const asn1Object_t nameConstraintsObjects[] = { + { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ + { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */ + { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define NAME_CONSTRAINT_PERMITTED 2 +#define NAME_CONSTRAINT_EXCLUDED 5 + +/** + * Parse permitted/excluded nameConstraints + */ +static void parse_nameConstraints(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + asn1_parser_t *parser; + identification_t *id; + chunk_t object; + int objectID; + + parser = asn1_parser_create(nameConstraintsObjects, blob); + parser->set_top_level(parser, level0); - if (asprintf(&uri, "%Y", id) > 0) + while (parser->iterate(parser, &objectID, &object)) + { + switch 
(objectID) + { + case NAME_CONSTRAINT_PERMITTED: + id = parse_generalName(object, parser->get_level(parser) + 1); + if (id) { - this->crl_uris->insert_last(this->crl_uris, uri); + this->permitted_names->insert_last(this->permitted_names, id); } - id->destroy(id); - } + break; + case NAME_CONSTRAINT_EXCLUDED: + id = parse_generalName(object, parser->get_level(parser) + 1); + if (id) + { + this->excluded_names->insert_last(this->excluded_names, id); + } + break; + default: + break; + } + } + parser->destroy(parser); +} + +/** + * ASN.1 definition of a certificatePolicies extension + */ +static const asn1Object_t certificatePoliciesObject[] = { + { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ + { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ + { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */ + { 2, "qualifier", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 3 */ + { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */ + { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */ + { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */ + { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ + { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */ + { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */ + { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */ + { 2, "end opt", ASN1_EOC, ASN1_END }, /* 12 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define CERT_POLICY_ID 2 +#define CERT_POLICY_QUALIFIER_ID 5 +#define CERT_POLICY_CPS_URI 6 +#define CERT_POLICY_EXPLICIT_TEXT 9 + +/** + * Parse certificatePolicies + */ +static void parse_certificatePolicies(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + x509_cert_policy_t *policy = NULL; + asn1_parser_t *parser; + chunk_t object; + int objectID, qualifier = OID_UNKNOWN; + + parser = asn1_parser_create(certificatePoliciesObject, blob); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + switch 
(objectID) + { + case CERT_POLICY_ID: + INIT(policy, + .oid = chunk_clone(object), + ); + this->cert_policies->insert_last(this->cert_policies, policy); + break; + case CERT_POLICY_QUALIFIER_ID: + qualifier = asn1_known_oid(object); + break; + case CERT_POLICY_CPS_URI: + if (policy && !policy->cps_uri && object.len && + qualifier == OID_POLICY_QUALIFIER_CPS && + chunk_printable(object, NULL, 0)) + { + policy->cps_uri = strndup(object.ptr, object.len); + } + break; + case CERT_POLICY_EXPLICIT_TEXT: + /* TODO */ + break; + default: + break; + } + } + parser->destroy(parser); +} + +/** + * ASN.1 definition of a policyMappings extension + */ +static const asn1Object_t policyMappingsObjects[] = { + { 0, "policyMappings", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ + { 1, "policyMapping", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ + { 2, "issuerPolicy", ASN1_OID, ASN1_BODY }, /* 2 */ + { 2, "subjectPolicy", ASN1_OID, ASN1_BODY }, /* 3 */ + { 0, "end loop", ASN1_EOC, ASN1_END }, /* 4 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define POLICY_MAPPING 1 +#define POLICY_MAPPING_ISSUER 2 +#define POLICY_MAPPING_SUBJECT 3 + +/** + * Parse policyMappings + */ +static void parse_policyMappings(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + x509_policy_mapping_t *map = NULL; + asn1_parser_t *parser; + chunk_t object; + int objectID; + + parser = asn1_parser_create(policyMappingsObjects, blob); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case POLICY_MAPPING: + INIT(map); + this->policy_mappings->insert_last(this->policy_mappings, map); + break; + case POLICY_MAPPING_ISSUER: + if (map && !map->issuer.len) + { + map->issuer = chunk_clone(object); + } + break; + case POLICY_MAPPING_SUBJECT: + if (map && !map->subject.len) + { + map->subject = chunk_clone(object); + } + break; + default: + break; + } + } + parser->destroy(parser); +} + +/** + * ASN.1 definition of a policyConstraints extension + */ 
+static const asn1Object_t policyConstraintsObjects[] = { + { 0, "policyConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "requireExplicitPolicy", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_NONE }, /* 1 */ + { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 2 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 3 */ + { 1, "inhibitPolicyMapping", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_NONE }, /* 4 */ + { 2, "SkipCerts", ASN1_INTEGER, ASN1_BODY }, /* 5 */ + { 1, "end opt", ASN1_EOC, ASN1_END }, /* 6 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } +}; +#define POLICY_CONSTRAINT_EXPLICIT 2 +#define POLICY_CONSTRAINT_INHIBIT 5 + +/** + * Parse policyConstraints + */ +static void parse_policyConstraints(chunk_t blob, int level0, + private_x509_cert_t *this) +{ + asn1_parser_t *parser; + chunk_t object; + int objectID; + + parser = asn1_parser_create(policyConstraintsObjects, blob); + parser->set_top_level(parser, level0); + + while (parser->iterate(parser, &objectID, &object)) + { + switch (objectID) + { + case POLICY_CONSTRAINT_EXPLICIT: + this->require_explicit = parse_constraint(object); + break; + case POLICY_CONSTRAINT_INHIBIT: + this->inhibit_mapping = parse_constraint(object); + break; + default: + break; } } parser->destroy(parser); - list->destroy(list); } /** @@ -887,11 +1292,6 @@ static const asn1Object_t certObjects[] = { #define X509_OBJ_ALGORITHM 24 #define X509_OBJ_SIGNATURE 25 -/** - * forward declaration - */ -static bool issued_by(private_x509_cert_t *this, certificate_t *issuer); - /** * Parses an X.509v3 certificate */ @@ -992,7 +1392,8 @@ static bool parse_certificate(private_x509_cert_t *this) parse_basicConstraints(object, level, this); break; case OID_CRL_DISTRIBUTION_POINTS: - parse_crlDistributionPoints(object, level, this); + x509_parse_crlDistributionPoints(object, level, + this->crl_uris); break; case OID_AUTHORITY_KEY_ID: this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, 
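Review bot: None of the new extension parsers (parse_nameConstraints, parse_certificatePolicies, parse_policyMappings, parse_policyConstraints, x509_parse_crlDistributionPoints) can report failure: each returns void and calls `parser->destroy(parser)` without consulting whether the parse completed, so a malformed nameConstraints extension — which RFC 5280 requires to be marked critical — leaves an empty or partial permitted/excluded list while the certificate is still accepted, i.e. the constraint fails open. If asn1_parser_t exposes a completion status, these parsers should return bool and parse_certificate should `goto end` on FALSE, mirroring what the inhibitAnyPolicy branch does for a bad INTEGER. Separately, the NAME_CONSTRAINT_PERMITTED/EXCLUDED cases hand the whole GeneralSubtree body to parse_generalName() and never look at the optional minimum/maximum fields, which is only acceptable because RFC 5280 mandates minimum 0 and an absent maximum — worth a comment there, e.g. `/* GeneralSubtree minimum/maximum not parsed: RFC 5280 requires 0 / absent */`. parse_certificate, the caller that would act on a failure, lies outside this hunk.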
@@ -1002,7 +1403,7 @@ static bool parse_certificate(private_x509_cert_t *this) parse_authorityInfoAccess(object, level, this); break; case OID_KEY_USAGE: - /* TODO parse the flags */ + parse_keyUsage(object, this); break; case OID_EXTENDED_KEY_USAGE: parse_extendedKeyUsage(object, level, this); @@ -1010,6 +1411,26 @@ static bool parse_certificate(private_x509_cert_t *this) case OID_IP_ADDR_BLOCKS: parse_ipAddrBlocks(object, level, this); break; + case OID_NAME_CONSTRAINTS: + parse_nameConstraints(object, level, this); + break; + case OID_CERTIFICATE_POLICIES: + parse_certificatePolicies(object, level, this); + break; + case OID_POLICY_MAPPINGS: + parse_policyMappings(object, level, this); + break; + case OID_POLICY_CONSTRAINTS: + parse_policyConstraints(object, level, this); + break; + case OID_INHIBIT_ANY_POLICY: + if (!asn1_parse_simple_object(&object, ASN1_INTEGER, + level, "inhibitAnyPolicy")) + { + goto end; + } + this->inhibit_any = parse_constraint(object); + break; case OID_NS_REVOCATION_URL: case OID_NS_CA_REVOCATION_URL: case OID_NS_CA_POLICY_URL: @@ -1022,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this) break; default: if (critical && lib->settings->get_bool(lib->settings, - "libstrongswan.plugins.x509.enforce_critical", FALSE)) + "libstrongswan.x509.enforce_critical", TRUE)) { - DBG1(DBG_LIB, "critical %s extension not supported", + DBG1(DBG_LIB, "critical '%s' extension not supported", (extn_oid == OID_UNKNOWN) ? "unknown" : (char*)oid_names[extn_oid].name); goto end; @@ -1057,7 +1478,9 @@ end: hasher_t *hasher; /* check if the certificate is self-signed */ - if (issued_by(this, &this->public.interface.interface)) + if (this->public.interface.interface.issued_by( + &this->public.interface.interface, + &this->public.interface.interface)) { this->flags |= X509_SELF_SIGNED; } 
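Review bot: The new OID_INHIBIT_ANY_POLICY case fails the certificate with `goto end` when the INTEGER does not parse, but the adjacent new cases (OID_NAME_CONSTRAINTS, OID_CERTIFICATE_POLICIES, OID_POLICY_MAPPINGS, OID_POLICY_CONSTRAINTS) call void parsers that cannot fail, so a corrupt critical nameConstraints is silently swallowed while a corrupt inhibitAnyPolicy is rejected. The handling should be consistent, preferably fail-closed for all of them; until then a comment at the inhibitAnyPolicy case explaining why it alone is strict would stop the asymmetry from looking accidental. The enclosing switch and parse_certificate begin and end outside this hunk.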
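Review bot: The setting key changes from `libstrongswan.plugins.x509.enforce_critical` to `libstrongswan.x509.enforce_critical` and the default flips from FALSE to TRUE on the same line; deployments that set the old key will have their value silently ignored and will start rejecting certificates with unsupported critical extensions at the next restart. Rejecting unknown critical extensions is what RFC 5280 requires and is the right default, but the rename warrants a fallback that reads the old key (or at least a logged deprecation) and a release-note entry. The surrounding `default:` branch continues outside this hunk.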
@@ -1074,34 +1497,26 @@ end: return success; } -/** - * Implementation of certificate_t.get_type - */ -static certificate_type_t get_type(private_x509_cert_t *this) +METHOD(certificate_t, get_type, certificate_type_t, + private_x509_cert_t *this) { return CERT_X509; } -/** - * Implementation of certificate_t.get_subject - */ -static identification_t* get_subject(private_x509_cert_t *this) +METHOD(certificate_t, get_subject, identification_t*, + private_x509_cert_t *this) { return this->subject; } -/** - * Implementation of certificate_t.get_issuer - */ -static identification_t* get_issuer(private_x509_cert_t *this) +METHOD(certificate_t, get_issuer, identification_t*, + private_x509_cert_t *this) { return this->issuer; } -/** - * Implementation of certificate_t.has_subject. - */ -static id_match_t has_subject(private_x509_cert_t *this, identification_t *subject) +METHOD(certificate_t, has_subject, id_match_t, + private_x509_cert_t *this, identification_t *subject) { identification_t *current; enumerator_t *enumerator; @@ -1142,19 +1557,15 @@ static id_match_t has_subject(private_x509_cert_t *this, identification_t *subje return best; } -/** - * Implementation of certificate_t.has_issuer. - */ -static id_match_t has_issuer(private_x509_cert_t *this, identification_t *issuer) +METHOD(certificate_t, has_issuer, id_match_t, + private_x509_cert_t *this, identification_t *issuer) { /* issuerAltNames currently not supported */ return this->issuer->matches(this->issuer, issuer); } -/** - * Implementation of certificate_t.issued_by. - */ -static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) +METHOD(certificate_t, issued_by, bool, + private_x509_cert_t *this, certificate_t *issuer) { public_key_t *key; signature_scheme_t scheme; 
@@ -1201,37 +1612,23 @@ static bool issued_by(private_x509_cert_t *this, certificate_t *issuer) return valid; } -/** - * Implementation of certificate_t.get_public_key - */ -static public_key_t* get_public_key(private_x509_cert_t *this) +METHOD(certificate_t, get_public_key, public_key_t*, + private_x509_cert_t *this) { this->public_key->get_ref(this->public_key); return this->public_key; } -/** - * Implementation of certificate_t.get_ref - */ -static private_x509_cert_t* get_ref(private_x509_cert_t *this) +METHOD(certificate_t, get_ref, certificate_t*, + private_x509_cert_t *this) { ref_get(&this->ref); - return this; + return &this->public.interface.interface; } -/** - * Implementation of x509_cert_t.get_flags. - */ -static x509_flag_t get_flags(private_x509_cert_t *this) -{ - return this->flags; -} - -/** - * Implementation of x509_cert_t.get_validity. - */ -static bool get_validity(private_x509_cert_t *this, time_t *when, - time_t *not_before, time_t *not_after) +METHOD(certificate_t, get_validity, bool, + private_x509_cert_t *this, time_t *when, time_t *not_before, + time_t *not_after) { time_t t = when ? *when : time(NULL); @@ -1246,11 +1643,8 @@ static bool get_validity(private_x509_cert_t *this, time_t *when, return (t >= this->notBefore && t <= this->notAfter); } -/** - * Implementation of certificate_t.get_encoding. - */ -static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, - chunk_t *encoding) +METHOD(certificate_t, get_encoding, bool, + private_x509_cert_t *this, cred_encoding_type_t type, chunk_t *encoding) { if (type == CERT_ASN1_DER) { 
@@ -1261,10 +1655,8 @@ static bool get_encoding(private_x509_cert_t *this, cred_encoding_type_t type, CRED_PART_X509_ASN1_DER, this->encoding, CRED_PART_END); } -/** - * Implementation of certificate_t.equals. - */ -static bool equals(private_x509_cert_t *this, certificate_t *other) +METHOD(certificate_t, equals, bool, + private_x509_cert_t *this, certificate_t *other) { chunk_t encoding; bool equal; @@ -1290,18 +1682,20 @@ static bool equals(private_x509_cert_t *this, certificate_t *other) return equal; } -/** - * Implementation of x509_t.get_serial. - */ -static chunk_t get_serial(private_x509_cert_t *this) +METHOD(x509_t, get_flags, x509_flag_t, + private_x509_cert_t *this) +{ + return this->flags; +} + +METHOD(x509_t, get_serial, chunk_t, + private_x509_cert_t *this) { return this->serialNumber; } -/** - * Implementation of x509_t.get_subjectKeyIdentifier. - */ -static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) +METHOD(x509_t, get_subjectKeyIdentifier, chunk_t, + private_x509_cert_t *this) { if (this->subjectKeyIdentifier.ptr) { 
@@ -1323,66 +1717,95 @@ static chunk_t get_subjectKeyIdentifier(private_x509_cert_t *this) } } -/** - * Implementation of x509_t.get_authKeyIdentifier. - */ -static chunk_t get_authKeyIdentifier(private_x509_cert_t *this) +METHOD(x509_t, get_authKeyIdentifier, chunk_t, + private_x509_cert_t *this) { return this->authKeyIdentifier; } -/** - * Implementation of x509_t.get_pathLenConstraint. - */ -static int get_pathLenConstraint(private_x509_cert_t *this) +METHOD(x509_t, get_constraint, u_int, + private_x509_cert_t *this, x509_constraint_t type) { - return this->pathLenConstraint; + switch (type) + { + case X509_PATH_LEN: + return this->pathLenConstraint; + case X509_REQUIRE_EXPLICIT_POLICY: + return this->require_explicit; + case X509_INHIBIT_POLICY_MAPPING: + return this->inhibit_mapping; + case X509_INHIBIT_ANY_POLICY: + return this->inhibit_any; + default: + return X509_NO_CONSTRAINT; + } } -/** - * Implementation of x509_cert_t.create_subjectAltName_enumerator. - */ -static enumerator_t* create_subjectAltName_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_subjectAltName_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->subjectAltNames->create_enumerator(this->subjectAltNames); } -/** - * Implementation of x509_cert_t.create_ocsp_uri_enumerator. - */ -static enumerator_t* create_ocsp_uri_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_ocsp_uri_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->ocsp_uris->create_enumerator(this->ocsp_uris); } -/** - * Implementation of x509_cert_t.create_crl_uri_enumerator. - */ -static enumerator_t* create_crl_uri_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_crl_uri_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->crl_uris->create_enumerator(this->crl_uris); } -/** - * Implementation of x509_cert_t.create_ipAddrBlock_enumerator. 
- */ -static enumerator_t* create_ipAddrBlock_enumerator(private_x509_cert_t *this) +METHOD(x509_t, create_ipAddrBlock_enumerator, enumerator_t*, + private_x509_cert_t *this) { return this->ipAddrBlocks->create_enumerator(this->ipAddrBlocks); } -/** - * Implementation of certificate_t.destroy. - */ -static void destroy(private_x509_cert_t *this) +METHOD(x509_t, create_name_constraint_enumerator, enumerator_t*, + private_x509_cert_t *this, bool perm) +{ + if (perm) + { + return this->permitted_names->create_enumerator(this->permitted_names); + } + return this->excluded_names->create_enumerator(this->excluded_names); +} + +METHOD(x509_t, create_cert_policy_enumerator, enumerator_t*, + private_x509_cert_t *this) +{ + return this->cert_policies->create_enumerator(this->cert_policies); +} + +METHOD(x509_t, create_policy_mapping_enumerator, enumerator_t*, + private_x509_cert_t *this) +{ + return this->policy_mappings->create_enumerator(this->policy_mappings); +} + +METHOD(certificate_t, destroy, void, + private_x509_cert_t *this) { if (ref_put(&this->ref)) { this->subjectAltNames->destroy_offset(this->subjectAltNames, offsetof(identification_t, destroy)); - this->crl_uris->destroy_function(this->crl_uris, free); + this->crl_uris->destroy_function(this->crl_uris, (void*)crl_uri_destroy); this->ocsp_uris->destroy_function(this->ocsp_uris, free); - this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, offsetof(traffic_selector_t, destroy)); + this->ipAddrBlocks->destroy_offset(this->ipAddrBlocks, + offsetof(traffic_selector_t, destroy)); + this->permitted_names->destroy_offset(this->permitted_names, + offsetof(identification_t, destroy)); + this->excluded_names->destroy_offset(this->excluded_names, + offsetof(identification_t, destroy)); + this->cert_policies->destroy_function(this->cert_policies, + (void*)cert_policy_destroy); + this->policy_mappings->destroy_function(this->policy_mappings, + (void*)policy_mapping_destroy); DESTROY_IF(this->issuer); 
DESTROY_IF(this->subject); DESTROY_IF(this->public_key); 
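Review bot: destroy() passes `(void*)crl_uri_destroy`, `(void*)cert_policy_destroy` and `(void*)policy_mapping_destroy` to destroy_function(); converting a function pointer through `void*` is not defined by ISO C (POSIX adds that guarantee), and the cast also hides any mismatch with the callback signature the list expects. Casting to the callback's function-pointer type instead — presumably `(void(*)(void*))crl_uri_destroy`, its prototype is not in this hunk — keeps the compiler's type check. get_constraint() returns u_int from the u_char fields and answers X509_NO_CONSTRAINT for any type it does not know; a one-line comment above it stating that fallback would document the contract callers rely on.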
@@ -1404,63 +1827,93 @@ static void destroy(private_x509_cert_t *this) */ static private_x509_cert_t* create_empty(void) { - private_x509_cert_t *this = malloc_thing(private_x509_cert_t); - - this->public.interface.interface.get_type = (certificate_type_t (*) (certificate_t*))get_type; - this->public.interface.interface.get_subject = (identification_t* (*) (certificate_t*))get_subject; - this->public.interface.interface.get_issuer = (identification_t* (*) (certificate_t*))get_issuer; - this->public.interface.interface.has_subject = (id_match_t (*) (certificate_t*, identification_t*))has_subject; - this->public.interface.interface.has_issuer = (id_match_t (*) (certificate_t*, identification_t*))has_issuer; - this->public.interface.interface.issued_by = (bool (*) (certificate_t*, certificate_t*))issued_by; - this->public.interface.interface.get_public_key = (public_key_t* (*) (certificate_t*))get_public_key; - this->public.interface.interface.get_validity = (bool (*) (certificate_t*, time_t*, time_t*, time_t*))get_validity; - this->public.interface.interface.get_encoding = (bool (*) (certificate_t*,cred_encoding_type_t,chunk_t*))get_encoding; - this->public.interface.interface.equals = (bool (*)(certificate_t*, certificate_t*))equals; - this->public.interface.interface.get_ref = (certificate_t* (*)(certificate_t*))get_ref; - this->public.interface.interface.destroy = (void (*)(certificate_t*))destroy; - this->public.interface.get_flags = (x509_flag_t (*)(x509_t*))get_flags; - this->public.interface.get_serial = (chunk_t (*)(x509_t*))get_serial; - this->public.interface.get_subjectKeyIdentifier = (chunk_t (*)(x509_t*))get_subjectKeyIdentifier; - this->public.interface.get_authKeyIdentifier = (chunk_t (*)(x509_t*))get_authKeyIdentifier; - this->public.interface.get_pathLenConstraint = (int (*)(x509_t*))get_pathLenConstraint; - this->public.interface.create_subjectAltName_enumerator = (enumerator_t* (*)(x509_t*))create_subjectAltName_enumerator; - 
this->public.interface.create_crl_uri_enumerator = (enumerator_t* (*)(x509_t*))create_crl_uri_enumerator; - this->public.interface.create_ocsp_uri_enumerator = (enumerator_t* (*)(x509_t*))create_ocsp_uri_enumerator; - this->public.interface.create_ipAddrBlock_enumerator = (enumerator_t* (*)(x509_t*))create_ipAddrBlock_enumerator; - - this->encoding = chunk_empty; - this->encoding_hash = chunk_empty; - this->tbsCertificate = chunk_empty; - this->version = 1; - this->serialNumber = chunk_empty; - this->notBefore = 0; - this->notAfter = 0; - this->public_key = NULL; - this->subject = NULL; - this->issuer = NULL; - this->subjectAltNames = linked_list_create(); - this->crl_uris = linked_list_create(); - this->ocsp_uris = linked_list_create(); - this->ipAddrBlocks = linked_list_create(); - this->subjectKeyIdentifier = chunk_empty; - this->authKeyIdentifier = chunk_empty; - this->authKeySerialNumber = chunk_empty; - this->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; - this->algorithm = 0; - this->signature = chunk_empty; - this->flags = 0; - this->ref = 1; - this->parsed = FALSE; - + private_x509_cert_t *this; + + INIT(this, + .public = { + .interface = { + .interface = { + .get_type = _get_type, + .get_subject = _get_subject, + .get_issuer = _get_issuer, + .has_subject = _has_subject, + .has_issuer = _has_issuer, + .issued_by = _issued_by, + .get_public_key = _get_public_key, + .get_validity = _get_validity, + .get_encoding = _get_encoding, + .equals = _equals, + .get_ref = _get_ref, + .destroy = _destroy, + }, + .get_flags = _get_flags, + .get_serial = _get_serial, + .get_subjectKeyIdentifier = _get_subjectKeyIdentifier, + .get_authKeyIdentifier = _get_authKeyIdentifier, + .get_constraint = _get_constraint, + .create_subjectAltName_enumerator = _create_subjectAltName_enumerator, + .create_crl_uri_enumerator = _create_crl_uri_enumerator, + .create_ocsp_uri_enumerator = _create_ocsp_uri_enumerator, + .create_ipAddrBlock_enumerator = _create_ipAddrBlock_enumerator, + 
.create_name_constraint_enumerator = _create_name_constraint_enumerator, + .create_cert_policy_enumerator = _create_cert_policy_enumerator, + .create_policy_mapping_enumerator = _create_policy_mapping_enumerator, + }, + }, + .version = 1, + .subjectAltNames = linked_list_create(), + .crl_uris = linked_list_create(), + .ocsp_uris = linked_list_create(), + .ipAddrBlocks = linked_list_create(), + .permitted_names = linked_list_create(), + .excluded_names = linked_list_create(), + .cert_policies = linked_list_create(), + .policy_mappings = linked_list_create(), + .pathLenConstraint = X509_NO_CONSTRAINT, + .require_explicit = X509_NO_CONSTRAINT, + .inhibit_mapping = X509_NO_CONSTRAINT, + .inhibit_any = X509_NO_CONSTRAINT, + .ref = 1, + ); return this; } +/** + * Build a generalName from an id + */ +chunk_t build_generalName(identification_t *id) +{ + int context; + + switch (id->get_type(id)) + { + case ID_RFC822_ADDR: + context = ASN1_CONTEXT_S_1; + break; + case ID_FQDN: + context = ASN1_CONTEXT_S_2; + break; + case ID_DER_ASN1_DN: + context = ASN1_CONTEXT_C_4; + break; + case ID_IPV4_ADDR: + case ID_IPV6_ADDR: + context = ASN1_CONTEXT_S_7; + break; + default: + DBG1(DBG_LIB, "encoding %N as generalName not supported", + id_type_names, id->get_type(id)); + return chunk_empty; + } + return asn1_wrap(context, "c", id->get_encoding(id)); +} + /** * Encode a linked list of subjectAltNames */ chunk_t x509_build_subjectAltNames(linked_list_t *list) { - chunk_t subjectAltNames = chunk_empty; + chunk_t subjectAltNames = chunk_empty, name; enumerator_t *enumerator; identification_t *id; 
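Review bot: build_generalName, added right after create_empty, is a new function with external linkage but carries neither the x509_ prefix of the neighbouring exported helpers nor a declaration in any header visible here, so it leaks an unprefixed symbol out of libstrongswan; unless another translation unit is meant to call it, `static chunk_t build_generalName(identification_t *id)` is the safer default. Its contract also deserves a line in the header comment, because callers cannot tell an unsupported ID type from an empty encoding: `Returns chunk_empty (after logging) for ID types that have no GeneralName encoding; callers must check .len before wrapping the result.` x509_build_subjectAltNames continues past the end of this hunk.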
@@ -1472,29 +1925,7 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) enumerator = list->create_enumerator(list); while (enumerator->enumerate(enumerator, &id)) { - int context; - chunk_t name; - - switch (id->get_type(id)) - { - case ID_RFC822_ADDR: - context = ASN1_CONTEXT_S_1; - break; - case ID_FQDN: - context = ASN1_CONTEXT_S_2; - break; - case ID_IPV4_ADDR: - case ID_IPV6_ADDR: - context = ASN1_CONTEXT_S_7; - break; - default: - DBG1(DBG_LIB, "encoding %N as subjectAltName not supported", - id_type_names, id->get_type(id)); - enumerator->destroy(enumerator); - free(subjectAltNames.ptr); - return chunk_empty; - } - name = asn1_wrap(context, "c", id->get_encoding(id)); + name = build_generalName(id); subjectAltNames = chunk_cat("mm", subjectAltNames, name); } enumerator->destroy(enumerator); 
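Review bot: The loop now concatenates whatever build_generalName returns, so an identification type it cannot encode is silently dropped from the extension, whereas the removed lines aborted the whole encoding with chunk_empty after logging the unsupported type. The outcome is a certificate issued without a subjectAltName the caller asked for, with only a DBG1 line to show for it. Keep the fail-closed behaviour by testing the result before the chunk_cat: `if (!name.len) { enumerator->destroy(enumerator); free(subjectAltNames.ptr); return chunk_empty; }`. x509_build_subjectAltNames starts and ends outside this hunk.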
@@ -1507,6 +1938,47 @@ chunk_t x509_build_subjectAltNames(linked_list_t *list) ); } +/** + * Encode CRL distribution points extension from a x509_cdp_t list + */ +chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn) +{ + chunk_t crlDistributionPoints = chunk_empty; + enumerator_t *enumerator; + x509_cdp_t *cdp; + + if (list->get_count(list) == 0) + { + return chunk_empty; + } + + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &cdp)) + { + chunk_t distributionPoint, crlIssuer = chunk_empty; + + if (cdp->issuer) + { + crlIssuer = asn1_wrap(ASN1_CONTEXT_C_2, "m", + build_generalName(cdp->issuer)); + } + distributionPoint = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_wrap(ASN1_CONTEXT_S_6, "c", + chunk_create(cdp->uri, strlen(cdp->uri))))), + crlIssuer); + crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, + distributionPoint); + } + enumerator->destroy(enumerator); + + return asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(extn), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); +} + /** * Generate and sign a new certificate */ 
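Review bot: In x509_build_crlDistributionPoints the cRLIssuer element is wrapped unconditionally, so when build_generalName cannot encode cdp->issuer (it returns chunk_empty for unsupported ID types) the DistributionPoint gets an empty `[2]` constructed element, which is not a valid GeneralNames (SIZE 1..MAX) and may be rejected by other implementations. Guard it the way the `if (cdp->issuer)` already guards the field: compute `name = build_generalName(cdp->issuer)` first and only wrap it when `name.len` is non-zero, or fail the encoding. `chunk_create(cdp->uri, strlen(cdp->uri))` likewise assumes a non-NULL uri; since the function is also exported to x509_crl.c, the header comment should state that every x509_cdp_t in the list must carry a uri and that `extn` selects OID_CRL_DISTRIBUTION_POINTS or OID_FRESHEST_CRL.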
@@ -1515,12 +1987,13 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty; chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty; - chunk_t ocspSigning = chunk_empty; - chunk_t basicConstraints = chunk_empty; - chunk_t keyUsage = chunk_empty; - chunk_t subjectAltNames = chunk_empty; + chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty; + chunk_t basicConstraints = chunk_empty, nameConstraints = chunk_empty; + chunk_t keyUsage = chunk_empty, keyUsageBits = chunk_empty; + chunk_t subjectAltNames = chunk_empty, policyMappings = chunk_empty; chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty; chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty; + chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty; identification_t *issuer, *subject; chunk_t key_info; signature_scheme_t scheme; 
@@ -1574,29 +2047,8 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, /* encode subjectAltNames */ subjectAltNames = x509_build_subjectAltNames(cert->subjectAltNames); - /* encode CRL distribution points extension */ - enumerator = cert->crl_uris->create_enumerator(cert->crl_uris); - while (enumerator->enumerate(enumerator, &uri)) - { - chunk_t distributionPoint; - - distributionPoint = asn1_wrap(ASN1_SEQUENCE, "m", - asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_CONTEXT_S_6, "c", - chunk_create(uri, strlen(uri)))))); - - crlDistributionPoints = chunk_cat("mm", crlDistributionPoints, - distributionPoint); - } - enumerator->destroy(enumerator); - if (crlDistributionPoints.ptr) - { - crlDistributionPoints = asn1_wrap(ASN1_SEQUENCE, "mm", - asn1_build_known_oid(OID_CRL_DISTRIBUTION_POINTS), - asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_SEQUENCE, "m", crlDistributionPoints))); - } + crlDistributionPoints = x509_build_crlDistributionPoints(cert->crl_uris, + OID_CRL_DISTRIBUTION_POINTS); /* encode OCSP URIs in authorityInfoAccess extension */ enumerator = cert->ocsp_uris->create_enumerator(cert->ocsp_uris); @@ -1625,11 +2077,10 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, { chunk_t pathLenConstraint = chunk_empty; - if (cert->pathLenConstraint != X509_NO_PATH_LEN_CONSTRAINT) + if (cert->pathLenConstraint != X509_NO_CONSTRAINT) { - char pathlen = (char)cert->pathLenConstraint; - - pathLenConstraint = asn1_integer("c", chunk_from_thing(pathlen)); + pathLenConstraint = asn1_integer("c", + chunk_from_thing(cert->pathLenConstraint)); } basicConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", asn1_build_known_oid(OID_BASIC_CONSTRAINTS), 
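Review bot: The pathLenConstraint INTEGER is now encoded straight from `chunk_from_thing(cert->pathLenConstraint)`, dropping the explicit one-byte `char pathlen` cast of the removed lines; that is only correct if the field has become a single-byte type in the struct hunk outside this view. If it is still an int, the INTEGER would carry sizeof(int) host-endian bytes and a pathLen of 1 would encode as 0x01000000 on little-endian hosts. A comment at the assignment such as `/* pathLenConstraint is a single byte, so chunk_from_thing() is the whole value */` would make the assumption explicit, since the same pattern is reused for the policy constraints later in generate(). The enclosing `if (cert->flags & X509_CA)` block starts outside the hunk.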
@@ -1640,13 +2091,20 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), pathLenConstraint))); + /* set CertificateSign and implicitly CRLsign */ + keyUsageBits = chunk_from_chars(0x01, 0x06); + } + else if (cert->flags & X509_CRL_SIGN) + { + keyUsageBits = chunk_from_chars(0x01, 0x02); + } + if (keyUsageBits.len) + { keyUsage = asn1_wrap(ASN1_SEQUENCE, "mmm", - asn1_build_known_oid(OID_KEY_USAGE), - asn1_wrap(ASN1_BOOLEAN, "c", - chunk_from_chars(0xFF)), - asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_wrap(ASN1_BIT_STRING, "c", - chunk_from_chars(0x01, 0x06)))); + asn1_build_known_oid(OID_KEY_USAGE), + asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits))); } /* add serverAuth extendedKeyUsage flag */ @@ -1675,7 +2133,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, } /* add subjectKeyIdentifier to CA and OCSP signer certificates */ - if (cert->flags & (X509_CA | X509_OCSP_SIGNER)) + if (cert->flags & (X509_CA | X509_OCSP_SIGNER | X509_CRL_SIGN)) { chunk_t keyid; 
@@ -1703,15 +2161,153 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert, asn1_wrap(ASN1_CONTEXT_S_0, "c", keyid)))); } } + + if (cert->permitted_names->get_count(cert->permitted_names) || + cert->excluded_names->get_count(cert->excluded_names)) + { + chunk_t permitted = chunk_empty, excluded = chunk_empty, subtree; + identification_t *id; + + enumerator = create_name_constraint_enumerator(cert, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id)); + permitted = chunk_cat("mm", permitted, subtree); + } + enumerator->destroy(enumerator); + if (permitted.ptr) + { + permitted = asn1_wrap(ASN1_CONTEXT_C_0, "m", permitted); + } + + enumerator = create_name_constraint_enumerator(cert, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + subtree = asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id)); + excluded = chunk_cat("mm", excluded, subtree); + } + enumerator->destroy(enumerator); + if (excluded.ptr) + { + excluded = asn1_wrap(ASN1_CONTEXT_C_1, "m", excluded); + } + + nameConstraints = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_NAME_CONSTRAINTS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + permitted, excluded))); + } + + if (cert->cert_policies->get_count(cert->cert_policies)) + { + x509_cert_policy_t *policy; + + enumerator = create_cert_policy_enumerator(cert); + while (enumerator->enumerate(enumerator, &policy)) + { + chunk_t chunk = chunk_empty, cps = chunk_empty, notice = chunk_empty; + + if (policy->cps_uri) + { + cps = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_POLICY_QUALIFIER_CPS), + asn1_wrap(ASN1_IA5STRING, "c", + chunk_create(policy->cps_uri, + strlen(policy->cps_uri)))); + } + if (policy->unotice_text) + { + notice = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_POLICY_QUALIFIER_UNOTICE), + asn1_wrap(ASN1_SEQUENCE, "m", + asn1_wrap(ASN1_VISIBLESTRING, "c", + 
chunk_create(policy->unotice_text, + strlen(policy->unotice_text))))); + } + if (cps.len || notice.len) + { + chunk = asn1_wrap(ASN1_SEQUENCE, "mm", cps, notice); + } + chunk = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_OID, "c", policy->oid), chunk); + certPolicies = chunk_cat("mm", certPolicies, chunk); + } + enumerator->destroy(enumerator); + + certPolicies = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_CERTIFICATE_POLICIES), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", certPolicies))); + } + + if (cert->policy_mappings->get_count(cert->policy_mappings)) + { + x509_policy_mapping_t *mapping; + + enumerator = create_policy_mapping_enumerator(cert); + while (enumerator->enumerate(enumerator, &mapping)) + { + chunk_t chunk; + + chunk = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_OID, "c", mapping->issuer), + asn1_wrap(ASN1_OID, "c", mapping->subject)); + policyMappings = chunk_cat("mm", policyMappings, chunk); + } + enumerator->destroy(enumerator); + + policyMappings = asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_build_known_oid(OID_POLICY_MAPPINGS), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "m", policyMappings))); + } + + if (cert->inhibit_mapping != X509_NO_CONSTRAINT || + cert->require_explicit != X509_NO_CONSTRAINT) + { + chunk_t inhibit = chunk_empty, explicit = chunk_empty; + + if (cert->require_explicit != X509_NO_CONSTRAINT) + { + explicit = asn1_wrap(ASN1_CONTEXT_C_0, "m", + asn1_integer("c", + chunk_from_thing(cert->require_explicit))); + } + if (cert->inhibit_mapping != X509_NO_CONSTRAINT) + { + inhibit = asn1_wrap(ASN1_CONTEXT_C_1, "m", + asn1_integer("c", + chunk_from_thing(cert->inhibit_mapping))); + } + policyConstraints = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_POLICY_CONSTRAINTS), + asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_wrap(ASN1_SEQUENCE, "mm", + explicit, inhibit))); + } + + if (cert->inhibit_any != 
X509_NO_CONSTRAINT) + { + inhibitAnyPolicy = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_INHIBIT_ANY_POLICY), + asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_integer("c", + chunk_from_thing(cert->inhibit_any)))); + } + if (basicConstraints.ptr || subjectAltNames.ptr || authKeyIdentifier.ptr || - crlDistributionPoints.ptr) + crlDistributionPoints.ptr || nameConstraints.ptr) { extensions = asn1_wrap(ASN1_CONTEXT_C_3, "m", - asn1_wrap(ASN1_SEQUENCE, "mmmmmmmm", + asn1_wrap(ASN1_SEQUENCE, "mmmmmmmmmmmmm", basicConstraints, keyUsage, subjectKeyIdentifier, authKeyIdentifier, subjectAltNames, extendedKeyUsage, crlDistributionPoints, - authorityInfoAccess)); + authorityInfoAccess, nameConstraints, certPolicies, + policyMappings, policyConstraints, inhibitAnyPolicy)); } cert->tbsCertificate = asn1_wrap(ASN1_SEQUENCE, "mmmcmcmm", @@ -1794,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) certificate_t *sign_cert = NULL; private_key_t *sign_key = NULL; hash_algorithm_t digest_alg = HASH_SHA1; + u_int constraint; cert = create_empty(); while (TRUE) @@ -1837,13 +2434,17 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) { enumerator_t *enumerator; linked_list_t *list; - char *uri; + x509_cdp_t *in, *cdp; list = va_arg(args, linked_list_t*); enumerator = list->create_enumerator(list); - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &in)) { - cert->crl_uris->insert_last(cert->crl_uris, strdup(uri)); + INIT(cdp, + .uri = strdup(in->uri), + .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, + ); + cert->crl_uris->insert_last(cert->crl_uris, cdp); } enumerator->destroy(enumerator); continue; 
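Review bot: The nameConstraints extension built in this hunk is emitted without the critical flag: unlike policyConstraints and inhibitAnyPolicy further down, its wrapper uses "mm" with no `asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF))`, while RFC 5280 §4.2.1.10 requires CAs to mark nameConstraints critical, so a relying party that does not implement the extension would silently ignore a restriction the CA meant to enforce. Switch it to `asn1_wrap(ASN1_SEQUENCE, "mmm", asn1_build_known_oid(OID_NAME_CONSTRAINTS), asn1_wrap(ASN1_BOOLEAN, "c", chunk_from_chars(0xFF)), asn1_wrap(ASN1_OCTET_STRING, "m", ...))`. In the same block each subtree is `asn1_wrap(ASN1_SEQUENCE, "m", build_generalName(id))` with no check on the result, so an identification type build_generalName cannot encode becomes an empty GeneralSubtree instead of failing generate(), which for an excluded name silently weakens the constraint. The `if (basicConstraints.ptr || ... || nameConstraints.ptr)` guard was extended for nameConstraints only, so a request carrying just certificate policies, policy mappings or policy constraints produces no extensions at all and, unless they are freed further down, leaks those chunks. generate() begins before the hunk.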
@@ -1864,11 +2465,96 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args) continue; } case BUILD_PATHLEN: - cert->pathLenConstraint = va_arg(args, int); - if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127) + constraint = va_arg(args, u_int); + cert->pathLenConstraint = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; + continue; + case BUILD_PERMITTED_NAME_CONSTRAINTS: + { + enumerator_t *enumerator; + linked_list_t *list; + identification_t *constraint; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &constraint)) + { + cert->permitted_names->insert_last(cert->permitted_names, + constraint->clone(constraint)); + } + enumerator->destroy(enumerator); + continue; + } + case BUILD_EXCLUDED_NAME_CONSTRAINTS: + { + enumerator_t *enumerator; + linked_list_t *list; + identification_t *constraint; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &constraint)) + { + cert->excluded_names->insert_last(cert->excluded_names, + constraint->clone(constraint)); + } + enumerator->destroy(enumerator); + continue; + } + case BUILD_CERTIFICATE_POLICIES: + { + enumerator_t *enumerator; + linked_list_t *list; + x509_cert_policy_t *policy, *in; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) + { + INIT(policy, + .oid = chunk_clone(in->oid), + .cps_uri = strdupnull(in->cps_uri), + .unotice_text = strdupnull(in->unotice_text), + ); + cert->cert_policies->insert_last(cert->cert_policies, policy); + } + enumerator->destroy(enumerator); + continue; + } + case BUILD_POLICY_MAPPINGS: + { + enumerator_t *enumerator; + linked_list_t *list; + x509_policy_mapping_t* mapping, *in; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) { 
- cert->pathLenConstraint = X509_NO_PATH_LEN_CONSTRAINT; + INIT(mapping, + .issuer = chunk_clone(in->issuer), + .subject = chunk_clone(in->subject), + ); + cert->policy_mappings->insert_last(cert->policy_mappings, + mapping); } + enumerator->destroy(enumerator); + continue; + } + case BUILD_POLICY_REQUIRE_EXPLICIT: + constraint = va_arg(args, u_int); + cert->require_explicit = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; + continue; + case BUILD_POLICY_INHIBIT_MAPPING: + constraint = va_arg(args, u_int); + cert->inhibit_mapping = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; + continue; + case BUILD_POLICY_INHIBIT_ANY: + constraint = va_arg(args, u_int); + cert->inhibit_any = (constraint < 128) ? + constraint : X509_NO_CONSTRAINT; continue; case BUILD_NOT_BEFORE_TIME: cert->notBefore = va_arg(args, time_t); diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c index 4bd0470d3..758505ab5 100644 --- a/src/libstrongswan/plugins/x509/x509_crl.c +++ b/src/libstrongswan/plugins/x509/x509_crl.c @@ -99,6 +99,11 @@ struct private_x509_crl_t { */ linked_list_t *revoked; + /** + * List of Freshest CRL distribution points + */ + linked_list_t *crl_uris; + /** * Authority Key Identifier */ @@ -109,6 +114,11 @@ struct private_x509_crl_t { */ chunk_t authKeySerialNumber; + /** + * Number of BaseCRL, if a delta CRL + */ + chunk_t baseCrlNumber; + /** * Signature algorithm */ 
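Review bot: The BUILD_PERMITTED_NAME_CONSTRAINTS and BUILD_EXCLUDED_NAME_CONSTRAINTS cases declare `identification_t *constraint;`, shadowing the function-scope `u_int constraint` that BUILD_PATHLEN and the BUILD_POLICY_* cases rely on; it compiles, but -Wshadow flags it and the same name now means an integer in one case and a pointer in the next. Renaming the two locals, e.g. `identification_t *id;` with `enumerator->enumerate(enumerator, &id)` and `id->clone(id)`, removes the ambiguity. The `(constraint < 128) ? constraint : X509_NO_CONSTRAINT` clamp silently turns an out-of-range value into "no constraint", so a caller passing 200 as path length gets a CA without any pathLenConstraint rather than an error; a DBG1 in that branch would at least make the drop visible. x509_cert_gen's builder loop starts and ends outside the hunk.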
@@ -133,9 +143,19 @@ struct private_x509_crl_t { /** * from x509_cert */ -extern chunk_t x509_parse_authorityKeyIdentifier( - chunk_t blob, int level0, - chunk_t *authKeySerialNumber); +extern chunk_t x509_parse_authorityKeyIdentifier(chunk_t blob, int level0, + chunk_t *authKeySerialNumber); + +/** + * from x509_cert + */ +extern void x509_parse_crlDistributionPoints(chunk_t blob, int level0, + linked_list_t *list); + +/** + * from x509_cert + */ +extern chunk_t x509_build_crlDistributionPoints(linked_list_t *list, int extn); /** * ASN.1 definition of an X.509 certificate revocation list @@ -206,7 +226,7 @@ static bool parse(private_x509_crl_t *this) int objectID; int sig_alg = OID_UNKNOWN; bool success = FALSE; - bool critical; + bool critical = FALSE; revoked_t *revoked = NULL; parser = asn1_parser_create(crlObjects, this->encoding); 
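Review bot: The two new `extern` prototypes for x509_parse_crlDistributionPoints and x509_build_crlDistributionPoints repeat the x509_cert.c signatures by hand in x509_crl.c, so a later change to either parameter list in x509_cert.c would not be caught by the compiler and would only surface as a mis-passed argument at run time. Moving all three declarations into a small shared header included by both files (x509_cert.c included, so its definitions are checked against the prototypes) gives the usual one-definition guarantee. A comment saying what `extn` selects (OID_CRL_DISTRIBUTION_POINTS versus OID_FRESHEST_CRL at the two call sites) and that `list` holds x509_cdp_t entries would also help, since "from x509_cert" is all the reader gets here.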
@@ -258,35 +278,61 @@ static bool parse(private_x509_crl_t *this) break; case CRL_OBJ_CRL_ENTRY_EXTN_VALUE: case CRL_OBJ_EXTN_VALUE: - { - int extn_oid = asn1_known_oid(extnID); + { + int extn_oid = asn1_known_oid(extnID); - if (revoked && extn_oid == OID_CRL_REASON_CODE) - { - if (*object.ptr == ASN1_ENUMERATED && - asn1_length(&object) == 1) + switch (extn_oid) + { + case OID_CRL_REASON_CODE: + if (revoked) { - revoked->reason = *object.ptr; + if (object.len && *object.ptr == ASN1_ENUMERATED && + asn1_length(&object) == 1) + { + revoked->reason = *object.ptr; + } + DBG2(DBG_LIB, " '%N'", crl_reason_names, + revoked->reason); } - DBG2(DBG_LIB, " '%N'", crl_reason_names, - revoked->reason); - } - else if (extn_oid == OID_AUTHORITY_KEY_ID) - { - this->authKeyIdentifier = x509_parse_authorityKeyIdentifier(object, - level, &this->authKeySerialNumber); - } - else if (extn_oid == OID_CRL_NUMBER) - { + break; + case OID_AUTHORITY_KEY_ID: + this->authKeyIdentifier = + x509_parse_authorityKeyIdentifier( + object, level, &this->authKeySerialNumber); + break; + case OID_CRL_NUMBER: if (!asn1_parse_simple_object(&object, ASN1_INTEGER, level, "crlNumber")) { goto end; } this->crlNumber = object; - } + break; + case OID_FRESHEST_CRL: + x509_parse_crlDistributionPoints(object, level, + this->crl_uris); + break; + case OID_DELTA_CRL_INDICATOR: + if (!asn1_parse_simple_object(&object, ASN1_INTEGER, + level, "deltaCrlIndicator")) + { + goto end; + } + this->baseCrlNumber = object; + break; + default: + if (critical && lib->settings->get_bool(lib->settings, + "libstrongswan.x509.enforce_critical", TRUE)) + { + DBG1(DBG_LIB, "critical '%s' extension not supported", + (extn_oid == OID_UNKNOWN) ? "unknown" : + (char*)oid_names[extn_oid].name); + goto end; + } + break; } break; + } case CRL_OBJ_ALGORITHM: { this->algorithm = asn1_parse_algorithmIdentifier(object, level, NULL); 
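Review bot: The new `default:` branch rejects unsupported critical extensions based on `critical`, but the variable's lifecycle across extensions is outside this hunk: the critical field is DEFAULT FALSE and usually absent, so unless the parser clears `critical` when it starts each new extension, a critical extension followed by one that omits the field would be treated as critical too and a valid CRL rejected. Worth confirming at the CRL_OBJ_CRITICAL / CRL_OBJ_EXTN_ID handling above; if it is not reset there, `critical = FALSE;` at the start of the extension-ID case fixes it. freshestCRL is required to be non-critical and deltaCRLIndicator critical (RFC 5280 §5.2.6 / §5.2.4), which the new cases do not check; a comment noting that the parser deliberately tolerates either marking would document the choice. parse() starts and ends outside the hunk.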
@@ -344,6 +390,26 @@ METHOD(crl_t, get_authKeyIdentifier, chunk_t, return this->authKeyIdentifier; } +METHOD(crl_t, is_delta_crl, bool, + private_x509_crl_t *this, chunk_t *base_crl) +{ + if (this->baseCrlNumber.len) + { + if (base_crl) + { + *base_crl = this->baseCrlNumber; + } + return TRUE; + } + return FALSE; +} + +METHOD(crl_t, create_delta_crl_uri_enumerator, enumerator_t*, + private_x509_crl_t *this) +{ + return this->crl_uris->create_enumerator(this->crl_uris); +} + METHOD(crl_t, create_enumerator, enumerator_t*, private_x509_crl_t *this) { @@ -388,7 +454,7 @@ METHOD(certificate_t, issued_by, bool, { return FALSE; } - if (!(x509->get_flags(x509) & X509_CA)) + if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { return FALSE; } @@ -501,18 +567,30 @@ static void revoked_destroy(revoked_t *revoked) free(revoked); } +/** + * Destroy a CDP entry + */ +static void cdp_destroy(x509_cdp_t *this) +{ + free(this->uri); + DESTROY_IF(this->issuer); + free(this); +} + METHOD(certificate_t, destroy, void, private_x509_crl_t *this) { if (ref_put(&this->ref)) { this->revoked->destroy_function(this->revoked, (void*)revoked_destroy); + this->crl_uris->destroy_function(this->crl_uris, (void*)cdp_destroy); DESTROY_IF(this->issuer); free(this->authKeyIdentifier.ptr); free(this->encoding.ptr); if (this->generated) { free(this->crlNumber.ptr); + free(this->baseCrlNumber.ptr); free(this->signature.ptr); free(this->tbsCertList.ptr); } @@ -546,10 +624,13 @@ static private_x509_crl_t* create_empty(void) }, .get_serial = _get_serial, .get_authKeyIdentifier = _get_authKeyIdentifier, + .is_delta_crl = _is_delta_crl, + .create_delta_crl_uri_enumerator = _create_delta_crl_uri_enumerator, .create_enumerator = _create_enumerator, }, }, .revoked = linked_list_create(), + .crl_uris = linked_list_create(), .ref = 1, ); return this; 
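Review bot: is_delta_crl hands back `*base_crl = this->baseCrlNumber` by value, so the caller receives a view into the CRL object's own storage (for a parsed CRL it points into this->encoding, for a generated one into the chunk_clone'd field that destroy frees), and nothing in the METHOD says the chunk is borrowed. Add that to the interface comment, e.g. `base_crl receives a reference into the CRL's own buffer; do not free it and do not use it after the CRL is destroyed`. The same applies to create_delta_crl_uri_enumerator, whose x509_cdp_t entries are owned by the CRL and released by cdp_destroy.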
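Review bot: issued_by now accepts a certificate carrying X509_CRL_SIGN without X509_CA, i.e. a dedicated non-CA CRL signer; the rest of the check (issuer-name and key-identifier match, signature verification) sits outside this hunk, so it is worth confirming that such a signer is still required to be issued by the CA whose CRL it signs, otherwise any end-entity certificate with cRLSign could publish a CRL for its issuer's DN. A short comment at the condition, e.g. `/* RFC 5280 allows a separate CRL signer; its chain to the CA is validated by the caller */`, would record where that authorization happens. issued_by begins before the hunk.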
@@ -618,6 +699,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, private_key_t *key, hash_algorithm_t digest_alg) { chunk_t extensions = chunk_empty, certList = chunk_empty, serial; + chunk_t crlDistributionPoints = chunk_empty, baseCrlNumber = chunk_empty; enumerator_t *enumerator; crl_reason_t reason; time_t date; @@ -625,7 +707,7 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, x509 = (x509_t*)cert; - this->issuer = cert->get_issuer(cert); + this->issuer = cert->get_subject(cert); this->issuer = this->issuer->clone(this->issuer); this->authKeyIdentifier = chunk_clone(x509->get_subjectKeyIdentifier(x509)); @@ -660,8 +742,21 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, } enumerator->destroy(enumerator); + crlDistributionPoints = x509_build_crlDistributionPoints(this->crl_uris, + OID_FRESHEST_CRL); + + if (this->baseCrlNumber.len) + { + baseCrlNumber = asn1_wrap(ASN1_SEQUENCE, "mmm", + asn1_build_known_oid(OID_DELTA_CRL_INDICATOR), + asn1_wrap(ASN1_BOOLEAN, "c", + chunk_from_chars(0xFF)), + asn1_wrap(ASN1_OCTET_STRING, "m", + asn1_integer("c", this->baseCrlNumber))); + } + extensions = asn1_wrap(ASN1_CONTEXT_C_0, "m", - asn1_wrap(ASN1_SEQUENCE, "mm", + asn1_wrap(ASN1_SEQUENCE, "mmmm", asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_AUTHORITY_KEY_ID), asn1_wrap(ASN1_OCTET_STRING, "m", @@ -671,9 +766,8 @@ static bool generate(private_x509_crl_t *this, certificate_t *cert, asn1_wrap(ASN1_SEQUENCE, "mm", asn1_build_known_oid(OID_CRL_NUMBER), asn1_wrap(ASN1_OCTET_STRING, "m", - asn1_integer("c", this->crlNumber)) - ) - )); + asn1_integer("c", this->crlNumber))), + crlDistributionPoints, baseCrlNumber)); this->tbsCertList = asn1_wrap(ASN1_SEQUENCE, "cmcmmmm", ASN1_INTEGER_1, 
@@ -736,6 +830,29 @@ x509_crl_t *x509_crl_gen(certificate_type_t type, va_list args) case BUILD_REVOKED_ENUMERATOR: read_revoked(crl, va_arg(args, enumerator_t*)); continue; + case BUILD_BASE_CRL: + crl->baseCrlNumber = va_arg(args, chunk_t); + crl->baseCrlNumber = chunk_clone(crl->baseCrlNumber); + break; + case BUILD_CRL_DISTRIBUTION_POINTS: + { + enumerator_t *enumerator; + linked_list_t *list; + x509_cdp_t *in, *cdp; + + list = va_arg(args, linked_list_t*); + enumerator = list->create_enumerator(list); + while (enumerator->enumerate(enumerator, &in)) + { + INIT(cdp, + .uri = strdup(in->uri), + .issuer = in->issuer ? in->issuer->clone(in->issuer) : NULL, + ); + crl->crl_uris->insert_last(crl->crl_uris, cdp); + } + enumerator->destroy(enumerator); + continue; + } case BUILD_END: break; default: diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c index 11a7f023c..d40cc3567 100644 --- a/src/libstrongswan/plugins/x509/x509_plugin.c +++ b/src/libstrongswan/plugins/x509/x509_plugin.c @@ -36,10 +36,8 @@ struct private_x509_plugin_t { x509_plugin_t public; }; -/** - * Implementation of x509_plugin_t.x509troy - */ -static void destroy(private_x509_plugin_t *this) +METHOD(plugin_t, destroy, void, + private_x509_plugin_t *this) { lib->creds->remove_builder(lib->creds, (builder_function_t)x509_cert_gen); @@ -69,9 +67,15 @@ static void destroy(private_x509_plugin_t *this) */ plugin_t *x509_plugin_create() { - private_x509_plugin_t *this = malloc_thing(private_x509_plugin_t); + private_x509_plugin_t *this; - this->public.plugin.destroy = (void(*)(plugin_t*))destroy; + INIT(this, + .public = { + .plugin = { + .destroy = _destroy, + }, + }, + ); lib->creds->add_builder(lib->creds, CRED_CERTIFICATE, CERT_X509, FALSE, (builder_function_t)x509_cert_gen); diff --git a/src/libstrongswan/plugins/xcbc/Makefile.in b/src/libstrongswan/plugins/xcbc/Makefile.in index e82e5246f..06d7a2121 100644 
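Review bot: The new BUILD_BASE_CRL case ends with `break;` while every other builder part in view (BUILD_REVOKED_ENUMERATOR, BUILD_CRL_DISTRIBUTION_POINTS) ends with `continue;` and only BUILD_END uses `break;`. If the loop follows the usual `while (TRUE) { switch (...) { ... } break; }` shape, whose tail is outside this hunk, the break leaves the argument loop right after the base CRL number, so any builder parts passed after BUILD_BASE_CRL are silently ignored and the va_list is never advanced to BUILD_END. Change it to `continue;` to match its neighbours. x509_crl_gen's loop starts and ends outside the hunk.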
--- a/src/libstrongswan/plugins/xcbc/Makefile.in +++ b/src/libstrongswan/plugins/xcbc/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c index 88156f383..65e88335c 100644 --- a/src/libstrongswan/plugins/xcbc/xcbc_plugin.c +++ b/src/libstrongswan/plugins/xcbc/xcbc_plugin.c @@ -19,6 +19,8 @@ #include "xcbc_signer.h" #include "xcbc_prf.h" +static const char *plugin_name = "xcbc"; + typedef struct private_xcbc_plugin_t private_xcbc_plugin_t; /** @@ -48,6 +50,7 @@ METHOD(plugin_t, destroy, void, plugin_t *xcbc_plugin_create() { private_xcbc_plugin_t *this; + crypter_t *crypter; INIT(this, .public = { 
@@ -57,15 +60,24 @@ plugin_t *xcbc_plugin_create() }, ); - lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, - (prf_constructor_t)xcbc_prf_create); - lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, - (prf_constructor_t)xcbc_prf_create); - lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, - (signer_constructor_t)xcbc_signer_create); - lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, - (signer_constructor_t)xcbc_signer_create); - + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_prf(lib->crypto, PRF_AES128_XCBC, plugin_name, + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_AES_XCBC_96, plugin_name, + (signer_constructor_t)xcbc_signer_create); + } + crypter = lib->crypto->create_crypter(lib->crypto, ENCR_CAMELLIA_CBC, 16); + if (crypter) + { + crypter->destroy(crypter); + lib->crypto->add_prf(lib->crypto, PRF_CAMELLIA128_XCBC, plugin_name, + (prf_constructor_t)xcbc_prf_create); + lib->crypto->add_signer(lib->crypto, AUTH_CAMELLIA_XCBC_96, plugin_name, + (signer_constructor_t)xcbc_signer_create); + } return &this->public.plugin; } diff --git a/src/libstrongswan/printf_hook.c b/src/libstrongswan/printf_hook.c index 4d4cef829..7e7045d69 100644 --- a/src/libstrongswan/printf_hook.c +++ b/src/libstrongswan/printf_hook.c @@ -377,10 +377,8 @@ int vstr_wrapper_vasprintf(char **str, const char *format, va_list args) } #endif -/** - * Implementation of printf_hook_t.add_handler. - */ -static void add_handler(private_printf_hook_t *this, char spec, +METHOD(printf_hook_t, add_handler, void, + private_printf_hook_t *this, char spec, printf_hook_function_t hook, ...) { int i = -1; 
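Review bot: Registration of the XCBC PRF and signer is now conditional on `lib->crypto->create_crypter()` succeeding for AES-CBC and Camellia-CBC at plugin-load time, which makes the result depend on plugin load order: if the plugin providing the block cipher is loaded after xcbc, PRF_AES128_XCBC and AUTH_AES_XCBC_96 are never offered, and nothing is logged to say why. A DBG1 on the failure path, `DBG1(DBG_LIB, "%s: no AES-CBC crypter available, XCBC algorithms not registered", plugin_name);`, and a comment above the probe explaining the load-order requirement would save a confusing debugging session. The probe crypter is created with a 16-byte key purely to test availability and destroyed at once, which is fine but worth one comment line.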
@@ -439,10 +437,8 @@ static void add_handler(private_printf_hook_t *this, char spec, } } -/** - * Implementation of printf_hook_t.destroy - */ -static void destroy(private_printf_hook_t *this) +METHOD(printf_hook_t, destroy, void, + private_printf_hook_t *this) { int i; #ifdef USE_VSTR @@ -477,10 +473,14 @@ static void destroy(private_printf_hook_t *this) */ printf_hook_t *printf_hook_create() { - private_printf_hook_t *this = malloc_thing(private_printf_hook_t); - - this->public.add_handler = (void(*)(printf_hook_t*, char, printf_hook_function_t, ...))add_handler; - this->public.destroy = (void(*)(printf_hook_t*))destroy; + private_printf_hook_t *this; + + INIT(this, + .public = { + .add_handler = _add_handler, + .destroy = _destroy, + }, + ); memset(printf_hooks, 0, sizeof(printf_hooks)); diff --git a/src/libstrongswan/processing/processor.c b/src/libstrongswan/processing/processor.c index 2a44f61e8..723aec908 100644 --- a/src/libstrongswan/processing/processor.c +++ b/src/libstrongswan/processing/processor.c @@ -248,7 +248,7 @@ static void destroy(private_processor_t *this) /* * Described in header. */ -processor_t *processor_create(size_t pool_size) +processor_t *processor_create() { private_processor_t *this = malloc_thing(private_processor_t); diff --git a/src/libstrongswan/selectors/traffic_selector.c b/src/libstrongswan/selectors/traffic_selector.c index 68bbbe2fd..32da194ef 100644 --- a/src/libstrongswan/selectors/traffic_selector.c +++ b/src/libstrongswan/selectors/traffic_selector.c 
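Review bot: `processor_t *processor_create()` declares a function with an unspecified parameter list, not an empty one, so callers that still pass the old pool_size argument keep compiling without a diagnostic and the removed parameter is pushed and ignored. Write `processor_t *processor_create(void)` here and in the header so stale call sites fail to compile. The function body beyond the malloc_thing line is outside the hunk.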
@@ -393,13 +393,15 @@ static bool equals(private_traffic_selector_t *this, private_traffic_selector_t switch (this->type) { case TS_IPV4_ADDR_RANGE: - if (memeq(this->from4, other->from4, sizeof(this->from4))) + if (memeq(this->from4, other->from4, sizeof(this->from4)) && + memeq(this->to4, other->to4, sizeof(this->to4))) { return TRUE; } break; case TS_IPV6_ADDR_RANGE: - if (memeq(this->from6, other->from6, sizeof(this->from6))) + if (memeq(this->from6, other->from6, sizeof(this->from6)) && + memeq(this->to6, other->to6, sizeof(this->to6))) { return TRUE; } diff --git a/src/libstrongswan/settings.c b/src/libstrongswan/settings.c index d85abb1df..bd279f51d 100644 --- a/src/libstrongswan/settings.c +++ b/src/libstrongswan/settings.c @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * @@ -18,12 +19,17 @@ #include #include #include +#include +#include +#include #include "settings.h" #include "debug.h" #include "utils/linked_list.h" +#include "threading/rwlock.h" +#define MAX_INCLUSION_LEVEL 10 typedef struct private_settings_t private_settings_t; typedef struct section_t section_t; @@ -45,9 +51,14 @@ struct private_settings_t { section_t *top; /** - * allocated file text + * contents of loaded files and in-memory settings (char*) */ - char *text; + linked_list_t *contents; + + /** + * lock to safely access the settings + */ + rwlock_t *lock; }; /** 
@@ -87,6 +98,69 @@ struct kv_t { char *value; }; +/** + * create a key/value pair + */ +static kv_t *kv_create(char *key, char *value) +{ + kv_t *this; + INIT(this, + .key = strdup(key), + .value = value, + ); + return this; +} + +/** + * destroy a key/value pair + */ +static void kv_destroy(kv_t *this) +{ + free(this->key); + free(this); +} + +/** + * create a section with the given name + */ +static section_t *section_create(char *name) +{ + section_t *this; + INIT(this, + .name = strdupnull(name), + .sections = linked_list_create(), + .kv = linked_list_create(), + ); + return this; +} + +/** + * destroy a section + */ +static void section_destroy(section_t *this) +{ + this->kv->destroy_function(this->kv, (void*)kv_destroy); + this->sections->destroy_function(this->sections, (void*)section_destroy); + free(this->name); + free(this); +} + +/** + * callback to find a section by name + */ +static bool section_find(section_t *this, char *name) +{ + return streq(this->name, name); +} + +/** + * callback to find a kv pair by key + */ +static bool kv_find(kv_t *this, char *key) +{ + return streq(this->key, key); +} + /** * Print a format key, but consume already processed arguments */ @@ -136,14 +210,15 @@ static bool print_key(char *buf, int len, char *start, char *key, va_list args) } /** - * find a section by a given key, using buffered key, reusable buffer + * Find a section by a given key, using buffered key, reusable buffer. + * If "ensure" is TRUE, the sections are created if they don't exist. */ static section_t *find_section_buffered(section_t *section, - char *start, char *key, va_list args, char *buf, int len) + char *start, char *key, va_list args, char *buf, int len, + bool ensure) { char *pos; - enumerator_t *enumerator; - section_t *current, *found = NULL; + section_t *found = NULL; if (section == NULL) { 
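Review bot: `kv_create` duplicates `key` but stores `value` as the caller's pointer, and `kv_destroy` frees only the key, so the value's lifetime is managed elsewhere; that asymmetry deserves a comment on `kv_create`, e.g. `/* key is cloned; value is stored by reference and must stay valid as long as the settings exist (it lives in the contents cache) */`. From the rest of the diff the values appear to point into loaded file buffers or into strings pushed onto `contents`, so the wording should be confirmed against those callers. `section_find` calls `streq(this->name, name)`, and `section_create(NULL)` yields a NULL name via `strdupnull` for the root section, so a one-line comment that `section_find` is only ever applied to entries of a `sections` list (which carry names) would document why that NULL cannot reach `streq` — presumably true, but I cannot verify every caller from here.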
@@ -159,47 +234,75 @@ static section_t *find_section_buffered(section_t *section, { return NULL; } - enumerator = section->sections->create_enumerator(section->sections); - while (enumerator->enumerate(enumerator, ¤t)) + if (section->sections->find_first(section->sections, + (linked_list_match_t)section_find, + (void**)&found, buf) != SUCCESS) { - if (streq(current->name, buf)) + if (ensure) { - found = current; - break; + found = section_create(buf); + section->sections->insert_last(section->sections, found); } } - enumerator->destroy(enumerator); if (found && pos) { - return find_section_buffered(found, start, pos, args, buf, len); + return find_section_buffered(found, start, pos, args, buf, len, ensure); } return found; } /** - * find a section by a given key + * Find a section by a given key (thread-safe). */ -static section_t *find_section(section_t *section, char *key, va_list args) +static section_t *find_section(private_settings_t *this, section_t *section, + char *key, va_list args) { char buf[128], keybuf[512]; + section_t *found; if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } - return find_section_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); + this->lock->read_lock(this->lock); + found = find_section_buffered(section, keybuf, keybuf, args, buf, + sizeof(buf), FALSE); + this->lock->unlock(this->lock); + return found; } /** - * Find the string value for a key, using buffered key, reusable buffer + * Ensure that the section with the given key exists (thread-safe). 
*/ -static char *find_value_buffered(section_t *section, - char *start, char *key, va_list args, char *buf, int len) +static section_t *ensure_section(private_settings_t *this, section_t *section, + char *key, va_list args) { - char *pos, *value = NULL; - enumerator_t *enumerator; - kv_t *kv; - section_t *current, *found = NULL; + char buf[128], keybuf[512]; + section_t *found; + + if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) + { + return NULL; + } + /* we might have to change the tree */ + this->lock->write_lock(this->lock); + found = find_section_buffered(section, keybuf, keybuf, args, buf, + sizeof(buf), TRUE); + this->lock->unlock(this->lock); + return found; +} + +/** + * Find the key/value pair for a key, using buffered key, reusable buffer + * If "ensure" is TRUE, the sections (and key/value pair) are created if they + * don't exist. + */ +static kv_t *find_value_buffered(section_t *section, char *start, char *key, + va_list args, char *buf, int len, bool ensure) +{ + char *pos; + kv_t *kv = NULL; + section_t *found = NULL; if (section == NULL) { @@ -216,20 +319,19 @@ static char *find_value_buffered(section_t *section, { return NULL; } - enumerator = section->sections->create_enumerator(section->sections); - while (enumerator->enumerate(enumerator, ¤t)) + if (section->sections->find_first(section->sections, + (linked_list_match_t)section_find, + (void**)&found, buf) != SUCCESS) { - if (streq(current->name, buf)) + if (!ensure) { - found = current; - break; + return NULL; } + found = section_create(buf); + section->sections->insert_last(section->sections, found); } - enumerator->destroy(enumerator); - if (found) - { - return find_value_buffered(found, start, pos, args, buf, len); - } + return find_value_buffered(found, start, pos, args, buf, len, + ensure); } else { 
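Review bot: `find_section_buffered` now mutates the tree when `ensure` is TRUE, yet nothing in its comment says which lock the caller must hold; `find_section` wraps it in `read_lock` and `ensure_section` in `write_lock`, so add to its doc comment `* The caller must hold the read lock, or the write lock if "ensure" is TRUE.` A lookup routine that creates nodes is easy to misuse, so the name could carry the side effect (e.g. `find_or_create_section_buffered`), though that is a matter of style. The result of `section_create(buf)` is inserted without a NULL check, which is fine only if `INIT` aborts on allocation failure — its definition is not visible here.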
@@ -237,44 +339,86 @@ static char *find_value_buffered(section_t *section, { return NULL; } - enumerator = section->kv->create_enumerator(section->kv); - while (enumerator->enumerate(enumerator, &kv)) + if (section->kv->find_first(section->kv, (linked_list_match_t)kv_find, + (void**)&kv, buf) != SUCCESS) { - if (streq(kv->key, buf)) + if (ensure) { - value = kv->value; - break; + kv = kv_create(buf, NULL); + section->kv->insert_last(section->kv, kv); } } - enumerator->destroy(enumerator); } - return value; + return kv; } /** - * Find the string value for a key + * Find the string value for a key (thread-safe). */ -static char *find_value(section_t *section, char *key, va_list args) +static char *find_value(private_settings_t *this, section_t *section, + char *key, va_list args) { - char buf[128], keybuf[512]; + char buf[128], keybuf[512], *value = NULL; + kv_t *kv; if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) { return NULL; } - return find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf)); + this->lock->read_lock(this->lock); + kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf), + FALSE); + if (kv) + { + value = kv->value; + } + this->lock->unlock(this->lock); + return value; } /** - * Implementation of settings_t.get. + * Set a value to a copy of the given string (thread-safe). */ -static char* get_str(private_settings_t *this, char *key, char *def, ...) 
+static void set_value(private_settings_t *this, section_t *section, + char *key, va_list args, char *value) +{ + char buf[128], keybuf[512]; + kv_t *kv; + + if (snprintf(keybuf, sizeof(keybuf), "%s", key) >= sizeof(keybuf)) + { + return; + } + this->lock->write_lock(this->lock); + kv = find_value_buffered(section, keybuf, keybuf, args, buf, sizeof(buf), + TRUE); + if (kv) + { + if (!value) + { + kv->value = NULL; + } + else if (kv->value && (strlen(value) <= strlen(kv->value))) + { /* overwrite in-place, if possible */ + strcpy(kv->value, value); + } + else + { /* otherwise clone the string and store it in the cache */ + kv->value = strdup(value); + this->contents->insert_last(this->contents, kv->value); + } + } + this->lock->unlock(this->lock); +} + +METHOD(settings_t, get_str, char*, + private_settings_t *this, char *key, char *def, ...) { char *value; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); if (value) { @@ -284,29 +428,23 @@ static char* get_str(private_settings_t *this, char *key, char *def, ...) } /** - * Implementation of settings_t.get_bool. + * Described in header */ -static bool get_bool(private_settings_t *this, char *key, bool def, ...) +inline bool settings_value_as_bool(char *value, bool def) { - char *value; - va_list args; - - va_start(args, def); - value = find_value(this->top, key, args); - va_end(args); if (value) { - if (strcaseeq(value, "true") || - strcaseeq(value, "enabled") || + if (strcaseeq(value, "1") || strcaseeq(value, "yes") || - strcaseeq(value, "1")) + strcaseeq(value, "true") || + strcaseeq(value, "enabled")) { return TRUE; } - else if (strcaseeq(value, "false") || - strcaseeq(value, "disabled") || + else if (strcaseeq(value, "0") || strcaseeq(value, "no") || - strcaseeq(value, "0")) + strcaseeq(value, "false") || + strcaseeq(value, "disabled")) { return FALSE; } 
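Review bot: `set_value` overwrites `kv->value` in place with `strcpy` (or sets it to NULL), while `find_value` returns the bare `kv->value` pointer after dropping the read lock and `get_str` hands it straight to the caller, so a concurrent `set_str` can change or clear a string a reader is still using; the rwlock protects the tree, not the returned string. Either document on `get_str` that the returned pointer is only valid until the next `set_*`/`load_files` call, or always allocate a fresh copy in `set_value` (never reuse the old buffer) so previously returned strings stay intact for the lifetime of the settings object. `set_value` also silently returns when the formatted key exceeds `keybuf`; a `DBG1` there would match the logging elsewhere in this file. `find_value_buffered` starts in an earlier hunk.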
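Review bot: `inline` on the externally visible definition of `settings_value_as_bool` (and the `_as_int`, `_as_double`, `_as_time` siblings in the following hunks) has no effect for callers in other translation units, and because settings.h declares the function without `inline` the compiler must emit an external definition anyway; dropping the keyword, `bool settings_value_as_bool(char *value, bool def)`, states the intent more plainly. The reordering of the accepted strings ("1" before "yes") does not change the result.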
@@ -314,18 +452,24 @@ static bool get_bool(private_settings_t *this, char *key, bool def, ...) return def; } -/** - * Implementation of settings_t.get_int. - */ -static int get_int(private_settings_t *this, char *key, int def, ...) +METHOD(settings_t, get_bool, bool, + private_settings_t *this, char *key, bool def, ...) { char *value; - int intval; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); + return settings_value_as_bool(value, def); +} + +/** + * Described in header + */ +inline int settings_value_as_int(char *value, int def) +{ + int intval; if (value) { errno = 0; @@ -338,18 +482,24 @@ static int get_int(private_settings_t *this, char *key, int def, ...) return def; } -/** - * Implementation of settings_t.get_double. - */ -static double get_double(private_settings_t *this, char *key, double def, ...) +METHOD(settings_t, get_int, int, + private_settings_t *this, char *key, int def, ...) { char *value; - double dval; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); + return settings_value_as_int(value, def); +} + +/** + * Described in header + */ +inline double settings_value_as_double(char *value, double def) +{ + double dval; if (value) { errno = 0; 
@@ -362,18 +512,25 @@ static double get_double(private_settings_t *this, char *key, double def, ...) return def; } -/** - * Implementation of settings_t.get_time. - */ -static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, ...) +METHOD(settings_t, get_double, double, + private_settings_t *this, char *key, double def, ...) { - char *value, *endptr; - u_int32_t timeval; + char *value; va_list args; va_start(args, def); - value = find_value(this->top, key, args); + value = find_value(this, this->top, key, args); va_end(args); + return settings_value_as_double(value, def); +} + +/** + * Described in header + */ +inline u_int32_t settings_value_as_time(char *value, u_int32_t def) +{ + char *endptr; + u_int32_t timeval; if (value) { errno = 0; @@ -392,7 +549,7 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, .. timeval *= 60; break; case 's': /* time in seconds */ - default: + default: break; } return timeval; 
@@ -401,6 +558,75 @@ static u_int32_t get_time(private_settings_t *this, char *key, u_int32_t def, .. return def; } +METHOD(settings_t, get_time, u_int32_t, + private_settings_t *this, char *key, u_int32_t def, ...) +{ + char *value; + va_list args; + + va_start(args, def); + value = find_value(this, this->top, key, args); + va_end(args); + return settings_value_as_time(value, def); +} + +METHOD(settings_t, set_str, void, + private_settings_t *this, char *key, char *value, ...) +{ + va_list args; + va_start(args, value); + set_value(this, this->top, key, args, value); + va_end(args); +} + +METHOD(settings_t, set_bool, void, + private_settings_t *this, char *key, bool value, ...) +{ + va_list args; + va_start(args, value); + set_value(this, this->top, key, args, value ? "1" : "0"); + va_end(args); +} + +METHOD(settings_t, set_int, void, + private_settings_t *this, char *key, int value, ...) +{ + char val[16]; + va_list args; + va_start(args, value); + if (snprintf(val, sizeof(val), "%d", value) < sizeof(val)) + { + set_value(this, this->top, key, args, val); + } + va_end(args); +} + +METHOD(settings_t, set_double, void, + private_settings_t *this, char *key, double value, ...) +{ + char val[64]; + va_list args; + va_start(args, value); + if (snprintf(val, sizeof(val), "%f", value) < sizeof(val)) + { + set_value(this, this->top, key, args, val); + } + va_end(args); +} + +METHOD(settings_t, set_time, void, + private_settings_t *this, char *key, u_int32_t value, ...) +{ + char val[16]; + va_list args; + va_start(args, value); + if (snprintf(val, sizeof(val), "%u", value) < sizeof(val)) + { + set_value(this, this->top, key, args, val); + } + va_end(args); +} + /** * Enumerate section names, not sections */ 
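Review bot: `set_double` formats with `"%f"` into `char val[64]`, and when the text does not fit (large magnitudes such as 1e300 expand to hundreds of digits) the value is silently not stored; the other `set_*` helpers have the same silent-drop shape, although `val[16]` is wide enough for any `%d`/`%u`. A bounded-width exponent form, `snprintf(val, sizeof(val), "%.17e", value)`, always fits and round-trips exactly, assuming `settings_value_as_double` parses with strtod as its `errno = 0` prologue suggests; failing that, at least log the dropped value with `DBG1`. Note also that `snprintf(...) < sizeof(val)` compares an `int` with `size_t`, so a negative (error) return is promoted to a huge value and correctly skips the store, but a cast or an explicit `< 0` check would make that intent visible.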
@@ -410,26 +636,24 @@ static bool section_filter(void *null, section_t **in, char **out) return TRUE; } -/** - * Implementation of settings_t.create_section_enumerator - */ -static enumerator_t* create_section_enumerator(private_settings_t *this, - char *key, ...) +METHOD(settings_t, create_section_enumerator, enumerator_t*, + private_settings_t *this, char *key, ...) { section_t *section; va_list args; va_start(args, key); - section = find_section(this->top, key, args); + section = find_section(this, this->top, key, args); va_end(args); if (!section) { return enumerator_create_empty(); } + this->lock->read_lock(this->lock); return enumerator_create_filter( - section->sections->create_enumerator(section->sections), - (void*)section_filter, NULL, NULL); + section->sections->create_enumerator(section->sections), + (void*)section_filter, this->lock, (void*)this->lock->unlock); } /** @@ -443,37 +667,24 @@ static bool kv_filter(void *null, kv_t **in, char **key, return TRUE; } -/** - * Implementation of settings_t.create_key_value_enumerator - */ -static enumerator_t* create_key_value_enumerator(private_settings_t *this, - char *key, ...) +METHOD(settings_t, create_key_value_enumerator, enumerator_t*, + private_settings_t *this, char *key, ...) { section_t *section; va_list args; va_start(args, key); - section = find_section(this->top, key, args); + section = find_section(this, this->top, key, args); va_end(args); if (!section) { return enumerator_create_empty(); } + this->lock->read_lock(this->lock); return enumerator_create_filter( section->kv->create_enumerator(section->kv), - (void*)kv_filter, NULL, NULL); -} - -/** - * destroy a section - */ -static void section_destroy(section_t *this) -{ - this->kv->destroy_function(this->kv, free); - this->sections->destroy_function(this->sections, (void*)section_destroy); - - free(this); + (void*)kv_filter, this->lock, (void*)this->lock->unlock); } /** 
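Review bot: `create_section_enumerator` now takes the read lock and only releases it through the filter enumerator's destructor, so the lock stays held for as long as the caller keeps the enumerator alive; the same applies to `create_key_value_enumerator` in the next hunk. Any `set_*` or `load_files*` call (write lock) made from inside the enumeration loop, or from a thread this one waits on, will deadlock, and whether a nested `read_lock` from the same thread is safe while a writer is queued depends on the rwlock implementation. The header comments for both enumerators should carry `@note The read lock is held until the enumerator is destroyed; do not modify the settings while enumerating.`, and the early `enumerator_create_empty()` return correctly avoids taking the lock. The `find_section` call releases its own read lock before the second `read_lock` here; that window is harmless only because sections are never removed from the tree, which is worth a one-line comment.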
@@ -550,46 +761,135 @@ static char parse(char **text, char *skip, char *term, char *br, char **token) return 0; } +/** + * Check if "text" starts with "pattern". + * Characters in "skip" are skipped first. If found, TRUE is returned and "text" + * is modified to point to the character right after "pattern". + */ +static bool starts_with(char **text, char *skip, char *pattern) +{ + char *pos = *text; + int len = strlen(pattern); + while (strchr(skip, *pos)) + { + pos++; + if (!*pos) + { + return FALSE; + } + } + if (strlen(pos) < len || !strneq(pos, pattern, len)) + { + return FALSE; + } + *text = pos + len; + return TRUE; +} + +/** + * Check if what follows in "text" is an include statement. + * If this function returns TRUE, "text" will point to the character right after + * the include pattern, which is returned in "pattern". + */ +static bool parse_include(char **text, char **pattern) +{ + char *pos = *text; + if (!starts_with(&pos, "\n\t ", "include")) + { + return FALSE; + } + if (starts_with(&pos, "\t ", "=")) + { /* ignore "include = value" */ + return FALSE; + } + *text = pos; + return parse(text, "\t ", "\n", NULL, pattern) != 0; +} + +/** + * Forward declaration. 
+ */ +static bool parse_files(linked_list_t *contents, char *file, int level, + char *pattern, section_t *section); + /** * Parse a section */ -static section_t* parse_section(char **text, char *name) +static bool parse_section(linked_list_t *contents, char *file, int level, + char **text, section_t *section) { - section_t *sub, *section; bool finished = FALSE; char *key, *value, *inner; - static int lev = 0; - lev++; - - section = malloc_thing(section_t); - section->name = name; - section->sections = linked_list_create(); - section->kv = linked_list_create(); - while (!finished) { + if (parse_include(text, &value)) + { + if (!parse_files(contents, file, level, value, section)) + { + DBG1(DBG_LIB, "failed to include '%s'", value); + return FALSE; + } + continue; + } switch (parse(text, "\t\n ", "{=#", NULL, &key)) { case '{': if (parse(text, "\t ", "}", "{", &inner)) { - sub = parse_section(&inner, key); - if (sub) + section_t *sub; + if (!strlen(key)) { - section->sections->insert_last(section->sections, sub); + DBG1(DBG_LIB, "skipping section without name in '%s'", + section->name); continue; } + if (section->sections->find_first(section->sections, + (linked_list_match_t)section_find, + (void**)&sub, key) != SUCCESS) + { + sub = section_create(key); + if (parse_section(contents, file, level, &inner, sub)) + { + section->sections->insert_last(section->sections, + sub); + continue; + } + section_destroy(sub); + } + else + { /* extend the existing section */ + if (parse_section(contents, file, level, &inner, sub)) + { + continue; + } + } + DBG1(DBG_LIB, "parsing subsection '%s' failed", key); + break; } DBG1(DBG_LIB, "matching '}' not found near %s", *text); break; case '=': if (parse(text, "\t ", "\n", NULL, &value)) { - kv_t *kv = malloc_thing(kv_t); - kv->key = key; - kv->value = value; - section->kv->insert_last(section->kv, kv); + kv_t *kv; + if (!strlen(key)) + { + DBG1(DBG_LIB, "skipping value without key in '%s'", + section->name); + continue; + } + if 
(section->kv->find_first(section->kv,
+ (linked_list_match_t)kv_find,
+ (void**)&kv, key) != SUCCESS)
+ {
+ kv = kv_create(key, value);
+ section->kv->insert_last(section->kv, kv);
+ }
+ else
+ { /* replace with the most recently read value */
+ kv->value = value;
+ }
continue;
}
DBG1(DBG_LIB, "parsing value failed near %s", *text);
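Review bot: `starts_with` can read past the end of the buffer: `strchr(skip, *pos)` is non-NULL when `*pos` is `'\0'` (strchr matches the terminator), so when `parse_section`'s loop calls `parse_include` with `*text` already at the end of the text — e.g. after the last line has been consumed — the loop does `pos++` and then reads `*pos` one byte beyond the `malloc(len + 1)` allocation. The same prefix match also treats any key that merely begins with `include` (say `include_dir = x` or `includes = yes`) as an include statement, because nothing requires a blank after the word, so such keys are silently swallowed and handed to glob(3). Separately, the `DBG1` messages `"skipping section without name in '%s'"` and `"skipping value without key in '%s'"` pass `section->name`, which is NULL for the root section created with `section_create(NULL)`; passing NULL to `%s` is undefined behavior even though glibc prints "(null)", so use `section->name ? section->name : "<root>"`. The rewrite below tests `*pos` before `strchr` and requires a blank after `include`. `parse_section`'s body ends in the next hunk.
```c
static bool starts_with(char **text, char *skip, char *pattern)
{
	char *pos = *text;
	int len = strlen(pattern);

	/* test *pos before strchr(): strchr(skip, '\0') matches the terminator,
	 * which would step past the end of the buffer */
	while (*pos && strchr(skip, *pos))
	{
		pos++;
	}
	if (!*pos || strlen(pos) < len || !strneq(pos, pattern, len))
	{
		return FALSE;
	}
	*text = pos + len;
	return TRUE;
}

static bool parse_include(char **text, char **pattern)
{
	char *pos = *text;
	/* "include" must be followed by a blank, otherwise this is an ordinary
	 * key that happens to start with the word (e.g. include_dir) */
	if (!starts_with(&pos, "\n\t ", "include") || (*pos != ' ' && *pos != '\t'))
	{
		return FALSE;
	}
	/* … unchanged: "include = value" check, *text update, parse() call … */
```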
@@ -601,78 +901,272 @@ static section_t* parse_section(char **text, char *name) finished = TRUE; continue; } - section_destroy(section); - return NULL; + return FALSE; } - return section; + return TRUE; } /** - * Implementation of settings_t.destroy + * Parse a file and add the settings to the given section. */ -static void destroy(private_settings_t *this) +static bool parse_file(linked_list_t *contents, char *file, int level, + section_t *section) { - if (this->top) + bool success; + char *text, *pos; + FILE *fd; + int len; + + DBG2(DBG_LIB, "loading config file '%s'", file); + fd = fopen(file, "r"); + if (fd == NULL) { - section_destroy(this->top); + DBG1(DBG_LIB, "'%s' does not exist or is not readable", file); + return FALSE; } - free(this->text); - free(this); + fseek(fd, 0, SEEK_END); + len = ftell(fd); + rewind(fd); + text = malloc(len + 1); + text[len] = '\0'; + if (fread(text, 1, len, fd) != len) + { + free(text); + return FALSE; + } + fclose(fd); + + pos = text; + success = parse_section(contents, file, level, &pos, section); + if (!success) + { + free(text); + } + else + { + contents->insert_last(contents, text); + } + return success; } -/* - * see header file +/** + * Load the files matching "pattern", which is resolved with glob(3). + * If the pattern is relative, the directory of "file" is used as base. 
*/ -settings_t *settings_create(char *file) +static bool parse_files(linked_list_t *contents, char *file, int level, + char *pattern, section_t *section) { - private_settings_t *this; - char *pos; - FILE *fd; - int len; + bool success = TRUE; + int status; + glob_t buf; + char **expanded, pat[PATH_MAX]; - this = malloc_thing(private_settings_t); - this->public.get_str = (char*(*)(settings_t*, char *key, char* def, ...))get_str; - this->public.get_int = (int(*)(settings_t*, char *key, int def, ...))get_int; - this->public.get_double = (double(*)(settings_t*, char *key, double def, ...))get_double; - this->public.get_time = (u_int32_t(*)(settings_t*, char *key, u_int32_t def, ...))get_time; - this->public.get_bool = (bool(*)(settings_t*, char *key, bool def, ...))get_bool; - this->public.create_section_enumerator = (enumerator_t*(*)(settings_t*,char *section, ...))create_section_enumerator; - this->public.create_key_value_enumerator = (enumerator_t*(*)(settings_t*, char *key, ...))create_key_value_enumerator; - this->public.destroy = (void(*)(settings_t*))destroy; + if (level > MAX_INCLUSION_LEVEL) + { + DBG1(DBG_LIB, "maximum level of %d includes reached, ignored", + MAX_INCLUSION_LEVEL); + return TRUE; + } - this->top = NULL; - this->text = NULL; + if (!strlen(pattern)) + { + DBG2(DBG_LIB, "empty include pattern, ignored"); + return TRUE; + } - if (file == NULL) + if (!file || pattern[0] == '/') + { /* absolute path */ + if (snprintf(pat, sizeof(pat), "%s", pattern) >= sizeof(pat)) + { + DBG1(DBG_LIB, "include pattern too long, ignored"); + return TRUE; + } + } + else + { /* base relative paths to the directory of the current file */ + char *dir = strdup(file); + dir = dirname(dir); + if (snprintf(pat, sizeof(pat), "%s/%s", dir, pattern) >= sizeof(pat)) + { + DBG1(DBG_LIB, "include pattern too long, ignored"); + free(dir); + return TRUE; + } + free(dir); + } + status = glob(pat, GLOB_ERR, NULL, &buf); + if (status == GLOB_NOMATCH) { - file = STRONGSWAN_CONF; + 
DBG2(DBG_LIB, "no files found matching '%s', ignored", pat); } - fd = fopen(file, "r"); - if (fd == NULL) + else if (status != 0) { - DBG1(DBG_LIB, "'%s' does not exist or is not readable", file); - return &this->public; + DBG1(DBG_LIB, "expanding file pattern '%s' failed", pat); + success = FALSE; } - fseek(fd, 0, SEEK_END); - len = ftell(fd); - rewind(fd); - this->text = malloc(len + 1); - this->text[len] = '\0'; - if (fread(this->text, 1, len, fd) != len) + else { - free(this->text); - this->text = NULL; - return &this->public; + for (expanded = buf.gl_pathv; *expanded != NULL; expanded++) + { + success &= parse_file(contents, *expanded, level + 1, section); + if (!success) + { + break; + } + } } - fclose(fd); + globfree(&buf); + return success; +} + +/** + * Recursivly extends "base" with "extension". + */ +static void section_extend(section_t *base, section_t *extension) +{ + enumerator_t *enumerator; + section_t *sec; + kv_t *kv; + + enumerator = extension->sections->create_enumerator(extension->sections); + while (enumerator->enumerate(enumerator, (void**)&sec)) + { + section_t *found; + if (base->sections->find_first(base->sections, + (linked_list_match_t)section_find, (void**)&found, + sec->name) == SUCCESS) + { + section_extend(found, sec); + } + else + { + extension->sections->remove_at(extension->sections, enumerator); + base->sections->insert_last(base->sections, sec); + } + } + enumerator->destroy(enumerator); + + enumerator = extension->kv->create_enumerator(extension->kv); + while (enumerator->enumerate(enumerator, (void**)&kv)) + { + kv_t *found; + if (base->kv->find_first(base->kv, (linked_list_match_t)kv_find, + (void**)&found, kv->key) == SUCCESS) + { + found->value = kv->value; + } + else + { + extension->kv->remove_at(extension->kv, enumerator); + base->kv->insert_last(base->kv, kv); + } + } + enumerator->destroy(enumerator); +} + +/** + * Load settings from files matching the given file pattern. 
+ * All sections and values are added relative to "parent". + * All files (even included ones) have to be loaded successfully. + */ +static bool load_files_internal(private_settings_t *this, section_t *parent, + char *pattern) +{ + char *text; + linked_list_t *contents = linked_list_create(); + section_t *section = section_create(NULL); + + if (!parse_files(contents, NULL, 0, pattern, section)) + { + contents->destroy_function(contents, (void*)free); + section_destroy(section); + return FALSE; + } + + this->lock->write_lock(this->lock); + /* extend parent section */ + section_extend(parent, section); + /* move contents of loaded files to main store */ + while (contents->remove_first(contents, (void**)&text) == SUCCESS) + { + this->contents->insert_last(this->contents, text); + } + this->lock->unlock(this->lock); + + section_destroy(section); + contents->destroy(contents); + return TRUE; +} + +METHOD(settings_t, load_files, bool, + private_settings_t *this, char *pattern) +{ + return load_files_internal(this, this->top, pattern); +} + +METHOD(settings_t, load_files_section, bool, + private_settings_t *this, char *pattern, char *key, ...) 
+{ + section_t *section; + va_list args; + + va_start(args, key); + section = ensure_section(this, this->top, key, args); + va_end(args); - pos = this->text; - this->top = parse_section(&pos, NULL); - if (this->top == NULL) + if (!section) { - free(this->text); - this->text = NULL; + return FALSE; } + return load_files_internal(this, section, pattern); +} + +METHOD(settings_t, destroy, void, + private_settings_t *this) +{ + section_destroy(this->top); + this->contents->destroy_function(this->contents, (void*)free); + this->lock->destroy(this->lock); + free(this); +} + +/* + * see header file + */ +settings_t *settings_create(char *file) +{ + private_settings_t *this; + + INIT(this, + .public = { + .get_str = _get_str, + .get_int = _get_int, + .get_double = _get_double, + .get_time = _get_time, + .get_bool = _get_bool, + .set_str = _set_str, + .set_int = _set_int, + .set_double = _set_double, + .set_time = _set_time, + .set_bool = _set_bool, + .create_section_enumerator = _create_section_enumerator, + .create_key_value_enumerator = _create_key_value_enumerator, + .load_files = _load_files, + .load_files_section = _load_files_section, + .destroy = _destroy, + }, + .top = section_create(NULL), + .contents = linked_list_create(), + .lock = rwlock_create(RWLOCK_TYPE_DEFAULT), + ); + + if (file == NULL) + { + file = STRONGSWAN_CONF; + } + + load_files(this, file); + return &this->public; } diff --git a/src/libstrongswan/settings.h b/src/libstrongswan/settings.h index 486de8def..bc3df3706 100644 --- a/src/libstrongswan/settings.h +++ b/src/libstrongswan/settings.h @@ -1,4 +1,5 @@ /* + * Copyright (C) 2010 Tobias Brunner * Copyright (C) 2008 Martin Willi * Hochschule fuer Technik Rapperswil * 
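Review bot: `parse_file` uses the result of `ftell` unchecked: if it returns -1 (a non-seekable or erroring stream — a glob pattern can match directories, which `fopen` happily opens), `malloc(len + 1)` becomes `malloc(0)` and `text[len] = '\0'` writes at index -1; the `malloc` result is also unchecked, and the short-read path returns without `fclose(fd)`, leaking the stream. In `parse_files`, `dir = dirname(dir)` followed by `free(dir)` is wrong wherever `dirname` returns static storage (POSIX allows it, and glibc does so for names without a slash, returning "."), so keep the `strdup` pointer separate: `char *dir = strdup(file), *base = dirname(dir);`, use `base` in the `snprintf`, and `free(dir)` afterwards. `settings_create` ignores the return of `load_files`, which is acceptable since `parse_file` already logs the failure, but a comment stating that a missing main config is non-fatal would help. The rewrite below covers `parse_file`'s I/O path and the `dirname` block; the hunk opens with the tail of `parse_section`, which starts in the previous hunk.
```c
static bool parse_file(linked_list_t *contents, char *file, int level,
					   section_t *section)
{
	bool success;
	char *text, *pos;
	FILE *fd;
	long len;

	/* … unchanged: DBG2 and fopen() with the NULL check … */
	if (fseek(fd, 0, SEEK_END) != 0 || (len = ftell(fd)) < 0)
	{	/* directories and other non-seekable streams end up here */
		DBG1(DBG_LIB, "'%s' is not a regular readable file", file);
		fclose(fd);
		return FALSE;
	}
	rewind(fd);
	text = malloc(len + 1);
	if (!text || fread(text, 1, len, fd) != (size_t)len)
	{
		free(text);
		fclose(fd);
		return FALSE;
	}
	text[len] = '\0';
	fclose(fd);
	/* … unchanged: parse_section() call and contents bookkeeping … */
}

/* … unchanged: parse_files() up to the absolute/relative branch … */
	else
	{	/* base relative paths to the directory of the current file */
		char *dir = strdup(file), *base = dirname(dir);
		/* dirname() may return static storage, so free() the copy, not base */
		if (snprintf(pat, sizeof(pat), "%s/%s", base, pattern) >= sizeof(pat))
		{
			DBG1(DBG_LIB, "include pattern too long, ignored");
			free(dir);
			return TRUE;
		}
		free(dir);
	}
```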
@@ -26,15 +27,55 @@ typedef struct settings_t settings_t; #include "utils.h" #include "utils/enumerator.h" +/** + * Convert a string value returned by a key/value enumerator to a boolean. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_bool() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +bool settings_value_as_bool(char *value, bool def); + +/** + * Convert a string value returned by a key/value enumerator to an integer. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_int() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +int settings_value_as_int(char *value, int def); + +/** + * Convert a string value returned by a key/value enumerator to a double. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_double() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +double settings_value_as_double(char *value, double def); + +/** + * Convert a string value returned by a key/value enumerator to a time value. + * + * @see settings_t.create_key_value_enumerator() + * @see settings_t.get_time() + * @param value the string value + * @param def the default value, if value is NULL or invalid + */ +u_int32_t settings_value_as_time(char *value, u_int32_t def); + /** * Generic configuration options read from a config file. * * The syntax is quite simple: - * + * @code * settings := (section|keyvalue)* * section := name { settings } * keyvalue := key = value\n - * + * @endcode * E.g.: * @code a = b 
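Review bot: The four `settings_value_as_*` prototypes document `@param value` and `@param def` but have no `@return`; add e.g. `@return the converted value, or def if value is NULL or cannot be parsed` to each. It would also help to state what "invalid" means for the time variant, since the implementation accepts a unit suffix (the `case 's': /* time in seconds */` and `timeval *= 60` lines in the settings.c hunks), and enumerator callers need that to format values consistently.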
@@ -54,6 +95,51 @@ typedef struct settings_t settings_t; * * Currently only a limited set of printf format specifiers are supported * (namely %s, %d and %N, see implementation for details). + * + * \section includes Including other files + * Other files can be included, using the include statement e.g. + * @code + * include /somepath/subconfig.conf + * @endcode + * Shell patterns like *.conf are possible. + * + * If the path is relative, the directory of the file containing the include + * statement is used as base. + * + * Sections loaded from included files extend previously loaded sections, + * already existing values are replaced. + * + * All settings included from files are added relative to the section the + * include statment is in. + * + * The following files result in the same final config as above: + * + * @code + a = b + section-one { + somevalue = before include + include include.conf + } + include two.conf + @endcode + * include.conf + * @code + somevalue = asdf + subsection { + othervalue = yyy + } + yetanother = zz + @endcode + * two.conf + * @code + section-one { + subsection { + othervalue = xxx + } + } + section-two { + } + @endcode */ struct settings_t { 
@@ -107,6 +193,51 @@ struct settings_t { */ u_int32_t (*get_time)(settings_t *this, char *key, u_int32_t def, ...); + /** + * Set a string value. + * + * @param key key including sections, printf style format + * @param value value to set (gets cloned) + * @param ... argument list for key + */ + void (*set_str)(settings_t *this, char *key, char *value, ...); + + /** + * Set a boolean value. + * + * @param key key including sections, printf style format + * @param value value to set + * @param ... argument list for key + */ + void (*set_bool)(settings_t *this, char *key, bool value, ...); + + /** + * Set an integer value. + * + * @param key key including sections, printf style format + * @param value value to set + * @param ... argument list for key + */ + void (*set_int)(settings_t *this, char *key, int value, ...); + + /** + * Set an double value. + * + * @param key key including sections, printf style format + * @param value value to set + * @param ... argument list for key + */ + void (*set_double)(settings_t *this, char *key, double value, ...); + + /** + * Set a time value. + * + * @param key key including sections, printf style format + * @param def value to set + * @param ... argument list for key + */ + void (*set_time)(settings_t *this, char *key, u_int32_t value, ...); + /** * Create an enumerator over subsection names of a section. * 
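Review bot: The doc comment for `set_time` names the parameter `@param def`, but the prototype's parameter is `value`; change it to `@param value value to set` so Doxygen matches the signature. `set_double`'s summary reads "Set an double value" and should be "Set a double value". `set_str` says the value "gets cloned", which matches the `strdup` in `set_value`; it is worth adding that passing NULL clears the value, as `set_value`'s `kv->value = NULL` branch does.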
@@ -121,12 +252,46 @@ struct settings_t { * Create an enumerator over key/value pairs in a section. * * @param section section name to list key/value pairs of, printf style - * @param ... argmuent list for section + * @param ... argument list for section * @return enumerator over (char *key, char *value) */ enumerator_t* (*create_key_value_enumerator)(settings_t *this, char *section, ...); + /** + * Load settings from the files matching the given pattern. + * + * Existing sections are extended, existing values replaced, by those found + * in the loaded files. + * + * @note If any of the files matching the pattern fails to load, no settings + * are added at all. So, it's all or nothing. + * + * @param pattern file pattern + * @return TRUE, if settings were loaded successfully + */ + bool (*load_files)(settings_t *this, char *pattern); + + /** + * Load settings from the files matching the given pattern. + * + * Existing sections are extended, existing values replaced, by those found + * in the loaded files. + * + * All settings are loaded relative to the given section. The section is + * created, if it does not yet exist. + * + * @note If any of the files matching the pattern fails to load, no settings + * are added at all. So, it's all or nothing. + * + * @param pattern file pattern + * @param section section name of parent section, printf style + * @param ... argument list for section + * @return TRUE, if settings were loaded successfully + */ + bool (*load_files_section)(settings_t *this, char *pattern, + char *section, ...); + /** * Destroy a settings instance. */ diff --git a/src/libstrongswan/utils.c b/src/libstrongswan/utils.c index b868d538d..2ab061a74 100644 --- a/src/libstrongswan/utils.c +++ b/src/libstrongswan/utils.c @@ -246,6 +246,14 @@ bool return_false() return FALSE; } +/** + * returns FAILED + */ +status_t return_failed() +{ + return FAILED; +} + /** * nop operation */ 
diff --git a/src/libstrongswan/utils.h b/src/libstrongswan/utils.h index 35d3bebd1..ed61895ee 100644 --- a/src/libstrongswan/utils.h +++ b/src/libstrongswan/utils.h @@ -57,7 +57,7 @@ #define streq(x,y) (strcmp(x, y) == 0) /** - * Macro compares two strings for equality + * Macro compares two strings for equality, length limited */ #define strneq(x,y,len) (strncmp(x, y, len) == 0) @@ -66,6 +66,16 @@ */ #define strcaseeq(x,y) (strcasecmp(x, y) == 0) +/** + * Macro compares two strings for equality ignoring case, length limited + */ +#define strncaseeq(x,y,len) (strncasecmp(x, y, len) == 0) + +/** + * NULL-safe strdup variant + */ +#define strdupnull(x) ({ char *_x = x; _x ? strdup(_x) : NULL; }) + /** * Macro compares two binary blobs for equality */ @@ -381,6 +391,11 @@ bool return_true(); */ bool return_false(); +/** + * returns FAILED + */ +status_t return_failed(); + /** * Write a 16-bit host order value in network order to an unaligned address. * diff --git a/src/libstrongswan/utils/backtrace.c b/src/libstrongswan/utils/backtrace.c index a67245194..41224e8c2 100644 --- a/src/libstrongswan/utils/backtrace.c +++ b/src/libstrongswan/utils/backtrace.c @@ -132,10 +132,11 @@ static void log_(private_backtrace_t *this, FILE *file, bool detailed) /** * Implementation of backtrace_t.contains_function */ -static bool contains_function(private_backtrace_t *this, char *function) +static bool contains_function(private_backtrace_t *this, + char *function[], int count) { #ifdef HAVE_DLADDR - int i; + int i, j; for (i = 0; i< this->frame_count; i++) { @@ -143,9 +144,12 @@ static bool contains_function(private_backtrace_t *this, char *function) if (dladdr(this->frames[i], &info) && info.dli_sname) { - if (streq(info.dli_sname, function)) + for (j = 0; j < count; j++) { - return TRUE; + if (streq(info.dli_sname, function[j])) + { + return TRUE; + } } } } 
@@ -179,7 +183,7 @@ backtrace_t *backtrace_create(int skip) this->frame_count = frame_count; this->public.log = (void(*)(backtrace_t*,FILE*,bool))log_; - this->public.contains_function = (bool(*)(backtrace_t*, char *function))contains_function; + this->public.contains_function = (bool(*)(backtrace_t*, char *function[], int count))contains_function; this->public.destroy = (void(*)(backtrace_t*))destroy; return &this->public; diff --git a/src/libstrongswan/utils/backtrace.h b/src/libstrongswan/utils/backtrace.h index c6b0ec78f..e8ccfc1bd 100644 --- a/src/libstrongswan/utils/backtrace.h +++ b/src/libstrongswan/utils/backtrace.h @@ -41,12 +41,13 @@ struct backtrace_t { void (*log)(backtrace_t *this, FILE *file, bool detailed); /** - * Check if the backtrace contains a frame in a specific function. + * Check if the backtrace contains a frame having a function in a list. * - * @param function name - * @return TRUE if function is in the stack + * @param function name array + * @param number of elements in function array + * @return TRUE if one of the functions is in the stack */ - bool (*contains_function)(backtrace_t *this, char *function); + bool (*contains_function)(backtrace_t *this, char *function[], int count); /** * Destroy a backtrace instance. diff --git a/src/libstrongswan/utils/hashtable.c b/src/libstrongswan/utils/hashtable.c index dde57dc65..49b0bb68c 100644 --- a/src/libstrongswan/utils/hashtable.c +++ b/src/libstrongswan/utils/hashtable.c @@ -186,7 +186,7 @@ static void rehash(private_hashtable_t *this) linked_list_t **old_table; u_int row, old_capacity; - if (this->capacity < MAX_CAPACITY) + if (this->capacity >= MAX_CAPACITY) { return; } @@ -249,6 +249,7 @@ METHOD(hashtable_t, put, void*, { old_value = pair->value; pair->value = value; + pair->key = key; break; } } diff --git a/src/libstrongswan/utils/host.c b/src/libstrongswan/utils/host.c index 112d07e5c..ffeebd05c 100644 --- a/src/libstrongswan/utils/host.c +++ b/src/libstrongswan/utils/host.c 
@@ -476,6 +476,10 @@ host_t *host_create_from_dns(char *string, int af, u_int16_t port) { return host_create_any_port(af ? af : AF_INET6, port); } + if (af == AF_INET && strchr(string, ':')) + { /* do not try to convert v6 addresses for v4 family */ + return NULL; + } memset(&hints, 0, sizeof(hints)); hints.ai_family = af; @@ -561,6 +565,41 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port) return &this->public; } +/* + * Described in header. + */ +host_t *host_create_from_subnet(char *string, int *bits) +{ + char *pos, buf[64]; + host_t *net; + + pos = strchr(string, '/'); + if (pos) + { + if (pos - string >= sizeof(buf)) + { + return NULL; + } + strncpy(buf, string, pos - string); + buf[pos - string] = '\0'; + *bits = atoi(pos + 1); + return host_create_from_string(buf, 0); + } + net = host_create_from_string(buf, 0); + if (net) + { + if (net->get_family(net) == AF_INET) + { + *bits = 32; + } + else + { + *bits = 128; + } + } + return net; +} + /* * Described in header. */ diff --git a/src/libstrongswan/utils/host.h b/src/libstrongswan/utils/host.h index f5796154c..0a1be6e47 100644 --- a/src/libstrongswan/utils/host.h +++ b/src/libstrongswan/utils/host.h @@ -189,6 +189,15 @@ host_t *host_create_from_chunk(int family, chunk_t address, u_int16_t port); */ host_t *host_create_from_sockaddr(sockaddr_t *sockaddr); +/** + * Create a host from a CIDR subnet definition (1.2.3.0/24), return bits. + * + * @param string string to parse + * @param bits gets the number of network bits in CIDR notation + * @return network start address, NULL on error + */ +host_t *host_create_from_subnet(char *string, int *bits); + /** * Create a host without an address, a "any" host. * diff --git a/src/libstrongswan/utils/identification.c b/src/libstrongswan/utils/identification.c index 0696c1030..fd2716deb 100644 --- a/src/libstrongswan/utils/identification.c +++ b/src/libstrongswan/utils/identification.c 
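Review bot: In `host_create_from_subnet`, the no-slash branch passes the uninitialized local `buf` to `host_create_from_string(buf, 0)` instead of `string`, so a plain address without a prefix length is parsed from stack garbage (undefined behaviour, and the function returns a bogus host or NULL at random). The slash branch also takes `*bits = atoi(pos + 1)` without any check, so `10.0.0.0/abc` yields 0 bits, `10.0.0.0/-5` and `10.0.0.0/200` are accepted, and `*bits` is left untouched when the function returns NULL early, which callers that only test the return value may still read. Since this parses configuration or peer-supplied subnet strings, I would parse the prefix with `strtol`, reject garbage and negative values, and bound it by the address family once the host is known; the rewritten body is below (the header documentation in the following hunk should then state that a missing prefix yields 32 or 128 and that an out-of-range prefix is an error).
```c
host_t *host_create_from_subnet(char *string, int *bits)
{
	char *pos, *end, buf[64];
	long val = -1;
	host_t *net;

	pos = strchr(string, '/');
	if (pos)
	{
		if (pos - string >= sizeof(buf))
		{
			return NULL;
		}
		memcpy(buf, string, pos - string);
		buf[pos - string] = '\0';
		val = strtol(pos + 1, &end, 10);
		if (end == pos + 1 || *end != '\0' || val < 0)
		{
			return NULL;
		}
		net = host_create_from_string(buf, 0);
	}
	else
	{
		net = host_create_from_string(string, 0);
	}
	if (net)
	{
		int max = (net->get_family(net) == AF_INET) ? 32 : 128;

		if (val > max)
		{
			net->destroy(net);
			return NULL;
		}
		*bits = (val < 0) ? max : (int)val;
	}
	return net;
}
```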
@@ -281,11 +281,13 @@ static void dntoa(chunk_t dn, char *buf, size_t len) chunk_t oid_data, data, printable; u_char type; int oid, written; - bool finished = FALSE; + bool finished = FALSE, empty = TRUE; e = create_rdn_enumerator(dn); while (e->enumerate(e, &oid_data, &type, &data)) { + empty = FALSE; + oid = asn1_known_oid(oid_data); if (oid == OID_UNKNOWN) @@ -329,7 +331,11 @@ static void dntoa(chunk_t dn, char *buf, size_t len) break; } } - if (!finished) + if (empty) + { + snprintf(buf, len, ""); + } + else if (!finished) { snprintf(buf, len, "(invalid ID_DER_ASN1_DN)"); } diff --git a/src/libstrongswan/utils/leak_detective.c b/src/libstrongswan/utils/leak_detective.c index 5673fc32d..52e92951b 100644 --- a/src/libstrongswan/utils/leak_detective.c +++ b/src/libstrongswan/utils/leak_detective.c @@ -218,24 +218,22 @@ char *whitelist[] = { "gcry_create_nonce", /* NSPR */ "PR_CallOnce", + /* libapr */ + "apr_pool_create_ex", + /* glib */ + "g_type_init_with_debug_flags", + "g_type_register_static", + "g_type_class_ref", + "g_type_create_instance", + "g_type_add_interface_static", + "g_type_interface_add_prerequisite", + "g_socket_connection_factory_lookup_type", + /* libgpg */ + "gpg_err_init", + /* gnutls */ + "gnutls_global_init", }; -/** - * check if a stack frame contains functions listed above - */ -static bool is_whitelisted(backtrace_t *backtrace) -{ - int i; - for (i = 0; i < sizeof(whitelist)/sizeof(char*); i++) - { - if (backtrace->contains_function(backtrace, whitelist[i])) - { - return TRUE; - } - } - return FALSE; -} - /** * Report leaks at library destruction */ @@ -248,7 +246,8 @@ static void report(private_leak_detective_t *this, bool detailed) for (hdr = first_header.next; hdr != NULL; hdr = hdr->next) { - if (is_whitelisted(hdr->backtrace)) + if (hdr->backtrace->contains_function(hdr->backtrace, + whitelist, countof(whitelist))) { whitelisted++; } 
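Review bot: The new `empty` branch in `dntoa` clears the output with `snprintf(buf, len, "")`, which is an empty format string: it triggers `-Wformat-zero-length` on GCC and is an indirect way of writing a terminator. Writing it directly is clearer and avoids the format-string machinery, e.g. `if (len) { buf[0] = '\0'; }`. The rest of `dntoa` is outside the hunk, so I could not confirm whether `len == 0` is ever passed; the explicit guard keeps the replacement safe either way.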
diff --git a/src/libstrongswan/utils/optionsfrom.c b/src/libstrongswan/utils/optionsfrom.c index d8f635c62..e51780290 100644 --- a/src/libstrongswan/utils/optionsfrom.c +++ b/src/libstrongswan/utils/optionsfrom.c @@ -61,11 +61,8 @@ struct private_options_t { char *buffers[MAX_USES]; }; -/** - * Defined in header - */ -bool from(private_options_t *this, char *filename, int *argcp, char **argvp[], - int optind) +METHOD(options_t, from, bool, + private_options_t *this, char *filename, int *argcp, char **argvp[], int optind) { int newargc; int next; /* place for next argument */ @@ -182,10 +179,8 @@ bool from(private_options_t *this, char *filename, int *argcp, char **argvp[], return good; } -/** - * Defined in header - */ -void destroy(private_options_t *this) +METHOD(options_t, destroy, void, + private_options_t *this) { while (this->nuses >= 0) { @@ -200,17 +195,16 @@ void destroy(private_options_t *this) */ options_t *options_create(void) { - private_options_t *this = malloc_thing(private_options_t); + private_options_t *this; - /* initialize */ - this->newargv = NULL; - this->room = 0; - this->nuses = -1; - memset(this->buffers, '\0', MAX_USES); + INIT(this, + .public = { + .from = _from, + .destroy = _destroy, - /* public functions */ - this->public.from = (bool (*) (options_t*,char*,int*,char***,int))from; - this->public.destroy = (void (*) (options_t*))destroy; + }, + .nuses = -1, + ); return &this->public; } diff --git a/src/libtls/Makefile.in b/src/libtls/Makefile.in index 9f0a817f5..93e8b4a9b 100644 --- a/src/libtls/Makefile.in +++ b/src/libtls/Makefile.in @@ -195,9 +195,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
@@ -236,6 +234,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/libtls/tls.h b/src/libtls/tls.h index 1908f5dd4..e2c377ad3 100644 --- a/src/libtls/tls.h +++ b/src/libtls/tls.h @@ -202,7 +202,7 @@ struct tls_t { /** * Check if TLS negotiation completed successfully. * - * @return TRUE if TLS negotation and authentication complete + * @return TRUE if TLS negotiation and authentication complete */ bool (*is_complete)(tls_t *this); diff --git a/src/libtls/tls_crypto.c b/src/libtls/tls_crypto.c index 78f2a796d..b4eaf4d79 100644 --- a/src/libtls/tls_crypto.c +++ b/src/libtls/tls_crypto.c @@ -626,15 +626,18 @@ static void filter_suite(private_tls_crypto_t *this, suite_algs_t suites[], int *count, int offset, enumerator_t*(*create_enumerator)(crypto_factory_t*)) { + const char *plugin_name; suite_algs_t current; - int i, remaining = 0; + int *current_alg, i, remaining = 0; enumerator_t *enumerator; memset(¤t, 0, sizeof(current)); + current_alg = (int*)((char*)¤t + offset); + for (i = 0; i < *count; i++) { enumerator = create_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, ((char*)¤t) + offset)) + while (enumerator->enumerate(enumerator, current_alg, &plugin_name)) { if ((suites[i].encr == ENCR_NULL || !current.encr || current.encr == suites[i].encr) && @@ -1060,10 +1063,11 @@ METHOD(tls_crypto_t, get_signature_algorithms, void, enumerator_t *enumerator; hash_algorithm_t alg; tls_hash_algorithm_t hash; + const char *plugin_name; supported = tls_writer_create(32); enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &alg)) + while (enumerator->enumerate(enumerator, &alg, &plugin_name)) { switch (alg) { 
diff --git a/src/libtls/tls_eap.c b/src/libtls/tls_eap.c index a8c3a5053..8204a3441 100644 --- a/src/libtls/tls_eap.c +++ b/src/libtls/tls_eap.c @@ -303,17 +303,21 @@ METHOD(tls_eap_t, process, status_t, DBG2(DBG_TLS, "received %N acknowledgement packet", eap_type_names, this->type); status = build_pkt(this, pkt->identifier, out); - if (status == INVALID_STATE && - this->tls->is_complete(this->tls)) + if (status == INVALID_STATE && this->tls->is_complete(this->tls)) { return SUCCESS; } return status; } status = process_pkt(this, pkt); - if (status != NEED_MORE) + switch (status) { - return status; + case NEED_MORE: + break; + case SUCCESS: + return this->tls->is_complete(this->tls) ? SUCCESS : FAILED; + default: + return status; } } status = build_pkt(this, pkt->identifier, out); diff --git a/src/libtls/tls_reader.c b/src/libtls/tls_reader.c index 17ec68fd5..2b3cd8cac 100644 --- a/src/libtls/tls_reader.c +++ b/src/libtls/tls_reader.c @@ -52,8 +52,8 @@ METHOD(tls_reader_t, read_uint8, bool, { if (this->buf.len < 1) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 8); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int8 data", + this->buf.len); return FALSE; } *res = this->buf.ptr[0]; @@ -66,8 +66,8 @@ METHOD(tls_reader_t, read_uint16, bool, { if (this->buf.len < 2) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 16); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int16 data", + this->buf.len); return FALSE; } *res = untoh16(this->buf.ptr); @@ -80,8 +80,8 @@ METHOD(tls_reader_t, read_uint24, bool, { if (this->buf.len < 3) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 24); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int24 data", + this->buf.len); return FALSE; } *res = untoh32(this->buf.ptr) >> 8; 
@@ -94,8 +94,8 @@ METHOD(tls_reader_t, read_uint32, bool, { if (this->buf.len < 4) { - DBG1(DBG_TLS, "%d bytes insufficient to parse uint%d TLS data", - this->buf.len, 32); + DBG1(DBG_TLS, "%d bytes insufficient to parse u_int32 data", + this->buf.len); return FALSE; } *res = untoh32(this->buf.ptr); @@ -108,7 +108,7 @@ METHOD(tls_reader_t, read_data, bool, { if (this->buf.len < len) { - DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes TLS data", + DBG1(DBG_TLS, "%d bytes insufficient to parse %d bytes of data", this->buf.len, len); return FALSE; } diff --git a/src/libtls/tls_writer.c b/src/libtls/tls_writer.c index 235dc2cdf..e87c2efea 100644 --- a/src/libtls/tls_writer.c +++ b/src/libtls/tls_writer.c @@ -226,7 +226,7 @@ tls_writer_t *tls_writer_create(u_int32_t bufsize) .get_buf = _get_buf, .destroy = _destroy, }, - .increase = bufsize ?: 32, + .increase = bufsize ? max(bufsize, 4) : 32, ); if (bufsize) { diff --git a/src/manager/Makefile.in b/src/manager/Makefile.in index 5073d9686..2e139f839 100644 --- a/src/manager/Makefile.in +++ b/src/manager/Makefile.in @@ -236,9 +236,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -277,6 +275,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/medsrv/Makefile.in b/src/medsrv/Makefile.in index 07315cfd2..9c9662f7f 100644 --- a/src/medsrv/Makefile.in +++ b/src/medsrv/Makefile.in 
@@ -226,9 +226,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -267,6 +265,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/openac/Makefile.in b/src/openac/Makefile.in index fcac66226..ec4657e55 100644 --- a/src/openac/Makefile.in +++ b/src/openac/Makefile.in @@ -220,9 +220,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -261,6 +259,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in index 0ec6f9c0b..c6651fdf5 100644 --- a/src/pki/Makefile.in +++ b/src/pki/Makefile.in @@ -197,9 +197,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -238,6 +236,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
diff --git a/src/pki/command.c b/src/pki/command.c index b9c35d99b..0142b4ab7 100644 --- a/src/pki/command.c +++ b/src/pki/command.c @@ -201,7 +201,7 @@ int command_usage(char *error) } for (i = 0; cmds[active].options[i].name; i++) { - fprintf(out, " --%-8s (-%c) %s\n", + fprintf(out, " --%-15s (-%c) %s\n", cmds[active].options[i].name, cmds[active].options[i].op, cmds[active].options[i].desc); } diff --git a/src/pki/command.h b/src/pki/command.h index fad598c0b..a6f8bc758 100644 --- a/src/pki/command.h +++ b/src/pki/command.h @@ -29,7 +29,7 @@ /** * Maximum number of options in a command (+1) */ -#define MAX_OPTIONS 20 +#define MAX_OPTIONS 32 /** * Maximum number of usage summary lines (+1) diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c index 8ea852e31..6a5686d92 100644 --- a/src/pki/commands/issue.c +++ b/src/pki/commands/issue.c @@ -18,11 +18,40 @@ #include "pki.h" #include +#include #include #include #include #include +/** + * Free cert policy with OID + */ +static void destroy_cert_policy(x509_cert_policy_t *policy) +{ + free(policy->oid.ptr); + free(policy); +} + +/** + * Free policy mapping + */ +static void destroy_policy_mapping(x509_policy_mapping_t *mapping) +{ + free(mapping->issuer.ptr); + free(mapping->subject.ptr); + free(mapping); +} + +/** + * Free a CRL DistributionPoint + */ +static void destroy_cdp(x509_cdp_t *this) +{ + DESTROY_IF(this->issuer); + free(this); +} + /** * Issue a certificate using a CA certificate and key */ 
@@ -37,19 +66,26 @@ static int issue() char *file = NULL, *dn = NULL, *hex = NULL, *cacert = NULL, *cakey = NULL; char *error = NULL, *keyid = NULL; identification_t *id = NULL; - linked_list_t *san, *cdps, *ocsp; + linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; - int pathlen = X509_NO_PATH_LEN_CONSTRAINT; + int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; + int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after; x509_flag_t flags = 0; x509_t *x509; + x509_cdp_t *cdp = NULL; + x509_cert_policy_t *policy = NULL; char *arg; san = linked_list_create(); cdps = linked_list_create(); ocsp = linked_list_create(); + permitted = linked_list_create(); + excluded = linked_list_create(); + policies = linked_list_create(); + mappings = linked_list_create(); while (TRUE) { 
@@ -111,6 +147,79 @@ static int issue() case 'p': pathlen = atoi(arg); continue; + case 'n': + permitted->insert_last(permitted, + identification_create_from_string(arg)); + continue; + case 'N': + excluded->insert_last(excluded, + identification_create_from_string(arg)); + continue; + case 'P': + { + chunk_t oid; + + oid = asn1_oid_from_string(arg); + if (!oid.len) + { + error = "--cert-policy OID invalid"; + goto usage; + } + INIT(policy, + .oid = oid, + ); + policies->insert_last(policies, policy); + continue; + } + case 'C': + if (!policy) + { + error = "--cps-uri must follow a --cert-policy"; + goto usage; + } + policy->cps_uri = arg; + continue; + case 'U': + if (!policy) + { + error = "--user-notice must follow a --cert-policy"; + goto usage; + } + policy->unotice_text = arg; + continue; + case 'M': + { + char *pos = strchr(arg, ':'); + x509_policy_mapping_t *mapping; + chunk_t subject_oid, issuer_oid; + + if (pos) + { + *pos++ = '\0'; + issuer_oid = asn1_oid_from_string(arg); + subject_oid = asn1_oid_from_string(pos); + } + if (!pos || !issuer_oid.len || !subject_oid.len) + { + error = "--policy-map OIDs invalid"; + goto usage; + } + INIT(mapping, + .issuer = issuer_oid, + .subject = subject_oid, + ); + mappings->insert_last(mappings, mapping); + continue; + } + case 'E': + require_explicit = atoi(arg); + continue; + case 'H': + inhibit_mapping = atoi(arg); + continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -120,6 +229,10 @@ static int issue() { flags |= X509_CLIENT_AUTH; } + else if (streq(arg, "crlSign")) + { + flags |= X509_CRL_SIGN; + } else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; 
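Review bot: In `case 'M'` of the option loop, when one of the two OIDs parses and the other does not, the chunk returned by `asn1_oid_from_string` for the valid one is leaked before `goto usage`, and both chunks are uninitialized when `pos` is NULL, so they cannot simply be freed in the error path as written. Initialise them and release them before jumping: `chunk_t subject_oid = chunk_empty, issuer_oid = chunk_empty;` at the declaration, then `free(issuer_oid.ptr); free(subject_oid.ptr);` immediately before `goto usage`. Separately, `--policy-explicit`, `--policy-inhibit` and `--policy-any` use `atoi(arg)`, which silently turns non-numeric input into 0 and accepts negative values; if `X509_NO_CONSTRAINT` is a negative sentinel (not visible here), a user-supplied negative number would be indistinguishable from "no constraint", so parsing with `strtol` and rejecting `< 0` or trailing garbage, as the hunk already does for OIDs, would be consistent. The enclosing `issue()` starts and ends outside this hunk.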
@@ -128,11 +241,23 @@ static int issue() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { - return command_usage("invalid output format"); + error = "invalid output format"; + goto usage; } continue; case 'u': - cdps->insert_last(cdps, arg); + INIT(cdp, + .uri = arg, + ); + cdps->insert_last(cdps, cdp); + continue; + case 'I': + if (!cdp || cdp->issuer) + { + error = "--crlissuer must follow a --crl"; + goto usage; + } + cdp->issuer = identification_create_from_string(arg); continue; case 'o': ocsp->insert_last(ocsp, arg); @@ -145,12 +270,6 @@ static int issue() } break; } - - if (!pkcs10 && !dn) - { - error = "--dn is required"; - goto usage; - } if (!cacert) { error = "--cacert is required"; @@ -161,7 +280,7 @@ static int issue() error = "--cakey or --keyid is required"; goto usage; } - if (dn) + if (dn && *dn) { id = identification_create_from_string(dn); if (id->get_type(id) != ID_DER_ASN1_DN) @@ -306,6 +425,12 @@ static int issue() goto end; } + if (!id) + { + id = identification_create_from_encoding(ID_DER_ASN1_DN, + chunk_from_chars(ASN1_SEQUENCE, 0)); + } + not_before = time(NULL); not_after = not_before + lifetime * 24 * 60 * 60; @@ -317,7 +442,15 @@ static int issue() BUILD_SUBJECT_ALTNAMES, san, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_CRL_DISTRIBUTION_POINTS, cdps, - BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, + BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, + BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, mappings, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); if (!cert) { error = "generating certificate failed"; 
@@ -342,7 +475,11 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); - cdps->destroy(cdps); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); + cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -356,7 +493,11 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); - cdps->destroy(cdps); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); + cdps->destroy_function(cdps, (void*)destroy_cdp); ocsp->destroy(ocsp); return command_usage(error); } 
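Review bot: The list teardown is now duplicated verbatim between the `end:` and `usage:` labels in this and the following hunk (six destroy calls each), so any future list added to `issue()` has to be remembered in two places; the `-M` error path discussed earlier is exactly the kind of leak this duplication invites. Factor the six calls into a `static void destroy_lists(linked_list_t *san, linked_list_t *cdps, linked_list_t *ocsp, linked_list_t *permitted, linked_list_t *excluded, linked_list_t *policies, linked_list_t *mappings)` helper next to `destroy_cert_policy`/`destroy_policy_mapping`/`destroy_cdp`, and call it from both labels. Alternatively have `usage:` fall into `end:` with the `DESTROY_IF` lines made NULL-safe, as they already appear to be. Both labels belong to `issue()`, whose body lies outside the hunk.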
@@ -370,28 +511,42 @@ static void __attribute__ ((constructor))reg() issue, 'i', "issue", "issue a certificate using a CA certificate and key", {"[--in file] [--type pub|pkcs10] --cakey file | --cakeyid hex", - " --cacert file --dn subject-dn [--san subjectAltName]+", - "[--lifetime days] [--serial hex] [--crl uri]+ [--ocsp uri]+", - "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|ocspSigning]+", + " --cacert file [--dn subject-dn] [--san subjectAltName]+", + "[--lifetime days] [--serial hex] [--crl uri [--crlissuer i] ]+ [--ocsp uri]+", + "[--ca] [--pathlen len] [--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--nc-permitted name] [--nc-excluded name]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", + "[--policy-map issuer-oid:subject-oid]", + "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "public key/request file to issue, default: stdin"}, - {"type", 't', 1, "type of input, default: pub"}, - {"cacert", 'c', 1, "CA certificate file"}, - {"cakey", 'k', 1, "CA private key file"}, - {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, - {"dn", 'd', 1, "distinguished name to include as subject"}, - {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, - {"serial", 's', 1, "serial number in hex, default: random"}, - {"ca", 'b', 0, "include CA basicConstraint, default: no"}, - {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'e', 1, "include extendedKeyUsage flag"}, - {"crl", 'u', 1, "CRL distribution point URI to include"}, - {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated cert, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, 
"public key/request file to issue, default: stdin"}, + {"type", 't', 1, "type of input, default: pub"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"dn", 'd', 1, "distinguished name to include as subject"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"nc-permitted", 'n', 1, "add permitted NameConstraint"}, + {"nc-excluded", 'N', 1, "add excluded NameConstraint"}, + {"cert-policy", 'P', 1, "certificatePolicy OID to include"}, + {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"}, + {"user-notice", 'U', 1, "user notice for certificatePolicy"}, + {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"}, + {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"}, + {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"}, + {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"crl", 'u', 1, "CRL distribution point URI to include"}, + {"crlissuer", 'I', 1, "CRL Issuer for CRL at distribution point"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c index 870dca920..ee6f30c98 100644 --- a/src/pki/commands/print.c +++ b/src/pki/commands/print.c @@ -15,6 +15,7 @@ #include "pki.h" +#include #include #include #include 
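Review bot: The option table registers the mapping option as `{"policy-mapping", 'M', 1, ...}`, but the usage summary two lines above advertises `[--policy-map issuer-oid:subject-oid]` and the parser's error text in the earlier hunk reads `--policy-map OIDs invalid`; one of the two names is wrong and a user following the printed usage will get an unknown-option error. Pick one spelling (the summary and the error text both say `policy-map`) and use it in all three places. While here, the description `Certification Practice statement URI for certificatePolicy` mixes capitalisation; `Certification Practice Statement URI for certificatePolicy` matches the usual CPS expansion.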
@@ -72,8 +73,11 @@ static void print_x509(x509_t *x509) chunk_t chunk; bool first; char *uri; - int len; + int len, explicit, inhibit; x509_flag_t flags; + x509_cdp_t *cdp; + x509_cert_policy_t *policy; + x509_policy_mapping_t *mapping; chunk = x509->get_serial(x509); printf("serial: %#B\n", &chunk); @@ -105,6 +109,10 @@ static void print_x509(x509_t *x509) { printf("CA "); } + if (flags & X509_CRL_SIGN) + { + printf("CRLSign "); + } if (flags & X509_AA) { printf("AA "); @@ -133,17 +141,22 @@ static void print_x509(x509_t *x509) first = TRUE; enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &uri)) + while (enumerator->enumerate(enumerator, &cdp)) { if (first) { - printf("CRL URIs: %s\n", uri); + printf("CRL URIs: %s", cdp->uri); first = FALSE; } else { - printf(" %s\n", uri); + printf(" %s", cdp->uri); + } + if (cdp->issuer) + { + printf(" (CRL issuer: %Y)", cdp->issuer); } + printf("\n"); } enumerator->destroy(enumerator); 
@@ -163,12 +176,111 @@ static void print_x509(x509_t *x509) } enumerator->destroy(enumerator); - len = x509->get_pathLenConstraint(x509); - if (len != X509_NO_PATH_LEN_CONSTRAINT) + len = x509->get_constraint(x509, X509_PATH_LEN); + if (len != X509_NO_CONSTRAINT) { printf("pathlen: %d\n", len); } + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, TRUE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("Permitted NameConstraints:\n"); + first = FALSE; + } + printf(" %Y\n", id); + } + enumerator->destroy(enumerator); + first = TRUE; + enumerator = x509->create_name_constraint_enumerator(x509, FALSE); + while (enumerator->enumerate(enumerator, &id)) + { + if (first) + { + printf("Excluded NameConstraints:\n"); + first = FALSE; + } + printf(" %Y\n", id); + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_cert_policy_enumerator(x509); + while (enumerator->enumerate(enumerator, &policy)) + { + char *oid; + + if (first) + { + printf("CertificatePolicies:\n"); + first = FALSE; + } + oid = asn1_oid_to_string(policy->oid); + if (oid) + { + printf(" %s\n", oid); + free(oid); + } + else + { + printf(" %#B\n", &policy->oid); + } + if (policy->cps_uri) + { + printf(" CPS: %s\n", policy->cps_uri); + } + if (policy->unotice_text) + { + printf(" Notice: %s\n", policy->unotice_text); + + } + } + enumerator->destroy(enumerator); + + first = TRUE; + enumerator = x509->create_policy_mapping_enumerator(x509); + while (enumerator->enumerate(enumerator, &mapping)) + { + char *issuer_oid, *subject_oid; + + if (first) + { + printf("PolicyMappings:\n"); + first = FALSE; + } + issuer_oid = asn1_oid_to_string(mapping->issuer); + subject_oid = asn1_oid_to_string(mapping->subject); + printf(" %s => %s\n", issuer_oid, subject_oid); + free(issuer_oid); + free(subject_oid); + } + enumerator->destroy(enumerator); + + explicit = x509->get_constraint(x509, X509_REQUIRE_EXPLICIT_POLICY); + inhibit = 
x509->get_constraint(x509, X509_INHIBIT_POLICY_MAPPING); + len = x509->get_constraint(x509, X509_INHIBIT_ANY_POLICY); + + if (explicit != X509_NO_CONSTRAINT || inhibit != X509_NO_CONSTRAINT || + len != X509_NO_CONSTRAINT) + { + printf("PolicyConstraints:\n"); + if (explicit != X509_NO_CONSTRAINT) + { + printf(" requireExplicitPolicy: %d\n", explicit); + } + if (inhibit != X509_NO_CONSTRAINT) + { + printf(" inhibitPolicyMapping: %d\n", inhibit); + } + if (len != X509_NO_CONSTRAINT) + { + printf(" inhibitAnyPolicy: %d\n", len); + } + } + chunk = x509->get_authKeyIdentifier(x509); if (chunk.ptr) { @@ -212,14 +324,41 @@ static void print_crl(crl_t *crl) crl_reason_t reason; chunk_t chunk; int count = 0; + bool first; char buf[64]; struct tm tm; + x509_cdp_t *cdp; chunk = crl->get_serial(crl); printf("serial: %#B\n", &chunk); + if (crl->is_delta_crl(crl, &chunk)) + { + printf("delta CRL: for serial %#B\n", &chunk); + } chunk = crl->get_authKeyIdentifier(crl); printf("authKeyId: %#B\n", &chunk); + first = TRUE; + enumerator = crl->create_delta_crl_uri_enumerator(crl); + while (enumerator->enumerate(enumerator, &cdp)) + { + if (first) + { + printf("freshest: %s", cdp->uri); + first = FALSE; + } + else + { + printf(" %s", cdp->uri); + } + if (cdp->issuer) + { + printf(" (CRL issuer: %Y)", cdp->issuer); + } + printf("\n"); + } + enumerator->destroy(enumerator); + enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &chunk, &ts, &reason)) { diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c index 5e6f0bd14..c7788ff62 100644 --- a/src/pki/commands/self.c +++ b/src/pki/commands/self.c 
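Review bot: In the PolicyMappings loop, `issuer_oid` and `subject_oid` go straight into `printf(" %s => %s\n", ...)` without a NULL check, while the CertificatePolicies loop just above guards the same `asn1_oid_to_string()` result with `if (oid)` and falls back to `%#B`; a mapping whose OID cannot be converted reaches undefined behaviour. Mirror the fallback, e.g. `printf("  %s => %s\n", issuer_oid ? issuer_oid : "<invalid OID>", subject_oid ? subject_oid : "<invalid OID>");` (the two `free()` calls that follow are already fine on NULL). Since `pki --print` is run on certificates from arbitrary sources, the input-dependent branch is the one worth guarding. print_x509() starts before this hunk.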
@@ -20,6 +20,26 @@ #include #include #include +#include + +/** + * Free cert policy with OID + */ +static void destroy_cert_policy(x509_cert_policy_t *policy) +{ + free(policy->oid.ptr); + free(policy); +} + +/** + * Free policy mapping + */ +static void destroy_policy_mapping(x509_policy_mapping_t *mapping) +{ + free(mapping->issuer.ptr); + free(mapping->subject.ptr); + free(mapping); +} /** * Create a self signed certificate. @@ -34,17 +54,23 @@ static int self() public_key_t *public = NULL; char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL; identification_t *id = NULL; - linked_list_t *san, *ocsp; + linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings; int lifetime = 1095; - int pathlen = X509_NO_PATH_LEN_CONSTRAINT; + int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT; + int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT; chunk_t serial = chunk_empty; chunk_t encoding = chunk_empty; time_t not_before, not_after; x509_flag_t flags = 0; + x509_cert_policy_t *policy = NULL; char *arg; san = linked_list_create(); ocsp = linked_list_create(); + permitted = linked_list_create(); + excluded = linked_list_create(); + policies = linked_list_create(); + mappings = linked_list_create(); while (TRUE) { 
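Review bot: The doc comments on `destroy_cert_policy()` and `destroy_policy_mapping()` should state what they deliberately do not own: `cps_uri` and `unotice_text` are never freed because, per the option parsing in `self()`, they point into argv, whereas `oid`, `issuer` and `subject` are heap chunks from `asn1_oid_from_string()`. Suggested wording for the first: `/* Free cert policy with its OID chunk; cps_uri/unotice_text are argv strings and not owned */`, and for the second `/* Free policy mapping including both heap-allocated OID chunks */`. Without that, a later change that strdup()s the URI would silently leak.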
@@ -104,6 +130,79 @@ static int self() case 'p': pathlen = atoi(arg); continue; + case 'n': + permitted->insert_last(permitted, + identification_create_from_string(arg)); + continue; + case 'N': + excluded->insert_last(excluded, + identification_create_from_string(arg)); + continue; + case 'P': + { + chunk_t oid; + + oid = asn1_oid_from_string(arg); + if (!oid.len) + { + error = "--cert-policy OID invalid"; + goto usage; + } + INIT(policy, + .oid = oid, + ); + policies->insert_last(policies, policy); + continue; + } + case 'C': + if (!policy) + { + error = "--cps-uri must follow a --cert-policy"; + goto usage; + } + policy->cps_uri = arg; + continue; + case 'U': + if (!policy) + { + error = "--user-notice must follow a --cert-policy"; + goto usage; + } + policy->unotice_text = arg; + continue; + case 'M': + { + char *pos = strchr(arg, ':'); + x509_policy_mapping_t *mapping; + chunk_t subject_oid, issuer_oid; + + if (pos) + { + *pos++ = '\0'; + issuer_oid = asn1_oid_from_string(arg); + subject_oid = asn1_oid_from_string(pos); + } + if (!pos || !issuer_oid.len || !subject_oid.len) + { + error = "--policy-map OIDs invalid"; + goto usage; + } + INIT(mapping, + .issuer = issuer_oid, + .subject = subject_oid, + ); + mappings->insert_last(mappings, mapping); + continue; + } + case 'E': + require_explicit = atoi(arg); + continue; + case 'H': + inhibit_mapping = atoi(arg); + continue; + case 'A': + inhibit_any = atoi(arg); + continue; case 'e': if (streq(arg, "serverAuth")) { @@ -113,6 +212,10 @@ static int self() { flags |= X509_CLIENT_AUTH; } + else if (streq(arg, "crlSign")) + { + flags |= X509_CRL_SIGN; + } else if (streq(arg, "ocspSigning")) { flags |= X509_OCSP_SIGNER; @@ -121,7 +224,8 @@ static int self() case 'f': if (!get_form(arg, &form, CRED_CERTIFICATE)) { - return command_usage("invalid output format"); + error = "invalid output format"; + goto usage; } continue; case 'o': 
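Review bot: In `case 'M'`, when `pos` is found but only one of the two OIDs parses, the chunk returned for the other by `asn1_oid_from_string()` is never released before `goto usage`; initialise both (`chunk_t subject_oid = chunk_empty, issuer_oid = chunk_empty;`) and add `free(issuer_oid.ptr); free(subject_oid.ptr);` on the error path. The error string says `--policy-map` while the option table in the reg() hunk further down registers `policy-mapping` (and its usage line says `--policy-map` again); the three spellings should agree. The new `E`/`H`/`A` cases copy the existing `pathlen` pattern of `atoi()`, which silently maps non-numeric input to 0 — `strtol()` with an end-pointer check would reject it, though that is a pre-existing style in this function. self() begins before this hunk and continues after it.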
@@ -206,7 +310,15 @@ static int self() BUILD_NOT_AFTER_TIME, not_after, BUILD_SERIAL, serial, BUILD_DIGEST_ALG, digest, BUILD_X509_FLAG, flags, BUILD_PATHLEN, pathlen, BUILD_SUBJECT_ALTNAMES, san, - BUILD_OCSP_ACCESS_LOCATIONS, ocsp, BUILD_END); + BUILD_OCSP_ACCESS_LOCATIONS, ocsp, + BUILD_PERMITTED_NAME_CONSTRAINTS, permitted, + BUILD_EXCLUDED_NAME_CONSTRAINTS, excluded, + BUILD_CERTIFICATE_POLICIES, policies, + BUILD_POLICY_MAPPINGS, mappings, + BUILD_POLICY_REQUIRE_EXPLICIT, require_explicit, + BUILD_POLICY_INHIBIT_MAPPING, inhibit_mapping, + BUILD_POLICY_INHIBIT_ANY, inhibit_any, + BUILD_END); if (!cert) { error = "generating certificate failed"; @@ -229,6 +341,10 @@ end: DESTROY_IF(public); DESTROY_IF(private); san->destroy_offset(san, offsetof(identification_t, destroy)); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); free(encoding.ptr); free(serial.ptr); @@ -242,6 +358,10 @@ end: usage: san->destroy_offset(san, offsetof(identification_t, destroy)); + permitted->destroy_offset(permitted, offsetof(identification_t, destroy)); + excluded->destroy_offset(excluded, offsetof(identification_t, destroy)); + policies->destroy_function(policies, (void*)destroy_cert_policy); + mappings->destroy_function(mappings, (void*)destroy_policy_mapping); ocsp->destroy(ocsp); return command_usage(error); } 
@@ -257,23 +377,36 @@ static void __attribute__ ((constructor))reg() {"[--in file | --keyid hex] [--type rsa|ecdsa]", " --dn distinguished-name [--san subjectAltName]+", "[--lifetime days] [--serial hex] [--ca] [--ocsp uri]+", - "[--flag serverAuth|clientAuth|ocspSigning]+", + "[--flag serverAuth|clientAuth|crlSign|ocspSigning]+", + "[--nc-permitted name] [--nc-excluded name]", + "[--cert-policy oid [--cps-uri uri] [--user-notice text] ]+", + "[--policy-map issuer-oid:subject-oid]", + "[--policy-explicit len] [--policy-inhibit len] [--policy-any len]", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"in", 'i', 1, "private key input file, default: stdin"}, - {"keyid", 'x', 1, "keyid on smartcard of private key"}, - {"type", 't', 1, "type of input key, default: rsa"}, - {"dn", 'd', 1, "subject and issuer distinguished name"}, - {"san", 'a', 1, "subjectAltName to include in certificate"}, - {"lifetime",'l', 1, "days the certificate is valid, default: 1095"}, - {"serial", 's', 1, "serial number in hex, default: random"}, - {"ca", 'b', 0, "include CA basicConstraint, default: no"}, - {"pathlen", 'p', 1, "set path length constraint"}, - {"flag", 'e', 1, "include extendedKeyUsage flag"}, - {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated cert, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"in", 'i', 1, "private key input file, default: stdin"}, + {"keyid", 'x', 1, "keyid on smartcard of private key"}, + {"type", 't', 1, "type of input key, default: rsa"}, + {"dn", 'd', 1, "subject and issuer distinguished name"}, + {"san", 'a', 1, "subjectAltName to include in certificate"}, + {"lifetime", 'l', 1, "days the certificate is valid, default: 1095"}, + {"serial", 's', 1, "serial number in hex, default: random"}, + {"ca", 'b', 0, "include CA basicConstraint, 
default: no"}, + {"pathlen", 'p', 1, "set path length constraint"}, + {"nc-permitted", 'n', 1, "add permitted NameConstraint"}, + {"nc-excluded", 'N', 1, "add excluded NameConstraint"}, + {"cert-policy", 'P', 1, "certificatePolicy OID to include"}, + {"cps-uri", 'C', 1, "Certification Practice statement URI for certificatePolicy"}, + {"user-notice", 'U', 1, "user notice for certificatePolicy"}, + {"policy-mapping", 'M', 1, "policyMapping from issuer to subject OID"}, + {"policy-explicit", 'E', 1, "requireExplicitPolicy constraint"}, + {"policy-inhibit", 'H', 1, "inhibitPolicyMapping constraint"}, + {"policy-any", 'A', 1, "inhibitAnyPolicy constraint"}, + {"flag", 'e', 1, "include extendedKeyUsage flag"}, + {"ocsp", 'o', 1, "OCSP AuthorityInfoAccess URI to include"}, + {"digest", 'g', 1, "digest for signature creation, default: sha1"}, + {"outform", 'f', 1, "encoding of generated cert, default: der"}, } }); } diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c index 24bf9123f..4b1c12e5c 100644 --- a/src/pki/commands/signcrl.c +++ b/src/pki/commands/signcrl.c @@ -97,6 +97,15 @@ static int read_serial(char *file, char *buf, int buflen) return serial.len; } +/** + * Destroy a CDP + */ +static void cdp_destroy(x509_cdp_t *this) +{ + free(this->uri); + free(this); +} + /** * Sign a CRL */ 
@@ -110,16 +119,19 @@ static int sign_crl() x509_t *x509; hash_algorithm_t digest = HASH_SHA1; char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL; + char *basecrl = NULL; char serial[512], crl_serial[8], *keyid = NULL; int serial_len = 0; crl_reason_t reason = CRL_REASON_UNSPECIFIED; time_t thisUpdate, nextUpdate, date = time(NULL); int lifetime = 15; - linked_list_t *list; + linked_list_t *list, *cdps; enumerator_t *enumerator, *lastenum = NULL; - chunk_t encoding = chunk_empty; + x509_cdp_t *cdp; + chunk_t encoding = chunk_empty, baseCrlNumber = chunk_empty; list = linked_list_create(); + cdps = linked_list_create(); memset(crl_serial, 0, sizeof(crl_serial)); @@ -190,6 +202,15 @@ static int sign_crl() reason = CRL_REASON_UNSPECIFIED; continue; } + case 'b': + basecrl = arg; + continue; + case 'u': + INIT(cdp, + .uri = strdup(arg), + ); + cdps->insert_last(cdps, cdp); + continue; case 'r': if (streq(arg, "key-compromise")) { @@ -262,9 +283,9 @@ static int sign_crl() goto error; } x509 = (x509_t*)ca; - if (!(x509->get_flags(x509) & X509_CA)) + if (!(x509->get_flags(x509) & (X509_CA | X509_CRL_SIGN))) { - error = "CA certificate misses CA basicConstraint"; + error = "CA certificate misses CA basicConstraint / CRLSign keyUsage"; goto error; } public = ca->get_public_key(ca); @@ -302,6 +323,22 @@ static int sign_crl() thisUpdate = time(NULL); nextUpdate = thisUpdate + lifetime * 24 * 60 * 60; + if (basecrl) + { + lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, + BUILD_FROM_FILE, basecrl, BUILD_END); + if (!lastcrl) + { + error = "loading base CRL failed"; + goto error; + } + memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr, + min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); + baseCrlNumber = chunk_clone(lastcrl->get_serial(lastcrl)); + DESTROY_IF((certificate_t*)lastcrl); + lastcrl = NULL; + } + if (lastupdate) { lastcrl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL, 
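Review bot: With both `--basecrl` and `--lastcrl` given, the `crl_serial` seeded from the base CRL in the new block is immediately overwritten by the `lastupdate` branch that follows (its `memcpy` into `crl_serial` is visible in the next hunk), so the delta's CRL number is derived from the last CRL rather than the base; if that precedence is intended it deserves a comment such as `/* --lastcrl takes precedence over --basecrl for the CRL number */`, otherwise the base-CRL seeding should be skipped when `lastupdate` is set. `lastcrl->get_serial(lastcrl)` is also called three times in a row, twice inside `min()`; capturing it once in a local `chunk_t` avoids the double evaluation. The relaxed check `X509_CA | X509_CRL_SIGN` is consistent with RFC 5280, which ties CRL signing to the cRLSign keyUsage bit rather than the CA basicConstraint, so that part reads correctly. sign_crl() starts before this hunk and continues after it.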
@@ -315,6 +352,10 @@ static int sign_crl() min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial))); lastenum = lastcrl->create_enumerator(lastcrl); } + else + { + lastenum = enumerator_create_empty(); + } chunk_increment(chunk_create(crl_serial, sizeof(crl_serial))); @@ -324,11 +365,12 @@ static int sign_crl() BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca, BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)), BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate, - BUILD_REVOKED_ENUMERATOR, enumerator, BUILD_DIGEST_ALG, digest, - lastenum ? BUILD_REVOKED_ENUMERATOR : BUILD_END, lastenum, + BUILD_REVOKED_ENUMERATOR, enumerator, + BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest, + BUILD_CRL_DISTRIBUTION_POINTS, cdps, BUILD_BASE_CRL, baseCrlNumber, BUILD_END); enumerator->destroy(enumerator); - DESTROY_IF(lastenum); + lastenum->destroy(lastenum); DESTROY_IF((certificate_t*)lastcrl); if (!crl) @@ -353,7 +395,9 @@ error: DESTROY_IF(ca); DESTROY_IF(crl); free(encoding.ptr); + free(baseCrlNumber.ptr); list->destroy_function(list, (void*)revoked_destroy); + cdps->destroy_function(cdps, (void*)cdp_destroy); if (error) { fprintf(stderr, "%s\n", error); @@ -363,6 +407,7 @@ error: usage: list->destroy_function(list, (void*)revoked_destroy); + cdps->destroy_function(cdps, (void*)cdp_destroy); return command_usage(error); } 
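Review bot: The builder call now receives `BUILD_REVOKED_ENUMERATOR` twice (`enumerator` and `lastenum`), which only works if the x509 CRL builder accumulates every such enumerator instead of keeping the last one; that contract is not visible here and should be stated above the call, e.g. `/* the builder consumes every BUILD_REVOKED_ENUMERATOR: new revocations first, then those copied from --lastcrl */`. The unconditional `lastenum->destroy(lastenum)` is safe only because of the new `enumerator_create_empty()` branch in the previous hunk; a comment on that `else` (`/* keep lastenum non-NULL so the builder and cleanup need no special case */`) ties the two together for the next reader.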
@@ -375,24 +420,27 @@ static void __attribute__ ((constructor))reg() sign_crl, 'c', "signcrl", "issue a CRL using a CA certificate and key", {"--cacert file --cakey file | --cakeyid hex --lifetime days", + "[--lastcrl crl] [--basecrl crl] [--crluri uri ]+", "[ [--reason key-compromise|ca-compromise|affiliation-changed|", " superseded|cessation-of-operation|certificate-hold]", " [--date timestamp]", " --cert file | --serial hex ]*", "[--digest md5|sha1|sha224|sha256|sha384|sha512] [--outform der|pem]"}, { - {"help", 'h', 0, "show usage information"}, - {"cacert", 'c', 1, "CA certificate file"}, - {"cakey", 'k', 1, "CA private key file"}, - {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, - {"lifetime",'l', 1, "days the CRL gets a nextUpdate, default: 15"}, - {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, - {"cert", 'z', 1, "certificate file to revoke"}, - {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, - {"reason", 'r', 1, "reason for certificate revocation"}, - {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, - {"digest", 'g', 1, "digest for signature creation, default: sha1"}, - {"outform", 'f', 1, "encoding of generated crl, default: der"}, + {"help", 'h', 0, "show usage information"}, + {"cacert", 'c', 1, "CA certificate file"}, + {"cakey", 'k', 1, "CA private key file"}, + {"cakeyid", 'x', 1, "keyid on smartcard of CA private key"}, + {"lifetime", 'l', 1, "days the CRL gets a nextUpdate, default: 15"}, + {"lastcrl", 'a', 1, "CRL of lastUpdate to copy revocations from"}, + {"basecrl", 'b', 1, "base CRL to create a delta CRL for"}, + {"crluri", 'u', 1, "freshest delta CRL URI to include"}, + {"cert", 'z', 1, "certificate file to revoke"}, + {"serial", 's', 1, "hex encoded certificate serial number to revoke"}, + {"reason", 'r', 1, "reason for certificate revocation"}, + {"date", 'd', 1, "revocation date as unix timestamp, default: now"}, + {"digest", 'g', 1, "digest for signature creation, 
default: sha1"}, + {"outform", 'f', 1, "encoding of generated crl, default: der"}, } }); } diff --git a/src/pluto/Makefile.in b/src/pluto/Makefile.in index 080530f86..1428854ee 100644 --- a/src/pluto/Makefile.in +++ b/src/pluto/Makefile.in @@ -304,9 +304,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -345,6 +343,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pluto/ca.c b/src/pluto/ca.c index 2654774fa..add85def8 100644 --- a/src/pluto/ca.c +++ b/src/pluto/ca.c @@ -629,7 +629,7 @@ void add_ca_info(const whack_message_t *msg) if (strncasecmp(msg->ocspuri, "http", 4) == 0) ca->ocspuri = clone_str(msg->ocspuri); else - plog(" ignoring ocspuri with unkown protocol"); + plog(" ignoring ocspuri with unknown protocol"); } /* add crl uris */ diff --git a/src/pluto/crl.c b/src/pluto/crl.c index c8fb107d5..1c9c9a8cc 100644 --- a/src/pluto/crl.c +++ b/src/pluto/crl.c @@ -352,7 +352,7 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, x509crl_t *x509crl; ca_info_t *ca; enumerator_t *enumerator; - char *point; + x509_cdp_t *cdp; ca = get_ca_info(issuer, authKeyID); @@ -376,9 +376,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &point)) + while (enumerator->enumerate(enumerator, &cdp)) { - add_distribution_point(crluris, point); + add_distribution_point(crluris, cdp->uri); } enumerator->destroy(enumerator); 
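Review bot: Both crl.c call sites keep `cdp->uri` and silently drop the new `cdp->issuer` field (the second hunk at `@@ -416,9 +416,9 @@` does the same), so a distribution point that names a different CRL issuer is fetched and then, presumably, validated against the certificate's own issuer. If pluto has no indirect-CRL support, such CDPs should be skipped (`if (cdp->issuer) { continue; }`) or at least carry a comment `/* indirect CRLs (cdp->issuer set) are not supported here; the URI is used as-is */`. verify_by_crl() starts before these hunks.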
@@ -416,9 +416,9 @@ cert_status_t verify_by_crl(cert_t *cert, time_t *until, time_t *revocationDate, } enumerator = x509->create_crl_uri_enumerator(x509); - while (enumerator->enumerate(enumerator, &point)) + while (enumerator->enumerate(enumerator, &cdp)) { - add_distribution_point(x509crl->distributionPoints, point); + add_distribution_point(x509crl->distributionPoints, cdp->uri); } enumerator->destroy(enumerator); diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c index 0684de618..f01966c72 100644 --- a/src/pluto/crypto.c +++ b/src/pluto/crypto.c @@ -26,14 +26,15 @@ static struct encrypt_desc encrypt_desc_3des = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_3DES_CBC, - algo_next: NULL, - - enc_blocksize: DES_BLOCK_SIZE, - keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, - keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, - keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_3DES_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: DES_BLOCK_SIZE, + keydeflen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keyminlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, + keymaxlen: DES_BLOCK_SIZE * 3 * BITS_PER_BYTE, }; #define AES_KEY_MIN_LEN 128 @@ -42,14 +43,15 @@ static struct encrypt_desc encrypt_desc_3des = static struct encrypt_desc encrypt_desc_aes = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_AES_CBC, - algo_next: NULL, - - enc_blocksize: AES_BLOCK_SIZE, - keyminlen: AES_KEY_MIN_LEN, - keydeflen: AES_KEY_DEF_LEN, - keymaxlen: AES_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_AES_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: AES_BLOCK_SIZE, + keyminlen: AES_KEY_MIN_LEN, + keydeflen: AES_KEY_DEF_LEN, + keymaxlen: AES_KEY_MAX_LEN, }; #define CAMELLIA_KEY_MIN_LEN 128 
@@ -58,14 +60,15 @@ static struct encrypt_desc encrypt_desc_aes = static struct encrypt_desc encrypt_desc_camellia = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_CAMELLIA_CBC, - algo_next: NULL, - - enc_blocksize: CAMELLIA_BLOCK_SIZE, - keyminlen: CAMELLIA_KEY_MIN_LEN, - keydeflen: CAMELLIA_KEY_DEF_LEN, - keymaxlen: CAMELLIA_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_CAMELLIA_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: CAMELLIA_BLOCK_SIZE, + keyminlen: CAMELLIA_KEY_MIN_LEN, + keydeflen: CAMELLIA_KEY_DEF_LEN, + keymaxlen: CAMELLIA_KEY_MAX_LEN, }; #define BLOWFISH_KEY_MIN_LEN 128 @@ -73,14 +76,15 @@ static struct encrypt_desc encrypt_desc_camellia = static struct encrypt_desc encrypt_desc_blowfish = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_BLOWFISH_CBC, - algo_next: NULL, - - enc_blocksize: BLOWFISH_BLOCK_SIZE, - keyminlen: BLOWFISH_KEY_MIN_LEN, - keydeflen: BLOWFISH_KEY_MIN_LEN, - keymaxlen: BLOWFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_BLOWFISH_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: BLOWFISH_BLOCK_SIZE, + keyminlen: BLOWFISH_KEY_MIN_LEN, + keydeflen: BLOWFISH_KEY_MIN_LEN, + keymaxlen: BLOWFISH_KEY_MAX_LEN, }; #define SERPENT_KEY_MIN_LEN 128 @@ -89,14 +93,15 @@ static struct encrypt_desc encrypt_desc_blowfish = static struct encrypt_desc encrypt_desc_serpent = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_SERPENT_CBC, - algo_next: NULL, - - enc_blocksize: SERPENT_BLOCK_SIZE, - keyminlen: SERPENT_KEY_MIN_LEN, - keydeflen: SERPENT_KEY_DEF_LEN, - keymaxlen: SERPENT_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_SERPENT_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: SERPENT_BLOCK_SIZE, + keyminlen: SERPENT_KEY_MIN_LEN, + keydeflen: SERPENT_KEY_DEF_LEN, + keymaxlen: SERPENT_KEY_MAX_LEN, }; #define TWOFISH_KEY_MIN_LEN 128 
@@ -105,32 +110,35 @@ static struct encrypt_desc encrypt_desc_serpent = static struct encrypt_desc encrypt_desc_twofish = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_TWOFISH_CBC, - algo_next: NULL, - - enc_blocksize: TWOFISH_BLOCK_SIZE, - keydeflen: TWOFISH_KEY_MIN_LEN, - keyminlen: TWOFISH_KEY_DEF_LEN, - keymaxlen: TWOFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, }; static struct encrypt_desc encrypt_desc_twofish_ssh = { - algo_type: IKE_ALG_ENCRYPT, - algo_id: OAKLEY_TWOFISH_CBC_SSH, - algo_next: NULL, - - enc_blocksize: TWOFISH_BLOCK_SIZE, - keydeflen: TWOFISH_KEY_MIN_LEN, - keyminlen: TWOFISH_KEY_DEF_LEN, - keymaxlen: TWOFISH_KEY_MAX_LEN, + algo_type: IKE_ALG_ENCRYPT, + algo_id: OAKLEY_TWOFISH_CBC_SSH, + plugin_name: NULL, + algo_next: NULL, + + enc_blocksize: TWOFISH_BLOCK_SIZE, + keydeflen: TWOFISH_KEY_MIN_LEN, + keyminlen: TWOFISH_KEY_DEF_LEN, + keymaxlen: TWOFISH_KEY_MAX_LEN, }; static struct hash_desc hash_desc_md5 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_MD5, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_MD5, }; @@ -139,6 +147,7 @@ static struct hash_desc hash_desc_sha1 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA1, }; @@ -146,6 +155,7 @@ static struct hash_desc hash_desc_sha1 = static struct hash_desc hash_desc_sha2_256 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_256, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA256, }; @@ -153,6 +163,7 @@ static struct hash_desc hash_desc_sha2_256 = { static struct hash_desc hash_desc_sha2_384 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_384, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA384, }; 
@@ -160,120 +171,136 @@ static struct hash_desc hash_desc_sha2_384 = { static struct hash_desc hash_desc_sha2_512 = { algo_type: IKE_ALG_HASH, algo_id: OAKLEY_SHA2_512, + plugin_name: NULL, algo_next: NULL, hash_digest_size: HASH_SIZE_SHA512, }; const struct dh_desc unset_group = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_NONE, - algo_next: NULL, - ke_size: 0 + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_NONE, + plugin_name: NULL, + algo_next: NULL, + ke_size: 0 }; static struct dh_desc dh_desc_modp_1024 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_1024_BIT, - algo_next: NULL, - ke_size: 1024 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1024_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 1024 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_1536 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_1536_BIT, - algo_next: NULL, - ke_size: 1536 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1536_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 1536 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_2048 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_2048_BIT, - algo_next: NULL, - ke_size: 2048 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_BIT, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_3072 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_3072_BIT, - algo_next: NULL, - ke_size: 3072 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_3072_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 3072 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_4096 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_4096_BIT, - algo_next: NULL, - ke_size: 4096 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_4096_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 4096 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_6144 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_6144_BIT, - algo_next: NULL, - 
ke_size: 6144 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_6144_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 6144 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_8192 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_8192_BIT, - algo_next: NULL, - ke_size: 8192 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_8192_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 8192 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_256 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_256_BIT, - algo_next: NULL, - ke_size: 2*256 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_256_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*256 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_384 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_384_BIT, - algo_next: NULL, - ke_size: 2*384 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_384_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*384 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_521 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_521_BIT, - algo_next: NULL, - ke_size: 2*528 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_521_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*528 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_1024_160 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_1024_160, - algo_next: NULL, - ke_size: 1024 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_1024_160, + plugin_name: NULL, + algo_next: NULL, + ke_size: 1024 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_2048_224 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_2048_224, - algo_next: NULL, - ke_size: 2048 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_224, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE }; static struct dh_desc dh_desc_modp_2048_256 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: MODP_2048_256, - algo_next: NULL, - ke_size: 
2048 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: MODP_2048_256, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2048 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_192 = { - algo_type: IKE_ALG_DH_GROUP, - algo_id: ECP_192_BIT, - algo_next: NULL, - ke_size: 2*192 / BITS_PER_BYTE + algo_type: IKE_ALG_DH_GROUP, + algo_id: ECP_192_BIT, + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*192 / BITS_PER_BYTE }; static struct dh_desc dh_desc_ecp_224 = { algo_type: IKE_ALG_DH_GROUP, algo_id: ECP_224_BIT, - algo_next: NULL, - ke_size: 2*224 / BITS_PER_BYTE + plugin_name: NULL, + algo_next: NULL, + ke_size: 2*224 / BITS_PER_BYTE }; bool init_crypto(void) @@ -282,11 +309,12 @@ bool init_crypto(void) encryption_algorithm_t encryption_alg; hash_algorithm_t hash_alg; diffie_hellman_group_t dh_group; + const char *plugin_name; bool no_md5 = TRUE; bool no_sha1 = TRUE; enumerator = lib->crypto->create_hasher_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &hash_alg)) + while (enumerator->enumerate(enumerator, &hash_alg, &plugin_name)) { const struct hash_desc *desc; @@ -312,7 +340,7 @@ bool init_crypto(void) default: continue; } - ike_alg_add((struct ike_alg *)desc); + ike_alg_add((struct ike_alg *)desc, plugin_name); } enumerator->destroy(enumerator); @@ -326,7 +354,7 @@ bool init_crypto(void) } enumerator = lib->crypto->create_crypter_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &encryption_alg)) + while (enumerator->enumerate(enumerator, &encryption_alg, &plugin_name)) { const struct encrypt_desc *desc; @@ -346,7 +374,8 @@ bool init_crypto(void) break; case ENCR_TWOFISH_CBC: desc = &encrypt_desc_twofish; - ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh); + ike_alg_add((struct ike_alg *)&encrypt_desc_twofish_ssh, + plugin_name); break; case ENCR_SERPENT_CBC: desc = &encrypt_desc_serpent; 
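Review bot: `dh_desc_modp_2048` is the only descriptor in this hunk whose initializer omits `plugin_name: NULL`; static storage is zero-initialised and `ike_alg_add()` overwrites the field anyway, so behaviour is unchanged, but the asymmetry reads as an oversight — add the line for consistency with its siblings. These initializers also keep the GCC-only `field: value` syntax; moving to C99 `.field = value` is a separate cleanup, but since the new field is being threaded through every descriptor this would have been the moment.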
@@ -354,12 +383,12 @@ bool init_crypto(void) default: continue; } - ike_alg_add((struct ike_alg *)desc); + ike_alg_add((struct ike_alg *)desc, plugin_name); } enumerator->destroy(enumerator); enumerator = lib->crypto->create_dh_enumerator(lib->crypto); - while (enumerator->enumerate(enumerator, &dh_group)) + while (enumerator->enumerate(enumerator, &dh_group, &plugin_name)) { const struct dh_desc *desc; @@ -413,7 +442,7 @@ bool init_crypto(void) default: continue; } - ike_alg_add((struct ike_alg *)desc); + ike_alg_add((struct ike_alg *)desc, plugin_name); } enumerator->destroy(enumerator); return TRUE; diff --git a/src/pluto/demux.c b/src/pluto/demux.c index 0590a3585..249e645ed 100644 --- a/src/pluto/demux.c +++ b/src/pluto/demux.c @@ -1147,7 +1147,7 @@ read_packet(struct msg_digest *md) } else if (from_ugh != NULL) { - plog("recvfrom on %s returned misformed source sockaddr: %s" + plog("recvfrom on %s returned malformed source sockaddr: %s" , ifp->rname, from_ugh); return FALSE; } diff --git a/src/pluto/ike_alg.c b/src/pluto/ike_alg.c index 08353907e..a36b5ce4e 100644 --- a/src/pluto/ike_alg.c +++ b/src/pluto/ike_alg.c @@ -72,7 +72,7 @@ static struct ike_alg *ike_alg_find(u_int algo_type, u_int algo_id, /** * "raw" ike_alg list adding function */ -int ike_alg_add(struct ike_alg* a) +int ike_alg_add(struct ike_alg* a, const char *plugin_name) { if (a->algo_type > IKE_ALG_MAX) { @@ -96,6 +96,7 @@ int ike_alg_add(struct ike_alg* a) e = *ep; } *ep = a; + a->plugin_name = plugin_name; a->algo_next = e; return 0; } 
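Review bot: `ike_alg_add()` stores `plugin_name` by pointer (`a->plugin_name = plugin_name;`) without copying, so each registration silently depends on the string outliving the algorithm entry; the header comment should say so, e.g. `/* plugin_name is kept by reference and must stay valid for the lifetime of the registration (it is printed by ike_alg_list) */`. The matching prototype change in ike_alg.h further down should carry the same note, and callers in crypto.c pass whatever the crypto enumerators hand out, so the lifetime guarantee ultimately rests on those enumerators.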
@@ -303,64 +304,72 @@ fail: return db_ctx; } +/** + * Print the name of an algorithm plus the name of the plugin that registered it + */ +static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type, + const char *plugin_name) +{ + char alg_name[BUF_LEN]; + int alg_name_len; + + alg_name_len = sprintf(alg_name, " %s[%s]", enum_name(alg_names, alg_type), + plugin_name); + if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) + { + whack_log(RC_COMMENT, "%s", buf); + *len = sprintf(buf, " "); + } + sprintf(buf + *len, "%s", alg_name); + *len += alg_name_len; +} + /** * Show registered IKE algorithms */ void ike_alg_list(void) { + rng_quality_t quality; + enumerator_t *enumerator; + const char *plugin_name; char buf[BUF_LEN]; - char *pos; - int n, len; + int len; struct ike_alg *a; whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of registered IKEv1 Algorithms:"); whack_log(RC_COMMENT, " "); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " encryption:"); for (a = ike_alg_base[IKE_ALG_ENCRYPT]; a != NULL; a = a->algo_next) { - n = snprintf(pos, len, " %s", enum_name(&oakley_enc_names, a->algo_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &oakley_enc_names, a->algo_id, a->plugin_name); } - whack_log(RC_COMMENT, " encryption:%s", buf); + whack_log(RC_COMMENT, "%s", buf); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " integrity: "); for (a = ike_alg_base[IKE_ALG_HASH]; a != NULL; a = a->algo_next) { - n = snprintf(pos, len, " %s", enum_name(&oakley_hash_names, a->algo_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &oakley_hash_names, a->algo_id, a->plugin_name); } - whack_log(RC_COMMENT, " integrity: %s", buf); + whack_log(RC_COMMENT, "%s", buf); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " dh-group: "); for (a = ike_alg_base[IKE_ALG_DH_GROUP]; a != NULL; a = a->algo_next) { - n = snprintf(pos, len, " %s", 
enum_name(&oakley_group_names, a->algo_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &oakley_group_names, a->algo_id, a->plugin_name); + } + whack_log(RC_COMMENT, "%s", buf); + + len = sprintf(buf, " random-gen:"); + enumerator = lib->crypto->create_rng_enumerator(lib->crypto); + while (enumerator->enumerate(enumerator, &quality, &plugin_name)) + { + len += sprintf(buf + len, " %N[%s]", rng_quality_names, quality, + plugin_name); } - whack_log(RC_COMMENT, " dh-group: %s", buf); + enumerator->destroy(enumerator); + whack_log(RC_COMMENT, "%s", buf); } /** diff --git a/src/pluto/ike_alg.h b/src/pluto/ike_alg.h index 458d14c3a..c3ce8bb38 100644 --- a/src/pluto/ike_alg.h +++ b/src/pluto/ike_alg.h @@ -22,12 +22,14 @@ struct ike_alg { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; }; struct encrypt_desc { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; size_t enc_blocksize; @@ -39,6 +41,7 @@ struct encrypt_desc { struct hash_desc { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; size_t hash_digest_size; @@ -47,6 +50,7 @@ struct hash_desc { struct dh_desc { u_int16_t algo_type; u_int16_t algo_id; + const char *plugin_name; struct ike_alg *algo_next; size_t ke_size; @@ -57,7 +61,7 @@ struct dh_desc { #define IKE_ALG_DH_GROUP 2 #define IKE_ALG_MAX IKE_ALG_DH_GROUP -extern int ike_alg_add(struct ike_alg *a); +extern int ike_alg_add(struct ike_alg *a, const char *plugin_name); extern struct hash_desc *ike_alg_get_hasher(u_int alg); extern struct encrypt_desc *ike_alg_get_crypter(u_int alg); extern struct dh_desc *ike_alg_get_dh_group(u_int alg); diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c index e57822ffb..104b6c2d4 100644 --- a/src/pluto/kernel.c +++ b/src/pluto/kernel.c 
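Review bot: print_alg drops the bounded snprintf/len bookkeeping of the old loops in favour of unbounded `sprintf` into `alg_name[BUF_LEN]` and into `buf + *len`, so the only thing keeping the write inside buf is the unstated invariant that CRYPTO_MAX_ALG_LINE plus one algorithm name fits below BUF_LEN; passing a NULL plugin_name to `%s` is also undefined behaviour, and the new random-gen loop at the end of ike_alg_list appends with `len += sprintf(buf + len, ...)` with neither the wrap check nor any bound. The names come from registered plugins rather than from the network, so the exposure is limited, but I would keep the bound that the old code had: `alg_name_len = snprintf(alg_name, sizeof(alg_name), " %s[%s]", enum_name(alg_names, alg_type), plugin_name ? plugin_name : "?");` and `snprintf(buf + *len, BUF_LEN - *len, "%s", alg_name);`, guarded by `if (*len + alg_name_len >= BUF_LEN) return;`. The print_alg added to src/pluto/kernel_alg.c in a later hunk has the same unbounded sprintf pattern (without the plugin_name argument) and should get the same treatment.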
@@ -1183,7 +1183,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, ipcomp_spi, said_next->proto, c->spd.reqid, - mark, <_none, ENCR_UNDEFINED, chunk_empty, + mark, 0, <_none, ENCR_UNDEFINED, chunk_empty, AUTH_UNDEFINED, chunk_empty, mode, st->st_ipcomp.attrs.transid, 0 /* cpi */, FALSE, inbound, NULL, NULL) != SUCCESS) @@ -1292,7 +1292,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, esp_spi, said_next->proto, c->spd.reqid, - mark, <_none, enc_alg, enc_key, + mark, 0, <_none, enc_alg, enc_key, auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, encap, inbound, NULL, NULL) != SUCCESS) { @@ -1325,7 +1325,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound) if (hydra->kernel_interface->add_sa(hydra->kernel_interface, host_src, host_dst, ah_spi, said_next->proto, c->spd.reqid, - mark, <_none, ENCR_UNDEFINED, chunk_empty, + mark, 0, <_none, ENCR_UNDEFINED, chunk_empty, auth_alg, auth_key, mode, IPCOMP_NONE, 0 /* cpi */, FALSE, inbound, NULL, NULL) != SUCCESS) { diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c index 2a195cffc..c82c376f8 100644 --- a/src/pluto/kernel_alg.c +++ b/src/pluto/kernel_alg.c 
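Review bot: The argument inserted after `mark` in each of the three add_sa calls is a bare `0`, while the neighbouring `0 /* cpi */` on the same call documents what its literal means; the new parameter is presumably the TFC padding value this release introduces (the starter gains a tfc keyword elsewhere in this diff), so writing it as `mark, 0 /* tfc */,` would keep the three call sites readable. This applies to all three hunks in this file; setup_half_ipsec_sa begins and ends outside each of them.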
@@ -397,55 +397,55 @@ struct sadb_alg* kernel_alg_esp_sadb_alg(u_int alg_id) return sadb_alg; } +/** + * Print the name of a kernel algorithm + */ +static void print_alg(char *buf, int *len, enum_names *alg_names, int alg_type) +{ + char alg_name[BUF_LEN]; + int alg_name_len; + + alg_name_len = sprintf(alg_name, " %s", enum_name(alg_names, alg_type)); + if (*len + alg_name_len > CRYPTO_MAX_ALG_LINE) + { + whack_log(RC_COMMENT, "%s", buf); + *len = sprintf(buf, " "); + } + sprintf(buf + *len, "%s", alg_name); + *len += alg_name_len; +} + void kernel_alg_list(void) { char buf[BUF_LEN]; - char *pos; - int n, len; + int len; u_int sadb_id; whack_log(RC_COMMENT, " "); whack_log(RC_COMMENT, "List of registered ESP Algorithms:"); whack_log(RC_COMMENT, " "); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " encryption:"); for (sadb_id = 1; sadb_id <= SADB_EALG_MAX; sadb_id++) { if (ESP_EALG_PRESENT(sadb_id)) { - n = snprintf(pos, len, " %s", - enum_name(&esp_transform_names, sadb_id)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &esp_transform_names, sadb_id); } } - whack_log(RC_COMMENT, " encryption:%s", buf); + whack_log(RC_COMMENT, "%s", buf); - pos = buf; - *pos = '\0'; - len = BUF_LEN; + len = sprintf(buf, " integrity: "); for (sadb_id = 1; sadb_id <= SADB_AALG_MAX; sadb_id++) { if (ESP_AALG_PRESENT(sadb_id)) { u_int aaid = alg_info_esp_sadb2aa(sadb_id); - n = snprintf(pos, len, " %s", enum_name(&auth_alg_names, aaid)); - pos += n; - len -= n; - if (len <= 0) - { - break; - } + print_alg(buf, &len, &auth_alg_names, aaid); } } - whack_log(RC_COMMENT, " integrity: %s", buf); + whack_log(RC_COMMENT, "%s", buf); } void kernel_alg_show_connection(connection_t *c, const char *instance) diff --git a/src/pluto/keys.c b/src/pluto/keys.c index a79c2c0d2..86b46c6c1 100644 --- a/src/pluto/keys.c +++ b/src/pluto/keys.c 
@@ -902,6 +902,7 @@ static void process_secret(secret_t *s, int whackfd) { loglog(RC_LOG_SERIOUS, "\"%s\" line %d: %s" , flp->filename, flp->lino, ugh); + s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); free(s); } else if (flushline("expected record boundary in key")) @@ -1010,8 +1011,11 @@ static void process_secret_records(int whackfd) if (!shift()) { /* unexpected Record Boundary or EOF */ - loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end of id list" - , flp->filename, flp->lino); + loglog(RC_LOG_SERIOUS, "\"%s\" line %d: unexpected end" + " of id list", flp->filename, flp->lino); + s->ids->destroy_offset(s->ids, + offsetof(identification_t, destroy)); + free(s); break; } } diff --git a/src/pluto/ocsp.c b/src/pluto/ocsp.c index 8a351be6d..a3694b7b5 100644 --- a/src/pluto/ocsp.c +++ b/src/pluto/ocsp.c @@ -1045,8 +1045,8 @@ static bool valid_ocsp_response(response_t *res) ) /* check path length constraint */ - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen_constraint != X509_NO_CONSTRAINT && pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", diff --git a/src/pluto/plugins/xauth/Makefile.in b/src/pluto/plugins/xauth/Makefile.in index b2ffb11db..358805cc4 100644 --- a/src/pluto/plugins/xauth/Makefile.in +++ b/src/pluto/plugins/xauth/Makefile.in @@ -218,9 +218,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ 
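Review bot: In the second keys.c hunk the new `free(s);` is followed by `break;`, and whether the code after the enclosing loop still touches `s` is not visible here (process_secret_records starts and ends outside the hunk); if it does, this turns the fixed leak into a use-after-free, so please confirm and set `s = NULL;` after the free if the variable stays in scope. The two-line teardown `s->ids->destroy_offset(s->ids, offsetof(identification_t, destroy)); free(s);` now appears in both error paths; a small `static void free_secret(secret_t *s)` helper would keep them from drifting apart.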
@@ -259,6 +257,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/pluto/pluto.8 b/src/pluto/pluto.8 index 58cb15091..9ac537bd9 100644 --- a/src/pluto/pluto.8 +++ b/src/pluto/pluto.8 @@ -1,8 +1,8 @@ .TH IPSEC_PLUTO 8 "28 March 1999" .SH NAME -ipsec pluto \- IPsec IKE keying daemon -.br -ipsec whack \- control interface for IPSEC keying daemon +pluto \- IPsec IKE keying daemon and control interface +.PP +whack \- control interface for IKE keying daemon .SH SYNOPSIS .na .nh @@ -1009,7 +1009,7 @@ specifies the name of the operation to be performed \fBup-host\fP, \fBup-client\fP, \fBdown-host\fP, or \fBdown-client\fP). If the address family for security gateway to security gateway communications is IPv6, then -a suffix of -v6 is added to the verb. +a suffix of \-v6 is added to the verb. .TP \fBPLUTO_CONNECTION\fP is the name of the connection for which we are routing. @@ -1571,7 +1571,7 @@ rejected with ECONNREFUSED (kernel supplied no details)''. John Denker suggests that this command is useful for tracking down the source of these problems: .br - tcpdump -i eth0 icmp[0] != 8 and icmp[0] != 0 + tcpdump \-i eth0 icmp[0] != 8 and icmp[0] != 0 .br Substitute your public interface for eth0 if it is different. .LP diff --git a/src/pluto/x509.c b/src/pluto/x509.c index d717beb15..7e2aca862 100644 --- a/src/pluto/x509.c +++ b/src/pluto/x509.c 
@@ -255,8 +255,8 @@ bool verify_x509cert(cert_t *cert, bool strict, time_t *until) unlock_authcert_list("verify_x509cert"); /* check path length constraint */ - pathlen_constraint = x509->get_pathLenConstraint(x509); - if (pathlen_constraint != X509_NO_PATH_LEN_CONSTRAINT && + pathlen_constraint = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen_constraint != X509_NO_CONSTRAINT && pathlen > pathlen_constraint) { plog("path length of %d violates constraint of %d", @@ -450,8 +450,8 @@ void list_x509cert_chain(const char *caption, cert_t* cert, } /* list optional pathLenConstraint */ - pathlen = x509->get_pathLenConstraint(x509); - if (pathlen != X509_NO_PATH_LEN_CONSTRAINT) + pathlen = x509->get_constraint(x509, X509_PATH_LEN); + if (pathlen != X509_NO_CONSTRAINT) { whack_log(RC_COMMENT, " pathlen: %d", pathlen); } diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in index a20fa2eb9..623585f65 100644 --- a/src/scepclient/Makefile.in +++ b/src/scepclient/Makefile.in @@ -228,9 +228,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -269,6 +267,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/src/scepclient/scepclient.8 b/src/scepclient/scepclient.8 index 4b5234da2..72750e155 100644 --- a/src/scepclient/scepclient.8 +++ b/src/scepclient/scepclient.8 
@@ -239,12 +239,12 @@ Log raw hex dumps. .PP .B \-C, \-\-debug\-control .RS 4 -Log informations about control flow. +Log information about control flow. .RE .PP .B \-M, \-\-debug\-controlmore .RS 4 -Log more detailed informations about control flow. +Log more detailed information about control flow. .RE .PP .B \-X, \-\-debug\-private diff --git a/src/starter/Makefile.am b/src/starter/Makefile.am index 75297f767..f05aeca22 100644 --- a/src/starter/Makefile.am +++ b/src/starter/Makefile.am @@ -25,7 +25,6 @@ AM_CFLAGS = \ starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR=$(top_srcdir)/src/pluto 
@@ -59,14 +58,14 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e 
"$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true diff --git a/src/starter/Makefile.in b/src/starter/Makefile.in index 446f183f1..f1c370ad9 100644 --- a/src/starter/Makefile.in +++ b/src/starter/Makefile.in @@ -39,8 +39,7 @@ ipsec_PROGRAMS = starter$(EXEEXT) @USE_CHARON_TRUE@am__append_2 = -DSTART_CHARON @USE_LOAD_WARNING_TRUE@am__append_3 = -DLOAD_WARNING subdir = src/starter -DIST_COMMON = README $(dist_man_MANS) $(srcdir)/Makefile.am \ - $(srcdir)/Makefile.in +DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/config/libtool.m4 \ $(top_srcdir)/m4/config/ltoptions.m4 \ @@ -56,7 +55,7 @@ am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)" +am__installdirs = "$(DESTDIR)$(ipsecdir)" PROGRAMS = $(ipsec_PROGRAMS) am_starter_OBJECTS = y.tab.$(OBJEXT) netkey.$(OBJEXT) \ starterwhack.$(OBJEXT) starterstroke.$(OBJEXT) \ 
@@ -85,30 +84,6 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ $(LDFLAGS) -o $@ SOURCES = $(starter_SOURCES) DIST_SOURCES = $(starter_SOURCES) -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ - $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ - *) f=$$p;; \ - esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ - srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ - for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ - for p in $$list; do echo "$$p $$p"; done | \ - sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ - $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ - if (++n[$$2] == $(am__install_max)) \ - { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ - END { for (dir in files) print dir, files[dir] }' -am__base_list = \ - sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ - sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man8dir = $(mandir)/man8 -NROFF = nroff -MANS = $(dist_man_MANS) ETAGS = etags CTAGS = ctags DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) @@ -231,9 +206,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -272,6 +245,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ 
@@ -304,7 +279,6 @@ AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" \ $(am__append_2) $(am__append_3) starter_LDADD = defs.o $(top_builddir)/src/libfreeswan/libfreeswan.a $(top_builddir)/src/libstrongswan/libstrongswan.la $(SOCKLIB) EXTRA_DIST = parser.l parser.y keywords.txt ipsec.conf -dist_man_MANS = starter.8 MAINTAINERCLEANFILES = lex.yy.c y.tab.c y.tab.h keywords.c PLUTODIR = $(top_srcdir)/src/pluto SCEPCLIENTDIR = $(top_srcdir)/src/scepclient 
@@ -438,44 +412,6 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(dist_man_MANS) - @$(NORMAL_INSTALL) - test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list=''; test -n "$(man8dir)" || exit 0; \ - { for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.8[a-z]*$$/p'; \ - } | while read p; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - echo "$$d$$p"; echo "$$p"; \ - done | \ - sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ - sed 'N;N;s,\n, ,g' | { \ - list=; while read file base inst; do \ - if test "$$base" = "$$inst"; then list="$$list $$file"; else \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ - fi; \ - done; \ - for i in $$list; do echo "$$i"; done | $(am__base_list) | \ - while read files; do \ - test -z "$$files" || { \ - echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ - $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ - done; } - -uninstall-man8: - @$(NORMAL_UNINSTALL) - @list=''; test -n "$(man8dir)" || exit 0; \ - files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ - sed -n '/\.8[a-z]*$$/p'; \ - } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ - -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ - test -z "$$files" || { \ - echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ - cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ 
@@ -530,19 +466,6 @@ distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) - @list='$(MANS)'; if test -n "$$list"; then \ - list=`for p in $$list; do \ - if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ - if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ - if test -n "$$list" && \ - grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ - echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ - grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ - echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ - echo " typically \`make maintainer-clean' will remove them" >&2; \ - exit 1; \ - else :; fi; \ - else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ @@ -574,9 +497,9 @@ distdir: $(DISTFILES) done check-am: all-am check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) +all-am: Makefile $(PROGRAMS) installdirs: - for dir in "$(DESTDIR)$(ipsecdir)" "$(DESTDIR)$(man8dir)"; do \ + for dir in "$(DESTDIR)$(ipsecdir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-am @@ -628,7 +551,7 @@ info: info-am info-am: -install-data-am: install-ipsecPROGRAMS install-man +install-data-am: install-ipsecPROGRAMS install-dvi: install-dvi-am @@ -644,7 +567,7 @@ install-info: install-info-am install-info-am: -install-man: install-man8 +install-man: install-pdf: install-pdf-am @@ -674,9 +597,7 @@ ps: ps-am ps-am: -uninstall-am: uninstall-ipsecPROGRAMS uninstall-man - -uninstall-man: uninstall-man8 +uninstall-am: uninstall-ipsecPROGRAMS .MAKE: install-am install-strip 
@@ -687,13 +608,12 @@ uninstall-man: uninstall-man8 install install-am install-data install-data-am install-dvi \ install-dvi-am install-exec install-exec-am install-exec-local \ install-html install-html-am install-info install-info-am \ - install-ipsecPROGRAMS install-man install-man8 install-pdf \ - install-pdf-am install-ps install-ps-am install-strip \ - installcheck installcheck-am installdirs maintainer-clean \ + install-ipsecPROGRAMS install-man install-pdf install-pdf-am \ + install-ps install-ps-am install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ - tags uninstall uninstall-am uninstall-ipsecPROGRAMS \ - uninstall-man uninstall-man8 + tags uninstall uninstall-am uninstall-ipsecPROGRAMS lex.yy.c: $(srcdir)/parser.l $(srcdir)/parser.y $(srcdir)/parser.h y.tab.h 
@@ -712,16 +632,16 @@ defs.o: $(PLUTODIR)/defs.c $(PLUTODIR)/defs.h $(COMPILE) -c -o $@ $(PLUTODIR)/defs.c install-exec-local : - test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true - test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true - test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -o ${ipsecuid} -g ${ipsecgid} -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d" || $(INSTALL) -o -d "$(DESTDIR)$(sysconfdir)/ipsec.d" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/cacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/cacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/ocspcerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/ocspcerts" || true + test -e 
"$(DESTDIR)${sysconfdir}/ipsec.d/certs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/certs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/acerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/acerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/aacerts" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/aacerts" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/crls" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/crls" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/reqs" || $(INSTALL) -d "$(DESTDIR)$(sysconfdir)/ipsec.d/reqs" || true + test -e "$(DESTDIR)${sysconfdir}/ipsec.d/private" || $(INSTALL) -d -m 750 "$(DESTDIR)$(sysconfdir)/ipsec.d/private" || true + test -e "$(DESTDIR)$(sysconfdir)/ipsec.conf" || $(INSTALL) -m 644 $(srcdir)/ipsec.conf $(DESTDIR)$(sysconfdir)/ipsec.conf || true # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/src/starter/args.c b/src/starter/args.c index 37d600283..87307f1aa 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -239,6 +239,7 @@ static const token_info_t token_info[] = { ARG_MISC, 0, NULL /* KW_MARK */ }, { ARG_MISC, 0, NULL /* KW_MARK_IN */ }, { ARG_MISC, 0, NULL /* KW_MARK_OUT */ }, + { ARG_MISC, 0, NULL /* KW_TFC */ }, /* ca section keywords */ { ARG_STR, offsetof(starter_ca_t, name), NULL }, @@ -272,6 +273,7 @@ static const token_info_t token_info[] = { ARG_STR, offsetof(starter_end_t, rsakey), NULL }, { ARG_STR, offsetof(starter_end_t, cert), NULL }, { ARG_STR, offsetof(starter_end_t, cert2), NULL }, + { ARG_STR, offsetof(starter_end_t, cert_policy), NULL }, { ARG_ENUM, offsetof(starter_end_t, sendcert), LST_sendcert }, { ARG_STR, offsetof(starter_end_t, ca), NULL }, { ARG_STR, offsetof(starter_end_t, ca2), NULL }, diff --git a/src/starter/confread.c b/src/starter/confread.c index 3367616ca..1e7daa6a9 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c 
@@ -705,6 +705,23 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg cfg->err++; } break; + case KW_TFC: + if (streq(kw->value, "%mtu")) + { + conn->tfc = -1; + } + else + { + char *endptr; + + conn->tfc = strtoul(kw->value, &endptr, 10); + if (*endptr != '\0') + { + plog("# bad integer value: %s=%s", kw->entry->name, kw->value); + cfg->err++; + } + } + break; case KW_KEYINGTRIES: if (streq(kw->value, "%forever")) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 982d1d206..4f9c5f7d0 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -64,6 +64,7 @@ struct starter_end { char *ca; char *ca2; char *groups; + char *cert_policy; char *iface; ip_address addr; u_int ikeport; @@ -125,6 +126,7 @@ struct starter_conn { u_int32_t reqid; mark_t mark_in; mark_t mark_out; + u_int32_t tfc; sa_family_t addr_family; sa_family_t tunnel_addr_family; bool install_policy; diff --git a/src/starter/keywords.c b/src/starter/keywords.c index 0c24c7dcf..340b7131d 100644 --- a/src/starter/keywords.c +++ b/src/starter/keywords.c @@ -54,12 +54,12 @@ struct kw_entry { kw_token_t token; }; -#define TOTAL_KEYWORDS 127 +#define TOTAL_KEYWORDS 130 #define MIN_WORD_LENGTH 3 #define MAX_WORD_LENGTH 17 -#define MIN_HASH_VALUE 12 -#define MAX_HASH_VALUE 238 -/* maximum key range = 227, duplicates = 0 */ +#define MIN_HASH_VALUE 18 +#define MAX_HASH_VALUE 249 +/* maximum key range = 232, duplicates = 0 */ #ifdef __GNUC__ __inline 
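Review bot: The KW_TFC branch validates only `*endptr != '\0'`, so an empty value parses as 0 without an error, `strtoul` silently accepts a leading `-` (so `tfc=-5` becomes a very large number), and an out-of-range value is clamped to ULONG_MAX with errno set but never checked before the result is narrowed into the `u_int32_t` conn->tfc. Parse into an `unsigned long` temporary with `errno = 0;` beforehand and reject with `if (endptr == kw->value || *endptr != '\0' || errno == ERANGE || value > UINT32_MAX)` before assigning, which needs `<errno.h>` and `<stdint.h>` in scope if confread.c does not already include them. The `%mtu` branch stores -1 in an unsigned field as a sentinel; a one-line comment such as `/* -1 (wraps to UINT32_MAX) means "pad to the MTU" */` would make that intent visible to the consumer of conn->tfc, which is outside this hunk. load_conn begins and ends outside the hunk.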
@@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 2, - 104, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 15, 239, 20, 14, 58, - 51, 1, 7, 1, 81, 1, 239, 132, 47, 4, - 1, 49, 10, 9, 23, 1, 20, 48, 4, 239, - 239, 35, 1, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239, 239, 239, 239, 239, - 239, 239, 239, 239, 239, 239 + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 11, + 125, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 20, 250, 18, 6, 55, + 59, 3, 9, 3, 92, 3, 250, 147, 71, 12, + 29, 83, 38, 4, 13, 3, 8, 80, 3, 250, + 250, 12, 9, 250, 250, 
250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250, 250, 250, 250, 250, + 250, 250, 250, 250, 250, 250 }; register int hval = len; 
@@ -124,160 +124,164 @@ hash (str, len) static const struct kw_entry wordlist[] = { {"pfs", KW_PFS}, - {"uniqueids", KW_UNIQUEIDS}, - {"rightgroups", KW_RIGHTGROUPS}, - {"lifetime", KW_KEYLIFE}, - {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, - {"rightnatip", KW_RIGHTNATIP}, - {"esp", KW_ESP}, - {"rightnexthop", KW_RIGHTNEXTHOP}, - {"rightsourceip", KW_RIGHTSOURCEIP}, {"right", KW_RIGHT}, - {"leftupdown", KW_LEFTUPDOWN}, - {"leftnexthop", KW_LEFTNEXTHOP}, + {"rightgroups", KW_RIGHTGROUPS}, {"left", KW_LEFT}, - {"keep_alive", KW_KEEP_ALIVE}, + {"lifetime", KW_KEYLIFE}, {"rightsubnet", KW_RIGHTSUBNET}, {"rightikeport", KW_RIGHTIKEPORT}, {"rightsendcert", KW_RIGHTSENDCERT}, - {"leftcert", KW_LEFTCERT,}, - {"interfaces", KW_INTERFACES}, - {"lifepackets", KW_LIFEPACKETS}, - {"leftsendcert", KW_LEFTSENDCERT}, - {"leftgroups", KW_LEFTGROUPS}, - {"eap", KW_EAP}, - {"rightprotoport", KW_RIGHTPROTOPORT}, - {"leftnatip", KW_LEFTNATIP}, + {"leftcert", KW_LEFTCERT}, {"keyingtries", KW_KEYINGTRIES}, - {"type", KW_TYPE}, {"keylife", KW_KEYLIFE}, - {"mark_in", KW_MARK_IN}, + {"leftsendcert", KW_LEFTSENDCERT}, {"lifebytes", KW_LIFEBYTES}, - {"leftca", KW_LEFTCA}, - {"margintime", KW_REKEYMARGIN}, - {"marginbytes", KW_MARGINBYTES}, + {"keep_alive", KW_KEEP_ALIVE}, + {"leftgroups", KW_LEFTGROUPS}, {"leftrsasigkey", KW_LEFTRSASIGKEY}, - {"marginpackets", KW_MARGINPACKETS}, + {"leftcertpolicy", KW_LEFTCERTPOLICY}, {"certuribase", KW_CERTURIBASE}, - {"virtual_private", KW_VIRTUAL_PRIVATE}, - {"rightid", KW_RIGHTID}, - {"rightupdown", KW_RIGHTUPDOWN}, - {"compress", KW_COMPRESS}, + {"lifepackets", KW_LIFEPACKETS}, + {"rightrsasigkey", KW_RIGHTRSASIGKEY}, {"leftprotoport", KW_LEFTPROTOPORT}, - {"overridemtu", KW_OVERRIDEMTU}, + {"uniqueids", KW_UNIQUEIDS}, + {"rightallowany", KW_RIGHTALLOWANY}, + {"virtual_private", KW_VIRTUAL_PRIVATE}, + {"leftca", KW_LEFTCA}, + {"rightsubnetwithin", KW_RIGHTSUBNETWITHIN}, + {"strictcrlpolicy", KW_STRICTCRLPOLICY}, + {"type", KW_TYPE}, + {"interfaces", 
KW_INTERFACES}, + {"rightsourceip", KW_RIGHTSOURCEIP}, + {"leftnexthop", KW_LEFTNEXTHOP}, + {"rightprotoport", KW_RIGHTPROTOPORT}, + {"mark_in", KW_MARK_IN}, {"reqid", KW_REQID}, {"inactivity", KW_INACTIVITY}, + {"margintime", KW_REKEYMARGIN}, + {"marginbytes", KW_MARGINBYTES}, + {"rightid", KW_RIGHTID}, + {"marginpackets", KW_MARGINPACKETS}, + {"leftnatip", KW_LEFTNATIP}, + {"rightcert", KW_RIGHTCERT}, + {"ocspuri", KW_OCSPURI}, + {"esp", KW_ESP}, + {"rightnatip", KW_RIGHTNATIP}, + {"keyexchange", KW_KEYEXCHANGE}, + {"rightnexthop", KW_RIGHTNEXTHOP}, + {"rightca", KW_RIGHTCA}, + {"rightcertpolicy", KW_RIGHTCERTPOLICY}, + {"leftupdown", KW_LEFTUPDOWN}, + {"ocspuri1", KW_OCSPURI}, + {"mediated_by", KW_MEDIATED_BY}, + {"me_peerid", KW_ME_PEERID}, + {"cacert", KW_CACERT}, + {"crluri", KW_CRLURI}, + {"eap", KW_EAP}, {"leftfirewall", KW_LEFTFIREWALL}, {"rightfirewall", KW_RIGHTFIREWALL}, - {"rightallowany", KW_RIGHTALLOWANY}, + {"overridemtu", KW_OVERRIDEMTU}, {"mobike", KW_MOBIKE}, - {"lefthostaccess", KW_LEFTHOSTACCESS}, - {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, - {"rightrsasigkey", KW_RIGHTRSASIGKEY}, - {"pfsgroup", KW_PFSGROUP}, - {"me_peerid", KW_ME_PEERID}, - {"crluri", KW_CRLURI}, - {"leftsourceip", KW_LEFTSOURCEIP}, + {"packetdefault", KW_PACKETDEFAULT}, {"crluri1", KW_CRLURI}, + {"ldapbase", KW_LDAPBASE}, + {"leftallowany", KW_LEFTALLOWANY}, {"mediation", KW_MEDIATION}, - {"dumpdir", KW_DUMPDIR}, - {"forceencaps", KW_FORCEENCAPS}, + {"compress", KW_COMPRESS}, {"leftsubnet", KW_LEFTSUBNET}, - {"rightca", KW_RIGHTCA}, - {"rightcert", KW_RIGHTCERT}, - {"ocspuri", KW_OCSPURI}, - {"dpdaction", KW_DPDACTION}, - {"ocspuri1", KW_OCSPURI}, + {"lefthostaccess", KW_LEFTHOSTACCESS}, + {"forceencaps", KW_FORCEENCAPS}, + {"dumpdir", KW_DUMPDIR}, + {"righthostaccess", KW_RIGHTHOSTACCESS}, + {"authby", KW_AUTHBY}, + {"aaa_identity", KW_AAA_IDENTITY}, + {"tfc", KW_TFC}, + {"nat_traversal", KW_NAT_TRAVERSAL}, + {"rightauth", KW_RIGHTAUTH}, + {"rightupdown", KW_RIGHTUPDOWN}, 
{"dpdtimeout", KW_DPDTIMEOUT}, {"installpolicy", KW_INSTALLPOLICY}, - {"righthostaccess", KW_RIGHTHOSTACCESS}, - {"ldapbase", KW_LDAPBASE}, - {"also", KW_ALSO}, - {"leftallowany", KW_LEFTALLOWANY}, + {"mark_out", KW_MARK_OUT}, + {"fragicmp", KW_FRAGICMP}, {"force_keepalive", KW_FORCE_KEEPALIVE}, - {"keyexchange", KW_KEYEXCHANGE}, - {"hidetos", KW_HIDETOS}, - {"klipsdebug", KW_KLIPSDEBUG}, - {"plutostderrlog", KW_PLUTOSTDERRLOG}, - {"rightauth", KW_RIGHTAUTH}, - {"strictcrlpolicy", KW_STRICTCRLPOLICY}, - {"charondebug", KW_CHARONDEBUG}, - {"rightid2", KW_RIGHTID2}, {"leftid", KW_LEFTID}, - {"mediated_by", KW_MEDIATED_BY}, - {"fragicmp", KW_FRAGICMP}, - {"mark_out", KW_MARK_OUT}, - {"auto", KW_AUTO}, - {"leftcert2", KW_LEFTCERT2,}, - {"nat_traversal", KW_NAT_TRAVERSAL}, - {"cacert", KW_CACERT}, - {"plutostart", KW_PLUTOSTART}, + {"leftsubnetwithin", KW_LEFTSUBNETWITHIN}, {"eap_identity", KW_EAP_IDENTITY}, - {"prepluto", KW_PREPLUTO}, - {"packetdefault", KW_PACKETDEFAULT}, + {"cachecrls", KW_CACHECRLS}, + {"pfsgroup", KW_PFSGROUP}, + {"rightid2", KW_RIGHTID2}, + {"dpdaction", KW_DPDACTION}, {"xauth_identity", KW_XAUTH_IDENTITY}, + {"leftsourceip", KW_LEFTSOURCEIP}, + {"klipsdebug", KW_KLIPSDEBUG}, + {"leftcert2", KW_LEFTCERT2}, + {"charondebug", KW_CHARONDEBUG}, + {"hidetos", KW_HIDETOS}, + {"ike", KW_IKE}, {"charonstart", KW_CHARONSTART}, - {"crlcheckinterval", KW_CRLCHECKINTERVAL}, {"rightauth2", KW_RIGHTAUTH2}, - {"ike", KW_IKE}, - {"aaa_identity", KW_AAA_IDENTITY}, + {"also", KW_ALSO}, {"leftca2", KW_LEFTCA2}, - {"authby", KW_AUTHBY}, - {"leftauth", KW_LEFTAUTH}, - {"cachecrls", KW_CACHECRLS}, + {"rekey", KW_REKEY}, + {"plutostderrlog", KW_PLUTOSTDERRLOG}, + {"plutostart", KW_PLUTOSTART}, + {"ikelifetime", KW_IKELIFETIME}, + {"crlcheckinterval", KW_CRLCHECKINTERVAL}, + {"auto", KW_AUTO}, {"ldaphost", KW_LDAPHOST}, - {"rekeymargin", KW_REKEYMARGIN}, {"rekeyfuzz", KW_REKEYFUZZ}, - {"dpddelay", KW_DPDDELAY}, - {"ikelifetime", KW_IKELIFETIME}, - {"auth", KW_AUTH}, - 
{"xauth", KW_XAUTH}, - {"postpluto", KW_POSTPLUTO}, - {"plutodebug", KW_PLUTODEBUG}, - {"modeconfig", KW_MODECONFIG}, - {"nocrsend", KW_NOCRSEND}, - {"leftauth2", KW_LEFTAUTH2}, - {"leftid2", KW_LEFTID2}, {"leftikeport", KW_LEFTIKEPORT}, + {"mark", KW_MARK}, + {"auth", KW_AUTH}, + {"prepluto", KW_PREPLUTO}, + {"dpddelay", KW_DPDDELAY}, + {"leftauth", KW_LEFTAUTH}, {"rightca2", KW_RIGHTCA2}, - {"rekey", KW_REKEY}, + {"xauth", KW_XAUTH}, {"rightcert2", KW_RIGHTCERT2}, - {"mark", KW_MARK}, - {"crluri2", KW_CRLURI2}, - {"reauth", KW_REAUTH}, + {"rekeymargin", KW_REKEYMARGIN}, + {"leftid2", KW_LEFTID2}, {"ocspuri2", KW_OCSPURI2}, + {"nocrsend", KW_NOCRSEND}, + {"reauth", KW_REAUTH}, + {"crluri2", KW_CRLURI2}, + {"plutodebug", KW_PLUTODEBUG}, + {"leftauth2", KW_LEFTAUTH2}, {"pkcs11module", KW_PKCS11MODULE}, {"pkcs11initargs", KW_PKCS11INITARGS}, {"pkcs11keepstate", KW_PKCS11KEEPSTATE}, - {"pkcs11proxy", KW_PKCS11PROXY} + {"pkcs11proxy", KW_PKCS11PROXY}, + {"modeconfig", KW_MODECONFIG}, + {"postpluto", KW_POSTPLUTO} }; static const short lookup[] = { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, 0, 1, -1, 2, -1, -1, 3, -1, - -1, 4, -1, 5, 6, 7, 8, 9, -1, 10, - 11, -1, 12, 13, 14, 15, 16, 17, -1, 18, - 19, 20, 21, 22, -1, -1, 23, 24, -1, 25, - 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, - 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, - 46, 47, 48, 49, 50, 51, -1, 52, 53, 54, - 55, -1, 56, 57, -1, 58, 59, 60, -1, 61, - 62, 63, 64, -1, -1, 65, -1, 66, -1, 67, - 68, 69, 70, 71, -1, -1, 72, -1, -1, 73, - 74, 75, 76, 77, 78, 79, 80, -1, 81, 82, - 83, 84, 85, 86, 87, -1, 88, -1, 89, 90, - -1, 91, 92, 93, 94, -1, 95, 96, 97, 98, - -1, -1, -1, -1, 99, 100, 101, -1, 102, 103, - 104, 105, 106, 107, 108, 109, -1, 110, -1, -1, - 111, -1, -1, -1, -1, -1, -1, 112, -1, 113, - 114, 115, 116, 117, 118, -1, -1, -1, -1, 119, - -1, -1, 120, -1, -1, -1, -1, -1, -1, 121, - -1, -1, -1, -1, 122, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, 123, -1, 124, 125, -1, - -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - 
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, 126 + -1, -1, -1, -1, -1, -1, -1, -1, 0, 1, + -1, -1, -1, 2, 3, -1, 4, -1, 5, 6, + 7, 8, 9, -1, 10, 11, 12, 13, 14, -1, + 15, 16, -1, 17, 18, 19, 20, 21, -1, 22, + -1, -1, 23, -1, 24, 25, 26, 27, -1, 28, + 29, -1, -1, -1, 30, -1, 31, -1, -1, -1, + 32, 33, 34, 35, 36, 37, 38, 39, 40, -1, + -1, 41, 42, 43, 44, 45, 46, -1, 47, 48, + 49, -1, -1, 50, 51, 52, 53, 54, 55, 56, + 57, 58, 59, -1, -1, 60, 61, 62, 63, 64, + 65, -1, 66, 67, -1, 68, 69, -1, 70, 71, + -1, -1, 72, 73, -1, 74, 75, 76, 77, -1, + 78, -1, 79, -1, 80, -1, 81, 82, -1, 83, + 84, 85, 86, 87, 88, 89, 90, -1, -1, 91, + -1, -1, -1, 92, -1, 93, 94, -1, 95, 96, + -1, 97, 98, -1, -1, -1, -1, 99, -1, -1, + -1, 100, 101, 102, 103, 104, 105, 106, 107, -1, + -1, -1, 108, -1, 109, -1, -1, 110, 111, -1, + -1, -1, 112, -1, 113, 114, 115, -1, -1, -1, + -1, -1, 116, 117, 118, -1, -1, -1, 119, -1, + -1, 120, -1, -1, -1, -1, -1, -1, -1, 121, + -1, -1, -1, 122, -1, -1, 123, -1, 124, -1, + 125, 126, -1, -1, -1, -1, 127, -1, 128, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, 129 }; #ifdef __GNUC__ diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 1dae65a99..9f46a8b4b 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h @@ -102,9 +102,10 @@ typedef enum { KW_MARK, KW_MARK_IN, KW_MARK_OUT, + KW_TFC, #define KW_CONN_FIRST KW_CONN_SETUP -#define KW_CONN_LAST KW_MARK_OUT +#define KW_CONN_LAST KW_TFC /* ca section keywords */ KW_CA_NAME, @@ -141,6 +142,7 @@ typedef enum { KW_RSASIGKEY, KW_CERT, KW_CERT2, + KW_CERTPOLICY, KW_SENDCERT, KW_CA, KW_CA2, @@ -170,6 +172,7 @@ typedef enum { KW_LEFTRSASIGKEY, KW_LEFTCERT, KW_LEFTCERT2, + KW_LEFTCERTPOLICY, KW_LEFTSENDCERT, KW_LEFTCA, KW_LEFTCA2, @@ -198,6 +201,7 @@ typedef enum { KW_RIGHTRSASIGKEY, KW_RIGHTCERT, KW_RIGHTCERT2, + KW_RIGHTCERTPOLICY, KW_RIGHTSENDCERT, KW_RIGHTCA, KW_RIGHTCA2, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index 06705635a..2c0e5de3d 100644 
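Review bot: `KW_CERTPOLICY`, `KW_LEFTCERTPOLICY` and `KW_RIGHTCERTPOLICY` are each inserted at the same relative slot of their group (after `*CERT2`, before `*SENDCERT`) across the second, third and fourth hunks, which suggests the `KW_LEFT*`/`KW_RIGHT*` blocks are resolved by offset from the generic `KW_*` block, yet nothing in the header states that. A comment at the head of the generic block, such as `/* the left/right blocks below must mirror this order: keywords are mapped by offset */`, would make the invariant explicit for the next addition. The `KW_CONN_LAST` redefinition to `KW_TFC` in the first hunk is consistent with `KW_TFC` being appended as the final conn-section member. The `typedef enum` itself begins and ends outside the hunks.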
--- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -93,6 +93,7 @@ reqid, KW_REQID mark, KW_MARK mark_in, KW_MARK_IN mark_out, KW_MARK_OUT +tfc, KW_TFC cacert, KW_CACERT ldaphost, KW_LDAPHOST ldapbase, KW_LDAPBASE @@ -120,8 +121,9 @@ leftid2, KW_LEFTID2 leftauth, KW_LEFTAUTH leftauth2, KW_LEFTAUTH2 leftrsasigkey, KW_LEFTRSASIGKEY -leftcert, KW_LEFTCERT, -leftcert2, KW_LEFTCERT2, +leftcert, KW_LEFTCERT +leftcert2, KW_LEFTCERT2 +leftcertpolicy, KW_LEFTCERTPOLICY leftsendcert, KW_LEFTSENDCERT leftca, KW_LEFTCA leftca2, KW_LEFTCA2 @@ -145,6 +147,7 @@ rightauth2, KW_RIGHTAUTH2 rightrsasigkey, KW_RIGHTRSASIGKEY rightcert, KW_RIGHTCERT rightcert2, KW_RIGHTCERT2 +rightcertpolicy, KW_RIGHTCERTPOLICY rightsendcert, KW_RIGHTSENDCERT rightca, KW_RIGHTCA rightca2, KW_RIGHTCA2 diff --git a/src/starter/starter.8 b/src/starter/starter.8 deleted file mode 100644 index e69de29bb..000000000 diff --git a/src/starter/starterstroke.c b/src/starter/starterstroke.c index 9ba569d47..f251667c7 100644 --- a/src/starter/starterstroke.c +++ b/src/starter/starterstroke.c @@ -171,6 +171,7 @@ static void starter_stroke_add_end(stroke_msg_t *msg, stroke_end_t *msg_end, sta msg_end->id2 = push_string(msg, conn_end->id2); msg_end->cert = push_string(msg, conn_end->cert); msg_end->cert2 = push_string(msg, conn_end->cert2); + msg_end->cert_policy = push_string(msg, conn_end->cert_policy); msg_end->ca = push_string(msg, conn_end->ca); msg_end->ca2 = push_string(msg, conn_end->ca2); msg_end->groups = push_string(msg, conn_end->groups); @@ -266,6 +267,7 @@ int starter_stroke_add_conn(starter_config_t *cfg, starter_conn_t *conn) msg.add_conn.mark_in.mask = conn->mark_in.mask; msg.add_conn.mark_out.value = conn->mark_out.value; msg.add_conn.mark_out.mask = conn->mark_out.mask; + msg.add_conn.tfc = conn->tfc; starter_stroke_add_end(&msg, &msg.add_conn.me, &conn->left); starter_stroke_add_end(&msg, &msg.add_conn.other, &conn->right); 
diff --git a/src/stroke/Makefile.in b/src/stroke/Makefile.in
index c490be114..d621f21ca 100644
--- a/src/stroke/Makefile.in
+++ b/src/stroke/Makefile.in
@@ -197,9 +197,7 @@ includedir = @includedir@
 infodir = @infodir@
 install_sh = @install_sh@
 ipsecdir = @ipsecdir@
-ipsecgid = @ipsecgid@
 ipsecgroup = @ipsecgroup@
-ipsecuid = @ipsecuid@
 ipsecuser = @ipsecuser@
 libcharon_plugins = @libcharon_plugins@
 libdir = @libdir@
@@ -238,6 +236,8 @@ sbindir = @sbindir@
 scepclient_plugins = @scepclient_plugins@
 scripts_plugins = @scripts_plugins@
 sharedstatedir = @sharedstatedir@
+soup_CFLAGS = @soup_CFLAGS@
+soup_LIBS = @soup_LIBS@
 srcdir = @srcdir@
 strongswan_conf = @strongswan_conf@
 sysconfdir = @sysconfdir@
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 103617f08..a88fa10d7 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -197,6 +197,16 @@ static int terminate_connection_srcip(char *start, char *end)
 return send_stroke_msg(&msg);
 }
 
+static int rekey_connection(char *name)
+{
+ stroke_msg_t msg;
+
+ msg.type = STR_REKEY;
+ msg.length = offsetof(stroke_msg_t, buffer);
+ msg.rekey.name = push_string(&msg, name);
+ return send_stroke_msg(&msg);
+}
+
 static int route_connection(char *name)
 {
 stroke_msg_t msg;
@@ -276,6 +286,8 @@ static int reread(stroke_keyword_t kw)
 static int purge_flags[] = {
 PURGE_OCSP,
 PURGE_IKE,
+ PURGE_CRLS,
+ PURGE_CERTS,
 };
 
 static int purge(stroke_keyword_t kw)
@@ -373,6 +385,10 @@ static void exit_usage(char *error)
 printf(" stroke rereadsecrets|rereadcrls|rereadall\n");
 printf(" Purge ocsp cache entries:\n");
 printf(" stroke purgeocsp\n");
+ printf(" Purge CRL cache entries:\n");
+ printf(" stroke purgecrls\n");
+ printf(" Purge X509 cache entries:\n");
+ printf(" stroke purgecerts\n");
 printf(" Purge IKE_SAs without a CHILD_SA:\n");
 printf(" stroke purgeike\n");
 printf(" Export credentials to the console:\n");
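Review bot: `rekey_connection` declares `stroke_msg_t msg;` uninitialised and sets only `type`, `length` and `rekey.name` before `send_stroke_msg(&msg)`; if the sender writes the fixed part of the struct up to `msg.length`, the untouched union members and padding carry stale stack bytes to the daemon socket. The sibling functions visible in this hunk (`terminate_connection_srcip`, `route_connection`) follow the same pattern, so this matches file convention, but a zero-initialiser costs nothing: `stroke_msg_t msg = {0};`. That gives the receiver deterministic content for every field it does not read.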
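Review bot: The new entries are appended to `purge_flags` in the order OCSP, IKE, CRLS, CERTS, while the `stroke_keyword_t` additions in stroke_keywords.h in the same commit read OCSP, CRLS, CERTS, IKE. If `purge()` — whose body lies outside the hunk — maps keyword to flag positionally as `purge_flags[kw - STROKE_PURGE_OCSP]`, which the original two-entry table suggests, then `purgecrls` would send PURGE_IKE, `purgecerts` PURGE_CRLS and `purgeike` PURGE_CERTS, so a plain `stroke purgecrls` would tear down IKE_SAs instead of flushing the CRL cache. Reorder the table to match the enum, `PURGE_OCSP, PURGE_CRLS, PURGE_CERTS, PURGE_IKE,`, and add `/* indexed by kw - STROKE_PURGE_OCSP; keep in stroke_keyword_t order */` above it so the coupling is visible on the next addition.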
@@ -443,6 +459,13 @@ int main(int argc, char *argv[])
 }
 res = terminate_connection_srcip(argv[2], argc > 3 ? argv[3] : NULL);
 break;
+ case STROKE_REKEY:
+ if (argc < 3)
+ {
+ exit_usage("\"rekey\" needs a connection name");
+ }
+ res = rekey_connection(argv[2]);
+ break;
 case STROKE_ROUTE:
 if (argc < 3)
 {
@@ -491,6 +514,8 @@ int main(int argc, char *argv[])
 res = reread(token->kw);
 break;
 case STROKE_PURGE_OCSP:
+ case STROKE_PURGE_CRLS:
+ case STROKE_PURGE_CERTS:
 case STROKE_PURGE_IKE:
 res = purge(token->kw);
 break;
diff --git a/src/stroke/stroke_keywords.c b/src/stroke/stroke_keywords.c
index c2d79176e..b43f4b475 100644
--- a/src/stroke/stroke_keywords.c
+++ b/src/stroke/stroke_keywords.c
@@ -54,12 +54,12 @@ struct stroke_token {
 stroke_keyword_t kw;
 };
 
-#define TOTAL_KEYWORDS 34
+#define TOTAL_KEYWORDS 37
 #define MIN_WORD_LENGTH 2
 #define MAX_WORD_LENGTH 15
-#define MIN_HASH_VALUE 3
-#define MAX_HASH_VALUE 39
-/* maximum key range = 37, duplicates = 0 */
+#define MIN_HASH_VALUE 2
+#define MAX_HASH_VALUE 42
+/* maximum key range = 41, duplicates = 0 */
 
 #ifdef __GNUC__
 __inline
@@ -75,32 +75,32 @@ hash (str, len) { static const unsigned char asso_values[] = { - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 18, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 0, 4, 1, - 1, 0, 40, 17, 40, 20, 40, 3, 0, 40, - 40, 12, 19, 40, 6, 3, 20, 12, 40, 40, - 10, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40, 40, 40, 40, 40, - 40, 40, 40, 40, 40, 40 + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 20, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 0, 23, 1, + 1, 15, 43, 21, 43, 23, 43, 9, 0, 43, + 43, 10, 2, 43, 6, 5, 1, 0, 43, 43, + 2, 19, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 
43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43, 43, 43, 43, 43, + 43, 43, 43, 43, 43, 43 }; register int hval = len; 
@@ -125,47 +125,51 @@ hash (str, len) static const struct stroke_token wordlist[] = { + {"up", STROKE_UP}, {"add", STROKE_ADD}, {"del", STROKE_DEL}, {"down", STROKE_DOWN}, - {"leases", STROKE_LEASES}, {"listall", STROKE_LIST_ALL}, - {"loglevel", STROKE_LOGLEVEL}, + {"delete", STROKE_DELETE}, {"listcrls", STROKE_LIST_CRLS}, - {"listacerts", STROKE_LIST_ACERTS}, - {"route", STROKE_ROUTE}, + {"status", STROKE_STATUS}, {"listaacerts", STROKE_LIST_AACERTS}, {"listcacerts", STROKE_LIST_CACERTS}, - {"up", STROKE_UP}, + {"statusall", STROKE_STATUSALL}, {"rereadall", STROKE_REREAD_ALL}, {"listcerts", STROKE_LIST_CERTS}, {"rereadcrls", STROKE_REREAD_CRLS}, {"rereadacerts", STROKE_REREAD_ACERTS}, {"rereadaacerts", STROKE_REREAD_AACERTS}, {"rereadcacerts", STROKE_REREAD_CACERTS}, - {"status", STROKE_STATUS}, - {"rereadsecrets", STROKE_REREAD_SECRETS}, + {"leases", STROKE_LEASES}, + {"unroute", STROKE_UNROUTE}, {"listocsp", STROKE_LIST_OCSP}, - {"statusall", STROKE_STATUSALL}, + {"rereadsecrets", STROKE_REREAD_SECRETS}, + {"listacerts", STROKE_LIST_ACERTS}, + {"route", STROKE_ROUTE}, + {"purgeocsp", STROKE_PURGE_OCSP}, + {"listocspcerts", STROKE_LIST_OCSPCERTS}, {"listalgs", STROKE_LIST_ALGS}, + {"rekey", STROKE_REKEY}, + {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, + {"purgecrls", STROKE_PURGE_CRLS}, {"exportx509", STROKE_EXPORT_X509}, - {"delete", STROKE_DELETE}, - {"listocspcerts", STROKE_LIST_OCSPCERTS}, - {"purgeocsp", STROKE_PURGE_OCSP}, {"purgeike", STROKE_PURGE_IKE}, - {"unroute", STROKE_UNROUTE}, {"listcainfos", STROKE_LIST_CAINFOS}, - {"rereadocspcerts", STROKE_REREAD_OCSPCERTS}, {"listpubkeys", STROKE_LIST_PUBKEYS}, {"down-srcip", STROKE_DOWN_SRCIP}, - {"listgroups", STROKE_LIST_GROUPS} + {"loglevel", STROKE_LOGLEVEL}, + {"listgroups", STROKE_LIST_GROUPS}, + {"purgecerts", STROKE_PURGE_CERTS} }; static const short lookup[] = { - -1, -1, -1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, - 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, - 25, 26, 27, 28, 29, 30, 31, 32, 
-1, -1, -1, 33 + -1, -1, 0, 1, 2, 3, -1, 4, 5, 6, -1, 7, 8, 9, + 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, + 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, -1, -1, 35, + 36 }; #ifdef __GNUC__ diff --git a/src/stroke/stroke_keywords.h b/src/stroke/stroke_keywords.h index 4a3826536..ff2ba36ef 100644 --- a/src/stroke/stroke_keywords.h +++ b/src/stroke/stroke_keywords.h @@ -25,6 +25,7 @@ typedef enum { STROKE_UP, STROKE_DOWN, STROKE_DOWN_SRCIP, + STROKE_REKEY, STROKE_LOGLEVEL, STROKE_STATUS, STROKE_STATUSALL, @@ -48,6 +49,8 @@ typedef enum { STROKE_REREAD_CRLS, STROKE_REREAD_ALL, STROKE_PURGE_OCSP, + STROKE_PURGE_CRLS, + STROKE_PURGE_CERTS, STROKE_PURGE_IKE, STROKE_EXPORT_X509, STROKE_LEASES, diff --git a/src/stroke/stroke_keywords.txt b/src/stroke/stroke_keywords.txt index 0b8092985..dafd1ab08 100644 --- a/src/stroke/stroke_keywords.txt +++ b/src/stroke/stroke_keywords.txt @@ -32,6 +32,7 @@ unroute, STROKE_UNROUTE up, STROKE_UP down, STROKE_DOWN down-srcip, STROKE_DOWN_SRCIP +rekey, STROKE_REKEY loglevel, STROKE_LOGLEVEL status, STROKE_STATUS statusall, STROKE_STATUSALL @@ -55,6 +56,8 @@ rereadacerts, STROKE_REREAD_ACERTS rereadcrls, STROKE_REREAD_CRLS rereadall, STROKE_REREAD_ALL purgeocsp, STROKE_PURGE_OCSP +purgecrls, STROKE_PURGE_CRLS +purgecerts, STROKE_PURGE_CERTS purgeike, STROKE_PURGE_IKE exportx509, STROKE_EXPORT_X509 leases, STROKE_LEASES diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 9466cf0b0..3af2b7042 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -107,6 +107,10 @@ enum purge_flag_t { PURGE_OCSP = 0x0001, /** purge IKE_SAs without a CHILD_SA */ PURGE_IKE = 0x0002, + /** purge CRL cache entries */ + PURGE_CRLS = 0x0004, + /** purge X509 cache entries */ + PURGE_CERTS = 0x0008, }; typedef enum export_flag_t export_flag_t; @@ -145,6 +149,7 @@ struct stroke_end_t { char *ca; char *ca2; char *groups; + char *cert_policy; char *updown; char *address; u_int16_t ikeport; 
@@ -183,6 +188,8 @@ struct stroke_msg_t { STR_TERMINATE, /* terminate connection by peers srcip/virtual ip */ STR_TERMINATE_SRCIP, + /* rekey a connection */ + STR_REKEY, /* show connection status */ STR_STATUS, /* show verbose connection status */ @@ -215,7 +222,7 @@ struct stroke_msg_t { /* data for STR_INITIATE, STR_ROUTE, STR_UP, STR_DOWN, ... */ struct { char *name; - } initiate, route, unroute, terminate, status, del_conn, del_ca; + } initiate, route, unroute, terminate, rekey, status, del_conn, del_ca; /* data for STR_TERMINATE_SRCIP */ struct { @@ -241,6 +248,7 @@ struct stroke_msg_t { int proxy_mode; int install_policy; u_int32_t reqid; + u_int32_t tfc; crl_policy_t crl_policy; int unique; diff --git a/src/whack/Makefile.in b/src/whack/Makefile.in index 270e8fe50..b51056a38 100644 --- a/src/whack/Makefile.in +++ b/src/whack/Makefile.in @@ -196,9 +196,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -237,6 +235,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/INSTALL b/testing/INSTALL index 5e42925f7..bb4272eaf 100644 --- a/testing/INSTALL +++ b/testing/INSTALL 
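Review bot: The new `u_int32_t tfc;` member in the add_conn section (third hunk of stroke_msg.h) carries no comment, whereas the other additions to this file (`PURGE_CRLS`, `PURGE_CERTS`, `STR_REKEY`) are documented, and the bare name says nothing about units or what zero means to the receiver. A line such as `/** TFC padding — presumably the pad-to size in bytes with 0 = off; confirm against the consumer in charon */` records the contract, hedged until verified. The `struct stroke_msg_t` definition starts and ends outside the hunks.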
@@ -53,23 +53,22 @@ are required for the strongSwan testing environment: * A vanilla Linux kernel on which the UML kernel will be based on. We recommend the use of - http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.34.1.tar.bz2 + http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.36.tar.bz2 - * The Linux kernel 2.6.34.1 does not require any patches for the uml guest kernel - to successfully start up but the xfrm_mark patch must be applied for - XFRM MARK support. + * The Linux kernel 2.6.36 does not require any patches for the uml guest kernel + to successfully start up. * The matching .config file required to compile the UML kernel: - http://download.strongswan.org/uml/.config-2.6.34 + http://download.strongswan.org/uml/.config-2.6.36 * A gentoo-based UML file system (compressed size 130 MBytes) found at - http://download.strongswan.org/uml/gentoo-fs-20100703.tar.bz2 + http://download.strongswan.org/uml/gentoo-fs-20100830.tar.bz2 * The latest strongSwan distribution - http://download.strongswan.org/strongswan-4.4.2.tar.bz2 + http://download.strongswan.org/strongswan-4.5.1.tar.bz2 3. Creating the environment diff --git a/testing/Makefile.in b/testing/Makefile.in index 82b751fd2..cbb7555f0 100644 --- a/testing/Makefile.in +++ b/testing/Makefile.in @@ -175,9 +175,7 @@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ ipsecdir = @ipsecdir@ -ipsecgid = @ipsecgid@ ipsecgroup = @ipsecgroup@ -ipsecuid = @ipsecuid@ ipsecuser = @ipsecuser@ libcharon_plugins = @libcharon_plugins@ libdir = @libdir@ @@ -216,6 +214,8 @@ sbindir = @sbindir@ scepclient_plugins = @scepclient_plugins@ scripts_plugins = @scripts_plugins@ sharedstatedir = @sharedstatedir@ +soup_CFLAGS = @soup_CFLAGS@ +soup_LIBS = @soup_LIBS@ srcdir = @srcdir@ strongswan_conf = @strongswan_conf@ sysconfdir = @sysconfdir@ diff --git a/testing/do-tests.in b/testing/do-tests.in index 2e67e9367..27ad200fb 100755 --- a/testing/do-tests.in +++ b/testing/do-tests.in 
@@ -343,6 +343,7 @@ do # $DIR/scripts/load-testconfig $testname + unset RADIUSHOSTS source $TESTDIR/test.conf diff --git a/testing/hosts/default/etc/hosts b/testing/hosts/default/etc/hosts index fb07a2f6e..0931f450e 100644 --- a/testing/hosts/default/etc/hosts +++ b/testing/hosts/default/etc/hosts @@ -18,8 +18,10 @@ 10.1.0.40 dave2.strongswan.org dave2 10.1.0.50 carol3.strongswan.org carol3 10.1.0.51 dave3.strongswan.org dave3 +10.1.0.5 mars1.strongswan.org mars1 # virtual gateway 10.1.0.1 moon1.strongswan.org moon1 192.168.0.1 moon.strongswan.org moon +192.168.0.5 mars.strongswan.org mars # virtual gateway 192.168.0.50 alice1.strongswan.org alice1 192.168.0.100 carol.strongswan.org carol 10.3.0.1 carol1.strongswan.org carol1 diff --git a/testing/hosts/default/etc/ipsec.d/tables.sql b/testing/hosts/default/etc/ipsec.d/tables.sql index eb41533cb..2917fc3fc 100644 --- a/testing/hosts/default/etc/ipsec.d/tables.sql +++ b/testing/hosts/default/etc/ipsec.d/tables.sql @@ -18,9 +18,11 @@ CREATE TABLE child_configs ( updown TEXT DEFAULT NULL, hostaccess INTEGER NOT NULL DEFAULT '0', mode INTEGER NOT NULL DEFAULT '2', + start_action INTEGER NOT NULL DEFAULT '0', dpd_action INTEGER NOT NULL DEFAULT '0', close_action INTEGER NOT NULL DEFAULT '0', - ipcomp INTEGER NOT NULL DEFAULT '0' + ipcomp INTEGER NOT NULL DEFAULT '0', + reqid INTEGER NOT NULL DEFAULT '0' ); DROP INDEX IF EXISTS child_configs_name; CREATE INDEX child_configs_name ON child_configs ( 
@@ -38,6 +40,19 @@ CREATE INDEX child_config_traffic_selector_all ON child_config_traffic_selector
 child_cfg, traffic_selector
 );
 
+DROP TABLE IF EXISTS proposals;
+CREATE TABLE proposals (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ proposal TEXT NOT NULL
+);
+
+DROP TABLE IF EXISTS child_config_proposal;
+CREATE TABLE child_config_proposal (
+ child_cfg INTEGER NOT NULL,
+ prio INTEGER NOT NULL,
+ prop INTEGER NOT NULL
+);
+
 DROP TABLE IF EXISTS ike_configs;
 CREATE TABLE ike_configs (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -47,6 +62,13 @@ CREATE TABLE ike_configs (
 remote TEXT NOT NULL
 );
 
+DROP TABLE IF EXISTS ike_config_proposal;
+CREATE TABLE ike_config_proposal (
+ ike_cfg INTEGER NOT NULL,
+ prio INTEGER NOT NULL,
+ prop INTEGER NOT NULL
+);
+
 DROP TABLE IF EXISTS peer_configs;
 CREATE TABLE peer_configs (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
@@ -139,6 +161,20 @@ CREATE TABLE shared_secret_identity (
 PRIMARY KEY (shared_secret, identity)
 );
 
+DROP TABLE IF EXISTS certificate_authorities;
+CREATE TABLE certificate_authorities (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ certificate INTEGER NOT NULL
+);
+
+DROP TABLE IF EXISTS certificate_distribution_points;
+CREATE TABLE certificate_distribution_points (
+ id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+ ca INTEGER NOT NULL,
+ type INTEGER NOT NULL,
+ uri TEXT NOT NULL
+);
+
 DROP TABLE IF EXISTS pools;
 CREATE TABLE pools (
 id INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
diff --git a/testing/hosts/winnetou/etc/openssl/index.txt b/testing/hosts/winnetou/etc/openssl/index.txt
index dd69a793f..246f2d5b7 100644
--- a/testing/hosts/winnetou/etc/openssl/index.txt
+++ b/testing/hosts/winnetou/etc/openssl/index.txt
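Review bot: The new join tables `child_config_proposal` and `ike_config_proposal` (first and second hunks) get no index, while the existing `child_config_traffic_selector` table shown in the first hunk's context is covered by `child_config_traffic_selector_all (child_cfg, traffic_selector)`; lookups by `child_cfg` or `ike_cfg` on the new tables will scan. Following the existing pattern keeps the schema consistent, e.g. `DROP INDEX IF EXISTS child_config_proposal_all;` followed by `CREATE INDEX child_config_proposal_all ON child_config_proposal (child_cfg, prio);` and the equivalent pair for `ike_config_proposal (ike_cfg, prio)`. The same applies to `certificate_distribution_points` in the third hunk, which is presumably queried by `ca` and has no index on it either.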
@@ -32,3 +32,4 @@ V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/ V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA V 150803083841Z 22 unknown /C=CH/O=Linux strongSwan/CN=aaa.strongswan.org +V 151119165922Z 23 unknown /C=CH/O=Linux strongSwan/OU=Virtual VPN Gateway/CN=mars.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/index.txt.old b/testing/hosts/winnetou/etc/openssl/index.txt.old index 58a88a3cb..dd69a793f 100644 --- a/testing/hosts/winnetou/etc/openssl/index.txt.old +++ b/testing/hosts/winnetou/etc/openssl/index.txt.old @@ -31,3 +31,4 @@ V 141123125153Z 1E unknown /C=CH/O=Linux strongSwan/OU=OCSP Signing Authority/C V 150226210530Z 1F unknown /C=CH/O=Linux strongSwan/OU=Authorization Authority/CN=aa@strongswan.org V 190404095350Z 20 unknown /C=CH/O=Linux strongSwan/OU=Research/CN=Research CA V 190404095433Z 21 unknown /C=CH/O=Linux strongSwan/OU=Sales/CN=Sales CA +V 150803083841Z 22 unknown /C=CH/O=Linux strongSwan/CN=aaa.strongswan.org diff --git a/testing/hosts/winnetou/etc/openssl/newcerts/23.pem b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/hosts/winnetou/etc/openssl/newcerts/23.pem 
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/hosts/winnetou/etc/openssl/serial b/testing/hosts/winnetou/etc/openssl/serial index 409940768..a45fd52cc 100644 --- a/testing/hosts/winnetou/etc/openssl/serial +++ b/testing/hosts/winnetou/etc/openssl/serial @@ -1 +1 @@ -23 +24 diff --git a/testing/hosts/winnetou/etc/openssl/serial.old b/testing/hosts/winnetou/etc/openssl/serial.old index 2bd5a0a98..409940768 100644 
--- a/testing/hosts/winnetou/etc/openssl/serial.old +++ b/testing/hosts/winnetou/etc/openssl/serial.old @@ -1 +1 @@ -22 +23 diff --git a/testing/scripts/build-umlrootfs b/testing/scripts/build-umlrootfs index e22b65cf4..023b71750 100755 --- a/testing/scripts/build-umlrootfs +++ b/testing/scripts/build-umlrootfs @@ -202,6 +202,16 @@ then echo -n " --enable-tnccs-11" >> $INSTALLSHELL fi +if [ "$USE_TNCCS_20" = "yes" ] +then + echo -n " --enable-tnccs-20" >> $INSTALLSHELL +fi + +if [ "$USE_TNCCS_DYNAMIC" = "yes" ] +then + echo -n " --enable-tnccs-dynamic" >> $INSTALLSHELL +fi + if [ "$USE_SQL" = "yes" ] then echo -n " --enable-sql --enable-sqlite" >> $INSTALLSHELL @@ -292,6 +302,16 @@ then echo -n " --enable-gcm" >> $INSTALLSHELL fi +if [ "$USE_HA" = "yes" ] +then + echo -n " --enable-ha" >> $INSTALLSHELL +fi + +if [ "$USE_CISCO_QUIRKS" = "yes" ] +then + echo -n " --enable-cisco-quirks" >> $INSTALLSHELL +fi + echo "" >> $INSTALLSHELL echo "make -j" >> $INSTALLSHELL echo "make install" >> $INSTALLSHELL diff --git a/testing/scripts/kstart-umls b/testing/scripts/kstart-umls index 486955a69..18dc64a9d 100755 --- a/testing/scripts/kstart-umls +++ b/testing/scripts/kstart-umls @@ -67,10 +67,10 @@ do \$SWITCH_${host} \ mem=${MEM}M con=pty con0=fd:0,fd:1" & cgecho "done" + sleep 15 fi let "x0+=dx" let "y0+=dy" - sleep 15 done if [ -z "$BOOTING_HOSTS" ] diff --git a/testing/scripts/xstart-umls b/testing/scripts/xstart-umls index 717199606..ed2662b6c 100755 --- a/testing/scripts/xstart-umls +++ b/testing/scripts/xstart-umls @@ -67,10 +67,10 @@ do \$SWITCH_${host} \ mem=${MEM}M con=pty con0=fd:0,fd:1" & cgecho "done" + sleep 15 fi let "x0+=dx" let "y0+=dy" - sleep 15 done if [ -z "$BOOTING_HOSTS" ] diff --git a/testing/testing.conf b/testing/testing.conf index b9cb4bb30..b078ab2c0 100755 --- a/testing/testing.conf +++ b/testing/testing.conf 
@@ -19,19 +19,19 @@ UMLTESTDIR=~/strongswan-testing
 # Bzipped kernel sources
 # (file extension .tar.bz2 required)
-KERNEL=$UMLTESTDIR/linux-2.6.35.2.tar.bz2
+KERNEL=$UMLTESTDIR/linux-2.6.36.2.tar.bz2
 # Extract kernel version
 KERNELVERSION=`basename $KERNEL .tar.bz2 | sed -e 's/linux-//'`
 # Kernel configuration file
-KERNELCONFIG=$UMLTESTDIR/.config-2.6.35
+KERNELCONFIG=$UMLTESTDIR/.config-2.6.36
 # Bzipped uml patch for kernel
-#UMLPATCH=$UMLTESTDIR/xfrm_mark.patch.bz2
+UMLPATCH=$UMLTESTDIR/ha-2.6.36.patch.bz2
 # Bzipped source of strongSwan
-STRONGSWAN=$UMLTESTDIR/strongswan-4.4.2.tar.bz2
+STRONGSWAN=$UMLTESTDIR/strongswan-4.5.1.tar.bz2
 # strongSwan compile options (use "yes" or "no")
 USE_LIBCURL="yes"
@@ -48,13 +48,15 @@ USE_EAP_TNC="yes"
 USE_TNC_IMC="yes"
 USE_TNC_IMV="yes"
 USE_TNCCS_11="yes"
+USE_TNCCS_20="yes"
+USE_TNCCS_DYNAMIC="yes"
 USE_SQL="yes"
 USE_MEDIATION="yes"
 USE_OPENSSL="yes"
 USE_BLOWFISH="yes"
 USE_KERNEL_PFKEY="yes"
 USE_INTEGRITY_TEST="yes"
-USE_LEAK_DETECTIVE="yes"
+USE_LEAK_DETECTIVE="no"
 USE_LOAD_TESTER="yes"
 USE_TEST_VECTORS="yes"
 USE_GCRYPT="yes"
@@ -66,12 +68,14 @@ USE_ADDRBLOCK="yes"
 USE_CTR="yes"
 USE_CCM="yes"
 USE_GCM="yes"
+USE_HA="yes"
+USE_CISCO_QUIRKS="no"
 # Gentoo linux root filesystem
-ROOTFS=$UMLTESTDIR/gentoo-fs-20100805.tar.bz2
+ROOTFS=$UMLTESTDIR/gentoo-fs-20101120.tar.bz2
 # Size of the finished root filesystem in MB
-ROOTFSSIZE=700
+ROOTFSSIZE=800
 # Amount of Memory to use per UML [MB].
 # If "auto" is stated 1/12 of total host ram will be used.
diff --git a/testing/tests/ha/both-active/description.txt b/testing/tests/ha/both-active/description.txt
new file mode 100644
index 000000000..4c64fff97
--- /dev/null
+++ b/testing/tests/ha/both-active/description.txt
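Review bot: `USE_LEAK_DETECTIVE` flips from "yes" to "no" in the second hunk with no explanation, which silently removes memory-leak detection from every UML test run built from this file. If the HA plugin or the new 2.6.36 UML patch is what forces this, a comment next to the option keeps the trade-off visible, e.g. `# leak detective disabled: <reason — e.g. incompatible with the HA/ClusterIP setup>`; I can only infer the reason from the surrounding changes. Note also that `UMLPATCH` goes from commented-out to set (`ha-2.6.36.patch.bz2`), so a test host that lacks that file will presumably now fail at kernel build time instead of running unpatched.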
@@ -0,0 +1,8 @@
+The roadwarriors carol and dave set up a connection each
+to the virtual gateway mars implemented by the two real gateways
+alice and moon in a High Availability (HA) setup
+based on ClusterIP. Depending on the hash of the IP addresses of the peers
+and the SPIs, the inbound and outbound CHILD_SAs are either assigned to
+segment 1 managed by alice or segment 2 handled by moon.
+The IKEv2 protocol is managed by moon exclusively with passive
+IKE_SAs installed on the backup gateway alice.
diff --git a/testing/tests/ha/both-active/evaltest.dat b/testing/tests/ha/both-active/evaltest.dat
new file mode 100644
index 000000000..7256743ac
--- /dev/null
+++ b/testing/tests/ha/both-active/evaltest.dat
@@ -0,0 +1,20 @@
+moon::ipsec statusall::rw.*ESTABLISHED.*carol@strongswan.org::YES
+moon::ipsec statusall::rw.*ESTABLISHED.*dave@strongswan.org::YES
+alice::ipsec statusall::rw.*PASSIVE.*carol@strongswan.org::YES
+alice::ipsec statusall::rw.*PASSIVE.*dave@strongswan.org::YES
+carol::ipsec statusall::home.*ESTABLISHED::YES
+dave::ipsec statusall::home.*ESTABLISHED::YES
+alice::cat /var/log/daemon.log::HA segment 1 activated::YES
+moon::cat /var/log/daemon.log::HA segment 2 activated::YES
+alice::cat /var/log/daemon.log::installed HA CHILD_SA::YES
+moon::cat /var/log/daemon.log::handling HA CHILD_SA::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+carol::tcpdump::IP carol.strongswan.org > mars.strongswan.org: ESP::YES
+carol::tcpdump::IP mars.strongswan.org > carol.strongswan.org: ESP::YES
+dave::tcpdump::IP dave.strongswan.org > mars.strongswan.org: ESP::YES
+dave::tcpdump::IP mars.strongswan.org > dave.strongswan.org: ESP::YES
+venus::tcpdump::IP carol.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > carol.strongswan.org: ICMP echo reply::YES
+venus::tcpdump::IP dave.strongswan.org > venus.strongswan.org: ICMP echo request::YES
+venus::tcpdump::IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply::YES
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
new file mode 100755
index 000000000..95d3b8828
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # forward ESP-tunneled traffic
+ iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+ iptables -A FORWARD -i eth1 -m policy --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+ iptables -A FORWARD -o eth1 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
+
+ # clusterip rules
+ iptables -A INPUT -i eth1 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
+ --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 2
+ iptables -A INPUT -i eth0 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
+ --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 2
+
+ # allow esp
+ iptables -A INPUT -p 50 -j ACCEPT
+ iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+ iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth1 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth1 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth1 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # allow heartbeat
+ iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+ # allow ICMP type 3
+ iptables -A INPUT -i eth0 -d PH_IP_ALICE -s PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -s PH_IP_ALICE -d PH_IP_MOON1 -p icmp --icmp-type 3 -j ACCEPT
+
+ # allow IGMP multicasts
+ iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+ iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
new file mode 100755
index 000000000..09a5364f4
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.conf
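Review bot: The outbound IGMP rule `iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT` matches on a multicast source address, which a host never uses for packets it originates, so under the `OUTPUT DROP` default policy the host's own IGMP reports are dropped; the intent was presumably `iptables -A OUTPUT -d 224.0.0.0/4 -p igmp -j ACCEPT`. The moon copy of this script (the moon/etc/init.d/iptables section further down) carries the same rule. The heartbeat block also deserves a comment: the udp/4510 HA sync channel is admitted on source and destination address alone, and the evaltest expects CHILD_SA state to be installed from it, so these rules assume eth0 between alice and moon is a trusted back-end link, e.g. `# HA sync/heartbeat: unauthenticated, relies on eth0 being a dedicated link`.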
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=192.168.0.5
+ leftcert=marsCert.pem
+ leftid=@mars.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
new file mode 100644
index 000000000..5077ab15d
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/certs/marsCert.pem
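Review bot: `conn rw` has `right=%any` with no `rightid` or `rightca` constraint, so any peer presenting a certificate from a trusted CA can bring up a tunnel into `leftsubnet=10.1.0.0/16`, and with `strictcrlpolicy=no` a certificate whose CRL cannot be fetched is still accepted. That is the usual roadwarrior setup for this test suite, but a one-line comment such as `# test setup: any CA-issued certificate is accepted (no rightid/rightca)` would stop the file from being reused as a production template. The moon copy of this ipsec.conf later in the diff (same index 09a5364f4) is identical and needs the same note.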
@@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem new file mode 100644 index 000000000..9196315a3 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.d/private/marsKey.pem 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/alice/etc/ipsec.secrets 
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA marsKey.pem
diff --git a/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
new file mode 100644
index 000000000..c1745ec29
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/alice/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha
+ plugins {
+ ha {
+ local = PH_IP_ALICE
+ remote = PH_IP_MOON1
+ segment_count = 2
+ fifo_interface = yes
+ monitor = yes
+ }
+ }
+}
+
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..79e06d4de
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftfirewall=yes
+ right=192.168.0.5
+ rightid=@mars.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..af91a172a
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,5 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
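Review bot: The `ha { }` block in alice's strongswan.conf names the sync peer (`local`/`remote`) but configures no protection for the sync channel, and the matching firewall rule only passes plain udp/4510, so IKE_SA/CHILD_SA state (the evaltest expects `installed HA CHILD_SA` on alice) travels between alice and moon in the clear on eth0. If this strongSwan version already offers the plugin's `secret` option for tunnelling the sync traffic, a comment should say why it is deliberately left out here, e.g. `# HA sync intentionally unprotected: dedicated test link between alice and moon`. The moon copy of strongswan.conf further down mirrors this block with `local`/`remote` swapped and needs the same note.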
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..f75e13d2e
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftfirewall=yes
+ right=192.168.0.5
+ rightid=@mars.strongswan.org
+ rightsubnet=10.1.0.0/16
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..60dbb5ba2
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc ctr ccm gcm stroke kernel-netlink socket-default updown
+}
+
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..6f7a0316b
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,104 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # forward ESP-tunneled traffic
+ iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_CAROL -j ACCEPT
+ iptables -A FORWARD -m policy -i eth0 --dir in --pol ipsec --proto esp -s PH_IP_DAVE -j ACCEPT
+ iptables -A FORWARD -m policy -o eth0 --dir out --pol ipsec --proto esp -j ACCEPT
+
+ # clusterip rules
+ iptables -A INPUT -i eth0 -d 192.168.0.5 -j CLUSTERIP --new --hashmode sourceip \
+ --clustermac 01:00:c0:a8:00:05 --total-nodes 2 --local-node 1
+ iptables -A INPUT -i eth1 -d 10.1.0.5 -j CLUSTERIP --new --hashmode sourceip \
+ --clustermac 01:00:0a:01:00:05 --total-nodes 2 --local-node 1
+
+ # allow esp
+ iptables -A INPUT -p 50 -j ACCEPT
+ iptables -A OUTPUT -p 50 -d PH_IP_CAROL -j ACCEPT
+ iptables -A OUTPUT -p 50 -d PH_IP_DAVE -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ # allow heartbeat
+ iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p udp --dport 4510 --sport 4510 -j ACCEPT
+
+ # allow ICMP type 3
+ iptables -A INPUT -i eth1 -d PH_IP_MOON1 -s PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+ iptables -A OUTPUT -o eth1 -s PH_IP_MOON1 -d PH_IP_ALICE -p icmp --icmp-type 3 -j ACCEPT
+
+ # allow IGMP multicasts
+ iptables -A INPUT -d 224.0.0.1 -p igmp -j ACCEPT
+ iptables -A OUTPUT -s 224.0.0.1 -p igmp -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..09a5364f4
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,22 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+
+conn rw
+ left=192.168.0.5
+ leftcert=marsCert.pem
+ leftid=@mars.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=%any
+ keyexchange=ikev2
+ auto=add
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem new file mode 100644 index 000000000..5077ab15d --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/certs/marsCert.pem @@ -0,0 +1,25 @@ +-----BEGIN CERTIFICATE----- +MIIEQDCCAyigAwIBAgIBIzANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJDSDEZ +MBcGA1UEChMQTGludXggc3Ryb25nU3dhbjEbMBkGA1UEAxMSc3Ryb25nU3dhbiBS +b290IENBMB4XDTEwMTEyMDE2NTkyMloXDTE1MTExOTE2NTkyMlowZDELMAkGA1UE +BhMCQ0gxGTAXBgNVBAoTEExpbnV4IHN0cm9uZ1N3YW4xHDAaBgNVBAsTE1ZpcnR1 +YWwgVlBOIEdhdGV3YXkxHDAaBgNVBAMTE21hcnMuc3Ryb25nc3dhbi5vcmcwggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDSNOzGeYVXLzZv43dinLxAC67D +l/1pUIwZIT7pzWGTbbeYBgRQDIV46HAAJTxnYWEq2eEecTbLQhgX7QPUeOJXk9vU +j5FeCrNXkv01FPsjwRdvBCWwEHYhGczeP9/8Gg7zU36t3EySv5ZRYKqv6O42lrg+ +E79wm2BwdPik7G5mCLmXn3Bg1IKNJhBJWKkP366dpAukywP1gGMwmW3MqfVm2fXB +QVDlqCJjpvyNiJhW6UqOf+NkKZPugjlfWMQKyFxEC6krBDT4WdnoKj5S0hyyeAvG +7HlL5YSiPhd1DNaxV0OX/aBwYFW0zMZOVmYLv2cwRVf3LlP/3Nv66BtjtxwZAgMB +AAGjggEaMIIBFjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIDqDAdBgNVHQ4EFgQUuo7D +ahZ1x1JvkUAc2aAHvlfUu7EwbQYDVR0jBGYwZIAUXafdcAZRMn7ntm2zteXgYOou +Te+hSaRHMEUxCzAJBgNVBAYTAkNIMRkwFwYDVQQKExBMaW51eCBzdHJvbmdTd2Fu +MRswGQYDVQQDExJzdHJvbmdTd2FuIFJvb3QgQ0GCAQAwHgYDVR0RBBcwFYITbWFy +cy5zdHJvbmdzd2FuLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATA5BgNVHR8EMjAw +MC6gLKAqhihodHRwOi8vY3JsLnN0cm9uZ3N3YW4ub3JnL3N0cm9uZ3N3YW4uY3Js +MA0GCSqGSIb3DQEBCwUAA4IBAQCMaii+mvarQiElzu5VmIPQfrec+S5DUun9Di9/ +n23B8UdYtoITtu38vm2kHIo/oaYBFtUziBTFb48zyMJxVqc42JbwQ0CCO7TekJ2R +atGO72QG69hZkspfNijZr1576jBYyNxCfOOAXlf0zQpkVc0dcuxgQM1IrFH+cz+7 +ekupVdM2IZoouqWDU0M2nAze4du1rKAgG0Cuy3I4tCN43PR4BmggfaaKBOzU8Ju1 +b/FUFKKdPTrTfi52OywgzcDMZPyWgmHZb60koH7jXiVyP30OHVwMzU6kNXxOx2Le +i2lQE1/k8yL3k1ht48upXfuTZU4gUVCUc2CYUVHOOjNHk3BU +-----END CERTIFICATE----- 
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
new file mode 100644
index 000000000..9196315a3
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.d/private/marsKey.pem
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA0jTsxnmFVy82b+N3Ypy8QAuuw5f9aVCMGSE+6c1hk223mAYE +UAyFeOhwACU8Z2FhKtnhHnE2y0IYF+0D1HjiV5Pb1I+RXgqzV5L9NRT7I8EXbwQl +sBB2IRnM3j/f/BoO81N+rdxMkr+WUWCqr+juNpa4PhO/cJtgcHT4pOxuZgi5l59w +YNSCjSYQSVipD9+unaQLpMsD9YBjMJltzKn1Ztn1wUFQ5agiY6b8jYiYVulKjn/j +ZCmT7oI5X1jECshcRAupKwQ0+FnZ6Co+UtIcsngLxux5S+WEoj4XdQzWsVdDl/2g +cGBVtMzGTlZmC79nMEVX9y5T/9zb+ugbY7ccGQIDAQABAoIBAHmuW1W06KQEV33D +bctusWZdnOfqZq39C2xMm2+aDR7bh0iASyTPasAHxTXAWEv7ydSVVURbAv38H5hS +AkKPS26oz7sm9F480X4jP2Hn6EzVLKx9+RcHIGqe1cHdtdnod7kRHyajfMwCDZDD +5Wp46tQ8wSBmLA6SUuwmOfy2RF3ZKGSYUxZEA3Pj7oMuCwgUVg62MN5kbOdviW1u +DpRAWO3UE64nHYSFYeRiVRYmrZ0pOF2oBkfuALn2frcGX0v97xxNH9mpJfc1T6Km +KwfSpKtB5BlF4QRukZC3smoiO0aXI4ZuxuuRzujYIHJvp21+Lg5UybwOu/w4R1nB +UnaCZHUCgYEA7/5Q06+Mpn9UxxcP5tNGeeGEV5EVhXzLHq8IyTb+Dp8AnJ+EXuHK +QAiyxvavorZCQN9xAa3IOi1789NeaVWU7DKWI4pMfXETkFGYI2q08bf16XYAvSgt +AOeEKzILADHaqOKbLJhFxUIAGLJ4LP+IBapKrTHF5qELW6jO4YYaH1cCgYEA4DoG +3MgDnmCsikmDkP7Z/HS6XwAqKKF6CMlJW05Dq5J/wgWIXfBU9QdWbHl2H2fa/n1b +M8u3M4wA9NY7kKtan3VBDFxEARRcSX50YB1TCLnplDVO3IxYUkjfKhTjBFF9R0Iv +2nj8QXAnb+vbx+30Pbi7bkvb93nSe4yzXPFtKg8CgYEAuZso7Z5eG8JsUZEvdig9 +4DMehA6r41IRUUizddK3B53G/lqMKEldfsp7YU8VpLRqZvunzVGWgg/9RiRZZwOO +KmIxJYlnALj8FWhVTkbPbAYHBKiDh8dTjth+ql2Ijn0ADA89TW7yvsz9gBw+vyZd +D2yVVn8g++3e9+OFJHvvJf8CgYBHEn18W7Wx7Mij6JtYST+FIua0GBRE3rIUuOCU +nWEbsAroz+IijHwRUqsVJQbI+51RjyBqcYb3QshG0uT8fSPzaTIeHdy8TtzVusxe +bs0T9gHQpXkCtUWFh22dJBO1GbNQ8+zBHhovD8KgWi1G2OjS64wVcNwfPDD4UmfD +7Q6CBwKBgBOeDK7R5mGwC4nV1Y+KDBgvE/W8BloZpcD+d7sfZsrU8w7LemBKreDa +qT1vgk1ZOeHFkvwdWH7LSxRUEGRd+HmqOFKv/hfmxXHlepdnjqt4JMNo9UyddXmX +onErIOM7BXcBmqvY77ODDOk8ER3zUjKHvYUzxz4PPuEM3hGTTRbQ +-----END RSA PRIVATE KEY----- diff --git a/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..d65b96e34 --- /dev/null +++ b/testing/tests/ha/both-active/hosts/moon/etc/ipsec.secrets 
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA marsKey.pem
diff --git a/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..1cece26d2
--- /dev/null
+++ b/testing/tests/ha/both-active/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,15 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac stroke kernel-netlink socket-default ha
+ plugins {
+ ha {
+ local = PH_IP_MOON1
+ remote = PH_IP_ALICE
+ segment_count = 2
+ fifo_interface = yes
+ monitor = yes
+ }
+ }
+}
+
diff --git a/testing/tests/ha/both-active/posttest.dat b/testing/tests/ha/both-active/posttest.dat
new file mode 100644
index 000000000..49bf76055
--- /dev/null
+++ b/testing/tests/ha/both-active/posttest.dat
@@ -0,0 +1,17 @@
+carol::ipsec stop
+dave::ipsec stop
+moon::ipsec stop
+alice::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+alice::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::ip addr del 192.168.0.5/24 dev eth0
+moon::ip addr del 10.1.0.5/16 dev eth1
+alice::ip addr del 192.168.0.5/24 dev eth1
+alice::ip addr del 10.1.0.5/16 dev eth0
+alice::/etc/init.d/net.eth1 stop
+venus::ip route del default via 10.1.0.5 dev eth0
+venus::ip route add default via 10.1.0.1 dev eth0
+moon::conntrack -F
+alice::conntrack -F
diff --git a/testing/tests/ha/both-active/pretest.dat b/testing/tests/ha/both-active/pretest.dat
new file mode 100644
index 000000000..e2e509855
--- /dev/null
+++ b/testing/tests/ha/both-active/pretest.dat
@@ -0,0 +1,18 @@
+moon::ip addr add 192.168.0.5/24 dev eth0
+moon::ip addr add 10.1.0.5/16 dev eth1
+alice::/etc/init.d/net.eth1 start
+alice::ip addr add 192.168.0.5/24 dev eth1
+alice::ip addr add 10.1.0.5/16 dev eth0
+venus::ip route del default via 10.1.0.1 dev eth0
+venus::ip route add default via 10.1.0.5 dev eth0
+moon::/etc/init.d/iptables start 2> /dev/null
+alice::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+alice::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
diff --git a/testing/tests/ha/both-active/test.conf b/testing/tests/ha/both-active/test.conf
new file mode 100644
index 000000000..0473013e1
--- /dev/null
+++ b/testing/tests/ha/both-active/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="venus carol dave"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="alice moon carol dave"
diff --git a/testing/tests/ikev1/dpd-restart/evaltest.dat b/testing/tests/ikev1/dpd-restart/evaltest.dat
index c35a8019e..8bc2e8688 100644
--- a/testing/tests/ikev1/dpd-restart/evaltest.dat
+++ b/testing/tests/ikev1/dpd-restart/evaltest.dat
@@ -1,7 +1,7 @@
 moon::ipsec status::STATE_MAIN_I4 (ISAKMP SA established)::YES
 carol::iptables -I INPUT 1 -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
-moon::sleep 35::no output expected::NO
-carol::iptables -D INPUT 1::no output expected::NO
+carol::sleep 35::no output expected::NO
+carol::iptables -D INPUT -i eth0 -s PH_IP_MOON -j DROP::no output expected::NO
 moon::cat /var/log/auth.log::inserting event EVENT_DPD::YES
 moon::cat /var/log/auth.log::DPD: No response from peer - declaring peer dead::YES
 moon::cat /var/log/auth.log::DPD: Terminating all SAs using this connection::YES
diff --git a/testing/tests/ikev1/dynamic-initiator/pretest.dat b/testing/tests/ikev1/dynamic-initiator/pretest.dat
index acb432172..92681011f 100644
--- a/testing/tests/ikev1/dynamic-initiator/pretest.dat
+++ b/testing/tests/ikev1/dynamic-initiator/pretest.dat
@@ -10,4 +10,4 @@ carol::sleep 1
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 1
+dave::sleep 2
diff --git a/testing/tests/ikev1/dynamic-responder/pretest.dat b/testing/tests/ikev1/dynamic-responder/pretest.dat
index a330b1074..c0f166ff4 100644
--- a/testing/tests/ikev1/dynamic-responder/pretest.dat
+++ b/testing/tests/ikev1/dynamic-responder/pretest.dat
@@ -10,4 +10,4 @@ moon::sleep 1
 carol::iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 carol::iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
 dave::ipsec up moon
-dave::sleep 1
+dave::sleep 2
diff --git a/testing/tests/ikev1/net2net-start/pretest.dat b/testing/tests/ikev1/net2net-start/pretest.dat
index ed8f39316..f0c5bcec6 100644
--- a/testing/tests/ikev1/net2net-start/pretest.dat
+++ b/testing/tests/ikev1/net2net-start/pretest.dat
@@ -2,4 +2,4 @@ moon::/etc/init.d/iptables start 2> /dev/null
 sun::/etc/init.d/iptables start 2> /dev/null
 moon::ipsec start
 sun::ipsec start
-alice::sleep 12
+alice::sleep 20
diff --git a/testing/tests/ikev1/xauth-rsa-fail/description.txt b/testing/tests/ikev1/xauth-rsa-fail/description.txt
index 83e9d2726..98d85f30b 100644
--- a/testing/tests/ikev1/xauth-rsa-fail/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-fail/description.txt
@@ -2,4 +2,4 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) based on user name and password. Because user carol presents a wrong
-XAUTH password the IKE negotation is aborted and the ISAKMP SA is deleted.
+XAUTH password the IKE negotiation is aborted and the ISAKMP SA is deleted.
diff --git a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
index ffbb47c04..a6fe82330 100644
--- a/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
+++ b/testing/tests/ikev1/xauth-rsa-nosecret/description.txt
@@ -2,5 +2,5 @@ The roadwarrior carol sets up a connection to gateway moon. The authentication is based on RSA signatures (RSASIG) using X.509 certificates followed by extended authentication (XAUTH) based on user name and password. Because user carol cannot find her
-XAUTH credentials in ipsec.secrets, the IKE negotation is aborted and the
+XAUTH credentials in ipsec.secrets, the IKE negotiation is aborted and the
 ISAKMP SA is deleted.
diff --git a/testing/tests/ikev2/critical-extension/description.txt b/testing/tests/ikev2/critical-extension/description.txt
new file mode 100644
index 000000000..8c0d37c88
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/description.txt
@@ -0,0 +1,5 @@
+A connection between the subnets behind the gateways moon and sun is set up.
+The authentication is based on X.509 certificates which contain a critical but
+unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical
+extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf,
+sun discards such certificates and aborts the connection setup.
diff --git a/testing/tests/ikev2/critical-extension/evaltest.dat b/testing/tests/ikev2/critical-extension/evaltest.dat
new file mode 100644
index 000000000..8c2f8ec9d
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/evaltest.dat
@@ -0,0 +1,6 @@
+moon::cat /var/log/daemon.log::sending end entity cert::YES
+moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES
+sun::cat /var/log/daemon.log::critical 'strongSwan' extension not supported::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES
+sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES
+sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..2e3c9dde4
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_MOON
+ leftcert=moonCert.der
+ leftid=@moon.strongswan.org
+ leftsubnet=10.1.0.0/16
+ leftfirewall=yes
+ right=PH_IP_SUN
+ rightid=@sun.strongswan.org
+ rightsubnet=10.2.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der
new file mode 100644
index 000000000..7f78d5820
Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ
diff --git a/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..bfc83ab4d
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
+
+libstrongswan {
+ x509 {
+ enforce_critical = no
+ }
+}
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..19e197131
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+ mobike=no
+
+conn net-net
+ left=PH_IP_SUN
+ leftcert=sunCert.der
+ leftid=@sun.strongswan.org
+ leftsubnet=10.2.0.0/16
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ auto=add
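Review bot: `enforce_critical = no` in the `libstrongswan { x509 { ... } }` block is the single setting that makes moon accept the certificates this test is about, yet the fixture carries no comment saying so, and sun's strongswan.conf in the same commit has no libstrongswan block at all, so a reader has to go back to description.txt to learn why the two hosts behave differently. A comment directly above the option, e.g. `# test fixture: moon deliberately accepts certificates with unrecognised critical extensions; sun, which does not set this, rejects them`, would make the asymmetry explicit. It also marks the relaxation as intentional for this test so it is not copied into another host's configuration by accident.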
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der
new file mode 100644
index 000000000..c1efb6719
Binary files /dev/null and b/testing/tests/ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ
diff --git a/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..cb17a9e07
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/hosts/sun/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown
+ multiple_authentication = no
+}
diff --git a/testing/tests/ikev2/critical-extension/posttest.dat b/testing/tests/ikev2/critical-extension/posttest.dat
new file mode 100644
index 000000000..a4c96e10f
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/posttest.dat
@@ -0,0 +1,5 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+
diff --git a/testing/tests/ikev2/critical-extension/pretest.dat b/testing/tests/ikev2/critical-extension/pretest.dat
new file mode 100644
index 000000000..2d7a78acb
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/pretest.dat
@@ -0,0 +1,6 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+sun::ipsec start
+moon::sleep 1
+moon::ipsec up net-net
diff --git a/testing/tests/ikev2/critical-extension/test.conf b/testing/tests/ikev2/critical-extension/test.conf
new file mode 100644
index 000000000..41ee3037e
--- /dev/null
+++ b/testing/tests/ikev2/critical-extension/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
index 88f162098..47dab951f 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/carol/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random constraints x509 revocation hmac xcbc stroke kernel-netlink socket-default
 }
diff --git a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
index 88f162098..8335e51f6 100644
--- a/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
+++ b/testing/tests/ikev2/multi-level-ca-pathlen/hosts/moon/etc/strongswan.conf
@@ -1,5 +1,5 @@
 # /etc/strongswan.conf - strongSwan configuration file
 charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation constraints hmac xcbc stroke kernel-netlink socket-default
 }
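Review bot: The two new `load` lines insert the `constraints` plugin at different positions: carol's strongswan.conf lists it before `x509`, moon's lists it after `revocation`. Nothing on the page says whether the position in the load list matters; if it does not, aligning the two strings removes a difference that reads as intentional, and if plugin order affects the order in which certificate validators are consulted, the fixture should state the required placement in a comment above the line. Either way the two hosts of one test should agree.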
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt
new file mode 100644
index 000000000..350aefc60
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+RSA signature accompanied by a certificate.
+carol and dave then set up an EAP-TTLS tunnel each via moon to
+the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of carol and dave via the IF-TNCCS 1.1 client-server interface.
+carol passes the health test and dave fails. Based on these measurements carol
+is authenticated successfully and is granted access to the subnet behind moon whereas
+dave fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat
new file mode 100644
index 000000000..517ea9ab2
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/evaltest.dat
@@ -0,0 +1,14 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE /usr/share/freeradius/dictionary
+$INCLUDE /etc/raddb/dictionary.tnc
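Review bot: The final negative check, `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO`, is vacuous: a ping sent to PH_IP_ALICE can only ever be answered with `64 bytes from PH_IP_ALICE`, so the pattern never matches and the line passes even if dave's traffic does reach the subnet behind moon. It should read `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` so that the rejection of dave is actually verified by the test. The two NO lines at the end of testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat have the same mismatch between the pinged address and the address in the pattern (carol pings PH_IP_VENUS but the pattern names PH_IP_ALICE, dave pings PH_IP_ALICE but the pattern names PH_IP_VENUS) and need the same correction, since they are the only checks that the allow/isolate subnet separation holds.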
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE TNC-Status 3001 integer
+
+VALUE TNC-Status Access 0
+VALUE TNC-Status Isolate 1
+VALUE TNC-Status None 2
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ tnc_virtual_server = "inner-tunnel-second"
+ }
+}
+
+eap eap_tnc {
+ default_eap_type = tnc
+ tnc {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/proxy.conf
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/radiusd.conf 
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
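Review bot: The `modules` block includes `sql.conf` and `sql/mysql/counter.conf`, yet none of the virtual servers added in this commit (default, inner-tunnel, inner-tunnel-second) references an sql or counter module. If the two `$INCLUDE` lines are only carried over from a template, dropping them keeps the RADIUS server in this fixture from configuring a database module it never uses; if they are needed, a comment naming the site that uses them would help the next reader. The same question applies to `proxy_requests = yes`, which is backed only by a LOCAL realm in proxy.conf. The radiusd.conf hunk begins on the previous line of this page.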
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..2d4961288
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,23 @@
+server inner-tunnel-second {
+
+authorize {
+ eap_tnc {
+ ok = return
+ }
+}
+
+authenticate {
+ eap_tnc
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/init.d/iptables
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..fc8f84638
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
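Review bot: `eend $?` at the end of start() reports only the exit status of the last command, `iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT`, so a failure of any earlier rule (the RADIUS rules on eth1, for instance) is reported as success and the test goes on with a default-DROP firewall that is missing rules. Initialising `rc=0` before the rules, appending `|| rc=1` to each iptables invocation and closing with `eend $rc` would surface such failures instead of hiding them. start() also mixes `/sbin/iptables` for the policies with a bare `iptables` for the rules; using the absolute path throughout avoids a PATH lookup from an init script. The iptables hunk begins on the previous line of this page.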
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..4d2d3058d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,12 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
new file mode 100644
index 000000000..dc7d5934e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/pretest.dat
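Review bot: The eap-radius `secret = gv6URkSs` has to stay identical to the `secret` of `client PH_IP_MOON1` in alice's raddb/clients.conf, but neither file points at the other, so a change to one silently breaks RADIUS authentication for moon. A comment on the secret line, e.g. `# must match client PH_IP_MOON1 in alice:/etc/raddb/clients.conf`, makes the coupling visible to whoever edits either fixture. The same shared secret is reused unchanged by the clients.conf of the rw-eap-tnc-11-radius test in this commit, so the comment applies there as well.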
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
new file mode 100644
index 000000000..bb6b68687
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
new file mode 100644
index 000000000..7eebd3d4d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection each to gateway moon.
+At the outset the gateway authenticates itself to the clients by sending an IKEv2
+RSA signature accompanied by a certificate.
+carol and dave then set up an EAP-TTLS tunnel each via moon to
+the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
+The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of carol and dave via the IF-TNCCS 1.1 client-server interface.
+carol passes the health test and dave fails. Based on these measurements the
+clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
new file mode 100644
index 000000000..d0ea22ba9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
new file mode 100644
index 000000000..f4e179aa4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/clients.conf
@@ -0,0 +1,4 @@
+client PH_IP_MOON1 {
+ secret = gv6URkSs
+ shortname = moon
+}
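Review bot: The two negative reachability checks in evaltest.dat are vacuous: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` greps the output of a ping to venus for alice's address, which can never appear there, so the line passes even when carol can reach venus, and the dave line carries the mirrored slip. The allow/isolate separation the test is meant to prove is therefore not actually asserted. The pattern should name the pinged host: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. The evaltest.dat of rw-eap-tnc-11 further down in this patch repeats the same two lines.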
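Review bot: The RADIUS shared secret `gv6URkSs` in clients.conf is duplicated verbatim in moon's strongswan.conf later in this patch (`eap-radius { secret = gv6URkSs ... }`), with nothing tying the two copies together, and a mismatch surfaces only as a silent Access-Reject. A comment such as `# test-only secret; must match charon.plugins.eap-radius.secret on moon` in both files would make the coupling explicit and mark the value as harness-only so it is not carried into a deployment template.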
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
new file mode 100644
index 000000000..1a27a02fc
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary
@@ -0,0 +1,2 @@
+$INCLUDE /usr/share/freeradius/dictionary
+$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
new file mode 100644
index 000000000..f295467a9
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/dictionary.tnc
@@ -0,0 +1,5 @@
+ATTRIBUTE TNC-Status 3001 integer
+
+VALUE TNC-Status Access 0
+VALUE TNC-Status Isolate 1
+VALUE TNC-Status None 2
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
new file mode 100644
index 000000000..31556361e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/eap.conf
@@ -0,0 +1,25 @@
+eap {
+ md5 {
+ }
+ default_eap_type = ttls
+ tls {
+ private_key_file = /etc/raddb/certs/aaaKey.pem
+ certificate_file = /etc/raddb/certs/aaaCert.pem
+ CA_file = /etc/raddb/certs/strongswanCert.pem
+ cipher_list = "DEFAULT"
+ dh_file = /etc/raddb/certs/dh
+ random_file = /etc/raddb/certs/random
+ }
+ ttls {
+ default_eap_type = md5
+ use_tunneled_reply = yes
+ virtual_server = "inner-tunnel"
+ tnc_virtual_server = "inner-tunnel-second"
+ }
+}
+
+eap eap_tnc {
+ default_eap_type = tnc
+ tnc {
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
new file mode 100644
index 000000000..23cba8d11
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/proxy.conf
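Review bot: In eap.conf the `eap {}` instance lists `md5 { }` as an outer method alongside `default_eap_type = ttls`, so a peer that NAKs TTLS can be authenticated with bare EAP-MD5 outside the tunnel that the description says exists to protect that weak method. The stanza is presumably needed because `ttls { default_eap_type = md5 }` reuses this same instance for the inner tunnel, so it cannot simply be removed; the trade-off deserves a comment next to it, e.g. `# md5 is required for the TTLS inner tunnel; note it is thereby also offered as an outer method`. A separate `eap` instance dedicated to the inner tunnel would close the downgrade path if the FreeRADIUS version in the alice image supports that layout.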
@@ -0,0 +1,5 @@
+realm strongswan.org {
+ type = radius
+ authhost = LOCAL
+ accthost = LOCAL
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
new file mode 100644
index 000000000..1143a0473
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/radiusd.conf
@@ -0,0 +1,120 @@
+# radiusd.conf -- FreeRADIUS server configuration file.
+
+prefix = /usr
+exec_prefix = ${prefix}
+sysconfdir = /etc
+localstatedir = /var
+sbindir = ${exec_prefix}/sbin
+logdir = ${localstatedir}/log/radius
+raddbdir = ${sysconfdir}/raddb
+radacctdir = ${logdir}/radacct
+
+# name of the running server. See also the "-n" command-line option.
+name = radiusd
+
+# Location of config and logfiles.
+confdir = ${raddbdir}
+run_dir = ${localstatedir}/run/radiusd
+
+# Should likely be ${localstatedir}/lib/radiusd
+db_dir = ${raddbdir}
+
+# libdir: Where to find the rlm_* modules.
+libdir = ${exec_prefix}/lib
+
+# pidfile: Where to place the PID of the RADIUS server.
+pidfile = ${run_dir}/${name}.pid
+
+# max_request_time: The maximum time (in seconds) to handle a request.
+max_request_time = 30
+
+# cleanup_delay: The time to wait (in seconds) before cleaning up
+cleanup_delay = 5
+
+# max_requests: The maximum number of requests which the server keeps
+max_requests = 1024
+
+# listen: Make the server listen on a particular IP address, and send
+listen {
+ type = auth
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# This second "listen" section is for listening on the accounting
+# port, too.
+#
+listen {
+ type = acct
+ ipaddr = PH_IP_ALICE
+ port = 0
+}
+
+# hostname_lookups: Log the names of clients or just their IP addresses
+hostname_lookups = no
+
+# Core dumps are a bad thing. This should only be set to 'yes'
+allow_core_dumps = no
+
+# Regular expressions
+regular_expressions = yes
+extended_expressions = yes
+
+# Logging section. The various "log_*" configuration items
+log {
+ destination = files
+ file = ${logdir}/radius.log
+ syslog_facility = daemon
+ stripped_names = no
+ auth = yes
+ auth_badpass = yes
+ auth_goodpass = yes
+}
+
+# The program to execute to do concurrency checks.
+checkrad = ${sbindir}/checkrad
+
+# Security considerations
+security {
+ max_attributes = 200
+ reject_delay = 1
+ status_server = yes
+}
+
+# PROXY CONFIGURATION
+proxy_requests = yes
+$INCLUDE proxy.conf
+
+# CLIENTS CONFIGURATION
+$INCLUDE clients.conf
+
+# THREAD POOL CONFIGURATION
+thread pool {
+ start_servers = 5
+ max_servers = 32
+ min_spare_servers = 3
+ max_spare_servers = 10
+ max_requests_per_server = 0
+}
+
+# MODULE CONFIGURATION
+modules {
+ $INCLUDE ${confdir}/modules/
+ $INCLUDE eap.conf
+ $INCLUDE sql.conf
+ $INCLUDE sql/mysql/counter.conf
+}
+
+# Instantiation
+instantiate {
+ exec
+ expr
+ expiration
+ logintime
+}
+
+# Policies
+$INCLUDE policy.conf
+
+# Include all enabled virtual hosts
+$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
new file mode 100644
index 000000000..802fcfd8d
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/default
@@ -0,0 +1,44 @@
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+preacct {
+ preprocess
+ acct_unique
+ suffix
+ files
+}
+
+accounting {
+ detail
+ unix
+ radutmp
+ attr_filter.accounting_response
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ exec
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
new file mode 100644
index 000000000..e088fae14
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
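Review bot: The `log {}` block of radiusd.conf sets `auth_badpass = yes` and `auth_goodpass = yes`, which makes FreeRADIUS append any User-Password it receives to `${logdir}/radius.log` in clear. The EAP-MD5 flow exercised here carries no cleartext password and none of the evaltest.dat patterns in this patch read alice's radius.log, so the settings buy the test nothing while leaving a credential-logging default in a config that tends to be copied between tests; `auth_badpass = no` and `auth_goodpass = no` would be the safer baseline. Separately, `modules {}` pulls in `sql.conf` and `sql/mysql/counter.conf` although no virtual server in this patch references sql or counter; if those files are absent from the alice image radiusd refuses to start, and if present the modules are loaded for nothing.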
@@ -0,0 +1,32 @@
+server inner-tunnel {
+
+authorize {
+ suffix
+ eap {
+ ok = return
+ }
+ files
+}
+
+authenticate {
+ eap
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+pre-proxy {
+}
+
+post-proxy {
+ eap
+}
+
+} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
new file mode 100644
index 000000000..f91bccc72
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
@@ -0,0 +1,36 @@
+server inner-tunnel-second {
+
+authorize {
+ eap_tnc {
+ ok = return
+ }
+}
+
+authenticate {
+ eap_tnc
+}
+
+session {
+ radutmp
+}
+
+post-auth {
+ if (control:TNC-Status == "Access") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "allow"
+ }
+ }
+ elsif (control:TNC-Status == "Isolate") {
+ update reply {
+ Tunnel-Type := ESP
+ Filter-Id := "isolate"
+ }
+ }
+
+ Post-Auth-Type REJECT {
+ attr_filter.access_reject
+ }
+}
+
+} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
new file mode 100644
index 000000000..50ccf3e76
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/raddb/users
@@ -0,0 +1,2 @@
+carol Cleartext-Password := "Ar3etTnp"
+dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
new file mode 100644
index 000000000..a9509a716
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/alice/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for TNC@FHH-TNC-Server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
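Review bot: The `post-auth` section of inner-tunnel-second handles only `control:TNC-Status == "Access"` and `== "Isolate"`; the third value declared in dictionary.tnc, `None`, and an attribute that was never set both fall through to an Access-Accept without a Filter-Id, so the RADIUS decision fails open and the test relies on moon having no conn that matches a group-less peer. An `else { reject }` branch after the `elsif` would make the policy fail closed where the decision is made, assuming unlang's `reject` return code is honoured in post-auth by the FreeRADIUS version in the alice image. A one-line comment stating that unknown statuses are deliberately rejected would document the intent for the next reader.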
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..9cf2b43c4
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..998e6c2e5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsubnet=10.1.0.0/16
+ rightauth=pubkey
+ aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
new file mode 100755
index 000000000..56587b2e8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/init.d/iptables
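Review bot: dave's `dummyimc.file` is committed without a trailing newline (`\ No newline at end of file`) whereas carol's `allow` file has one, so the two hosts feed the dummy IMC input of different shape. Whether the IMC trims the newline before comparing cannot be told from this patch; making both files identical in form, either both with or both without the terminating newline, removes one variable from the allow/isolate comparison the test is built on. The same pair recurs under rw-eap-tnc-11 further down.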
@@ -0,0 +1,84 @@
+#!/sbin/runscript
+# Copyright 1999-2004 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+opts="start stop reload"
+
+depend() {
+ before net
+ need logger
+}
+
+start() {
+ ebegin "Starting firewall"
+
+ # enable IP forwarding
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+
+ # default policy is DROP
+ /sbin/iptables -P INPUT DROP
+ /sbin/iptables -P OUTPUT DROP
+ /sbin/iptables -P FORWARD DROP
+
+ # allow esp
+ iptables -A INPUT -i eth0 -p 50 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
+
+ # allow IKE
+ iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
+
+ # allow MobIKE
+ iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
+
+ # allow crl fetch from winnetou
+ iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
+ iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
+
+ # allow RADIUS protocol with alice
+ iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
+ iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
+
+ # allow ssh
+ iptables -A INPUT -p tcp --dport 22 -j ACCEPT
+ iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
+
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+
+ if [ $a == nat ]; then
+ /sbin/iptables -t nat -P PREROUTING ACCEPT
+ /sbin/iptables -t nat -P POSTROUTING ACCEPT
+ /sbin/iptables -t nat -P OUTPUT ACCEPT
+ elif [ $a == mangle ]; then
+ /sbin/iptables -t mangle -P PREROUTING ACCEPT
+ /sbin/iptables -t mangle -P INPUT ACCEPT
+ /sbin/iptables -t mangle -P FORWARD ACCEPT
+ /sbin/iptables -t mangle -P OUTPUT ACCEPT
+ /sbin/iptables -t mangle -P POSTROUTING ACCEPT
+ elif [ $a == filter ]; then
+ /sbin/iptables -t filter -P INPUT ACCEPT
+ /sbin/iptables -t filter -P FORWARD ACCEPT
+ /sbin/iptables -t filter -P OUTPUT ACCEPT
+ fi
+ done
+ eend $?
+}
+
+reload() {
+ ebegin "Flushing firewall"
+ for a in `cat /proc/net/ip_tables_names`; do
+ /sbin/iptables -F -t $a
+ /sbin/iptables -X -t $a
+ done;
+ eend $?
+ start
+}
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..33dcdcfb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,35 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=pubkey
+ leftfirewall=yes
+ rightauth=eap-radius
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
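Review bot: In `start()` of moon's iptables script, `eend $?` reports only the exit status of the final `iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT` rule, so a failure in any earlier rule (for instance the eth1 RADIUS rules towards PH_IP_ALICE) is reported as success and the partially applied ruleset goes unnoticed; `stop()` and `reload()` have the same shape. Carrying a status across the list, e.g. `rc=0` before the first rule, `|| rc=1` on each, and `eend $rc` at the end, would surface such a case. The function also mixes `/sbin/iptables` and bare `iptables`; one form used consistently would be clearer. The `[ $a == nat ]` tests depend on bash's `==` inside `[`, which is fine under Gentoo's runscript but not under a POSIX sh.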
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..e86d6aa5c
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f4e456bbe
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
+ multiple_authentication=no
+ plugins {
+ eap-radius {
+ secret = gv6URkSs
+ server = PH_IP_ALICE
+ filter_id = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
new file mode 100644
index 000000000..132752119
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/posttest.dat
@@ -0,0 +1,8 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+alice::/etc/init.d/radiusd stop
+alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
new file mode 100644
index 000000000..8dd865819
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/pretest.dat
@@ -0,0 +1,18 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
+alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
+alice::/etc/init.d/radiusd start
+alice::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
new file mode 100644
index 000000000..2a52df203
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11-radius/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS="alice"
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/description.txt b/testing/tests/ikev2/rw-eap-tnc-11/description.txt
new file mode 100644
index 000000000..4b4808c94
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/description.txt
@@ -0,0 +1,9 @@
+The roadwarriors carol and dave set up a connection each to gateway moon
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of carol and dave via the IF-TNCCS 1.1 client-server interface.
+carol passes the health test and dave fails. Based on these measurements the
+clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
new file mode 100644
index 000000000..a02755148
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..c12143cb1
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,6 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..f8700d3c5
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,13 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-11/test.conf b/testing/tests/ikev2/rw-eap-tnc-11/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-11/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
new file mode 100644
index 000000000..c7422aa46
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection each to gateway moon
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of carol and dave via the IF-TNCCS 2.0 client-server interface
+compliant with RFC 5793 PB-TNC.
+

+carol passes the health test and dave fails. Based on these measurements
+carol is authenticated successfully and is granted access to the subnet behind
+moon whereas dave fails the layered EAP authentication and is rejected.
+

diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
new file mode 100644
index 000000000..f1753c208
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/evaltest.dat
@@ -0,0 +1,12 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Denied'::YES
+dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.conf
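Review bot: The negative reachability check on the last line of the evaltest.dat hunk, `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO`, pings alice but greps for a reply from venus, so the `NO` holds whether or not dave can reach the protected subnet and the blocking this test exists to prove is never actually verified. The absent string must name the host that was pinged: `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. The preceding `CHILD_SA home{1} established ... ::NO` line only shows that no SA was negotiated, which is weaker than showing traffic is dropped.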
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..1a39b8c57
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = de, en
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..eb7007726
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,14 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imc {
+ preferred_language = ru, fr, en
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..621e94f0e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+none
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..6747b4a4a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,26 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftsubnet=10.1.0.0/16
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..20caf8e84
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,19 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ tnc-imv {
+ recommendation_policy = all
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/posttest.dat
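Review bot: `recommendation_policy = all` in moon's tnc-imv block is the one setting that distinguishes this "block" variant from the quarantine variants, and it is the reason dave's `none` measurement ends in an 'Access Denied' recommendation and an EAP failure in evaltest.dat earlier in this diff, yet nothing in the file says so. A comment above the line would record the intent, e.g. `# every loaded IMV must recommend 'allow'; anything else denies access (no isolation group)` — the precise semantics of the `all` value are defined by the tnc-imv plugin and not visible here, so confirm the wording against it. Without the comment a reader of the otherwise identical rw-eap-tnc-20 configuration has no way to see why the two tests diverge.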
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-block/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
new file mode 100644
index 000000000..54590a951
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/description.txt
@@ -0,0 +1,10 @@
+The roadwarriors carol and dave set up a connection each to gateway moon,
+both ends doing certificate-based EAP-TLS authentication only.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of carol and dave via the IF-TNCCS 2.0 client-server interface
+compliant with RFC 5793 PB-TNC.
+

+carol passes the health test and dave fails. Based on these measurements the
+clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+

diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
new file mode 100644
index 000000000..bbc0603b6
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..1b6274215
--- /dev/null
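Review bot: Both isolation checks in this evaltest.dat hunk are vacuous: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` pings venus but looks for a reply from alice, and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` does the reverse, so each `NO` passes even when the allow/isolate split at moon is not enforced. The expected-absent strings must name the pinged host: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. Separately, the two `MSK established ::YES` patterns carry a space before `::`, unlike the same check in the rw-eap-tnc-20-block variant; if the daemon message ends at `established` that pattern cannot match and the positive check fails for the wrong reason, so the space looks accidental.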
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftcert=carolCert.pem
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/carol/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..54c06b12e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,24 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftcert=daveCert.pem
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..a5a9a68f3
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/dave/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..04a243cad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/strongswan.conf
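Review bot: moon's ipsec.secrets for the tls variant still carries `carol@strongswan.org : EAP "Ar3etTnp"` and `dave@strongswan.org : EAP "W7R0g3do"`, copied unchanged from the password-based variants, although this test is described as certificate-only and neither carol nor dave receives an ipsec.secrets file here (their hunks earlier in this diff add only ipsec.conf, strongswan.conf and the tnc files). Credentials the gateway accepts but no client is meant to use are a latent fallback path and obscure what the test exercises; drop the two EAP lines so the file holds only `: RSA moonKey.pem`, or comment on why they are kept. Whether the eap-ttls phase-2 default would still accept these passwords after a client-certificate check depends on the plugin and is not visible in this hunk.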
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ request_peer_auth = yes
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..ac436a344
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/hosts/moon/etc/tnc_config
@@ -0,0 +1,3 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
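Review bot: `request_peer_auth = yes` in moon's eap-ttls block is the single line that makes this variant certificate-based (carol and dave supply carolCert.pem/daveCert.pem in their ipsec.conf hunks), but it is undocumented and the `load` line still pulls in `eap-md5`, which a certificate-only path presumably does not need. Suggest `# require a TLS client certificate inside EAP-TTLS instead of a phase-2 password method` above the setting, and dropping `eap-md5` from `load` if the phase-2 default is indeed not invoked once the peer certificate is verified — confirm against the eap-ttls plugin before removing it. Loading an authentication method the test does not intend to use widens what the gateway will negotiate and hides a misconfiguration that would otherwise fail loudly.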
diff --git a/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20-tls/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/description.txt b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
new file mode 100644
index 000000000..6a9c5dde8
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/description.txt
@@ -0,0 +1,11 @@
+The roadwarriors carol and dave set up a connection each to gateway moon
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of carol and dave via the TNCCS 2.0 client-server interface
+compliant with RFC 5793 PB-TNC.
+

+carol passes the health test and dave fails. Based on these measurements the
+clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+

diff --git a/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
new file mode 100644
index 000000000..737c9b9ef
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/evaltest.dat
@@ -0,0 +1,19 @@
+carol::cat /var/log/daemon.log::PB-TNC access recommendation is 'Access Allowed'::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
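Review bot: The two isolation checks in this evaltest.dat hunk cannot fail: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO` pings venus but searches for a reply from alice, and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` does the reverse, so the `NO` verdict holds even if the rw-allow/rw-isolate split at moon is not enforced. The absent string must name the pinged host: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. The `moon::ipsec statusall` lines above only confirm which traffic selectors were installed, not that traffic outside them is dropped, so the ping checks are the only real enforcement test here. As in the tls variant, the `MSK established ::YES` patterns carry a space before `::` that the block variant does not; if the logged message ends at `established` these lines never match.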
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/strongswan.conf
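Review bot: carol's tnc_config in this variant loads a second IMC, `IMC "HostScanner" /usr/local/lib/libhostscannerimc.so`, that none of the other variants use, but the rw-eap-tnc-20 evaltest.dat earlier in this diff contains no expectation tied to it, so a HostScanner IMC that fails to load or never exchanges a measurement would leave the test green. Whether moon loads a matching IMV is outside this view (moon's tnc_config hunk starts at the end of this chunk and is cut off). Either add a daemon.log check for the HostScanner exchange to evaltest.dat, or state in a comment next to the line that the IMC is present only to exercise multi-IMC message handling and is deliberately unasserted.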
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..c20b5e57f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..b76c1cd55
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-20 tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..67896d543
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
+IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-20/test.conf b/testing/tests/ikev2/rw-eap-tnc-20/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-20/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-block/description.txt
deleted file mode 100644
index 51423177a..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/description.txt
+++ /dev/null
@@ -1,8 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-carol passes the health test and dave fails. Based on these measurements
-carol is authenticated successfully and is granted access to the subnet behind
-moon whereas dave fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
deleted file mode 100644
index 2304df23e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/evaltest.dat
+++ /dev/null
@@ -1,12 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c19192dae..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 7d5ea8b83..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 621e94f0e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-none
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 6747b4a4a..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=no
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8700d3c5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
- multiple_authentication=no
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
deleted file mode 100644
index ce897d181..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-block/test.conf
deleted file mode 100644
index e28b8259b..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-block/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
new file mode 100644
index 000000000..21e9bc675
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/description.txt
@@ -0,0 +1,12 @@
+The roadwarriors carol and dave set up a connection each to gateway moon
+using EAP-TTLS authentication only with the gateway presenting a server certificate and
+the clients doing EAP-MD5 password-based authentication.
+In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
+health of TNC client carol via the TNCCS 1.1 client-server interface and of
+TNC client dave via the TNCCS 2.0 client-server interface. TNC server
+moon dynamically detects which version of the IF-TNCCS protocol is used.
+

+carol passes the health test and dave fails. Based on these measurements the
+clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
+respectively.
+

diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
new file mode 100644
index 000000000..2c7a2dbd7
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/evaltest.dat
@@ -0,0 +1,27 @@
+carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
+carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
+dave::cat /var/log/daemon.log::PB-TNC access recommendation is 'Quarantined'::YES
+dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
+dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
+dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
+moon::cat /var/log/daemon.log::TNCCS 1.1 protocol detected dynamically::YES
+moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 1::YES
+moon::cat /var/log/daemon.log::Final recommendation is 'allow' and evaluation is 'compliant'::YES
+moon::cat /var/log/daemon.log::added group membership 'allow'::YES
+moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::removed TNCCS Connection ID 1::YES
+moon::cat /var/log/daemon.log::TNCCS 2.0 protocol detected dynamically::YES
+moon::cat /var/log/daemon.log::assigned TNCCS Connection ID 2::YES
+moon::cat /var/log/daemon.log::Final recommendation is 'isolate' and evaluation is 'non-compliant minor'::YES
+moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
+moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
+moon::cat /var/log/daemon.log::removed TNCCS Connection ID 2::YES
+moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
+moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
+carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
+carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: 
icmp_seq=1::NO
+dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf
new file mode 100755
index 000000000..c19192dae
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_CAROL
+ leftid=carol@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets
new file mode 100644
index 000000000..74942afda
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
new file mode 100644
index 000000000..6a12318db
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-1.1
+ }
+ }
+}
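Review bot: The two negative ping checks in the rw-eap-tnc-dynamic evaltest.dat cannot fail, so the subnet separation this scenario exists to prove is never actually verified: `carol::ping -c 1 PH_IP_VENUS` is matched against `64 bytes from PH_IP_ALICE:` and `dave::ping -c 1 PH_IP_ALICE` against `64 bytes from PH_IP_VENUS:`, strings a reply from the pinged host would never contain, so `::NO` holds whether or not the rw-allow/rw-isolate split is enforced. The expected-output field should name the host actually pinged: `carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::NO` and `dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::NO`. Separately, both `EAP method EAP_TTLS succeeded, MSK established ::YES` lines carry a blank before `::` that the otherwise identical pattern in the removed rw-eap-tnc-block fixture did not have; if the daemon's message has no trailing blank, those two checks will not match either.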
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..f5da834c0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/carol/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
new file mode 100755
index 000000000..7d5ea8b83
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.conf
@@ -0,0 +1,23 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn home
+ left=PH_IP_DAVE
+ leftid=dave@strongswan.org
+ leftauth=eap
+ leftfirewall=yes
+ right=PH_IP_MOON
+ rightid=@moon.strongswan.org
+ rightsendcert=never
+ rightsubnet=10.1.0.0/16
+ auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
new file mode 100644
index 000000000..5496df7ad
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
new file mode 100644
index 000000000..b2aa2806a
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/strongswan.conf
@@ -0,0 +1,11 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-20 updown
+ multiple_authentication=no
+ plugins {
+ eap-tnc {
+ protocol = tnccs-2.0
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
new file mode 100644
index 000000000..33945dc1e
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc/dummyimc.file
@@ -0,0 +1 @@
+isolate
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
new file mode 100644
index 000000000..3797993fa
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/dave/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMC configuration file for strongSwan client
+
+IMC "Dummy" /usr/local/lib/libdummyimc.so
+IMC "HostScanner" /usr/local/lib/libhostscannerimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
new file mode 100755
index 000000000..50514c99f
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,36 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ strictcrlpolicy=no
+ plutostart=no
+ charondebug="tls 2, tnc 3"
+
+conn %default
+ ikelifetime=60m
+ keylife=20m
+ rekeymargin=3m
+ keyingtries=1
+ keyexchange=ikev2
+
+conn rw-allow
+ rightgroups=allow
+ leftsubnet=10.1.0.0/28
+ also=rw-eap
+ auto=add
+
+conn rw-isolate
+ rightgroups=isolate
+ leftsubnet=10.1.0.16/28
+ also=rw-eap
+ auto=add
+
+conn rw-eap
+ left=PH_IP_MOON
+ leftcert=moonCert.pem
+ leftid=@moon.strongswan.org
+ leftauth=eap-ttls
+ leftfirewall=yes
+ rightauth=eap-ttls
+ rightid=*@strongswan.org
+ rightsendcert=never
+ right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
new file mode 100644
index 000000000..2e277ccb0
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/ipsec.secrets
@@ -0,0 +1,6 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+: RSA moonKey.pem
+
+carol@strongswan.org : EAP "Ar3etTnp"
+dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
new file mode 100644
index 000000000..a1a4a4747
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/strongswan.conf
@@ -0,0 +1,16 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnccs-20 tnccs-dynamic tnc-imv updown
+ multiple_authentication=no
+ plugins {
+ eap-ttls {
+ phase2_method = md5
+ phase2_piggyback = yes
+ phase2_tnc = yes
+ }
+ eap-tnc {
+ protocol = tnccs-dynamic
+ }
+ }
+}
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
new file mode 100644
index 000000000..67896d543
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/hosts/moon/etc/tnc_config
@@ -0,0 +1,4 @@
+#IMV configuration file for strongSwan server
+
+IMV "Dummy" /usr/local/lib/libdummyimv.so
+IMV "HostScanner" /usr/local/lib/libhostscannerimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
new file mode 100644
index 000000000..7cebd7f25
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
new file mode 100644
index 000000000..ce897d181
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/pretest.dat
@@ -0,0 +1,15 @@
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::cat /etc/tnc_config
+carol::cat /etc/tnc_config
+dave::cat /etc/tnc_config
+carol::cat /etc/tnc/dummyimc.file
+dave::cat /etc/tnc/dummyimc.file
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
+dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
new file mode 100644
index 000000000..e28b8259b
--- /dev/null
+++ b/testing/tests/ikev2/rw-eap-tnc-dynamic/test.conf
@@ -0,0 +1,26 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon carol winnetou dave"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-c-w-d.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="moon"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon carol dave"
+
+# UML instances on which FreeRadius is started
+#
+RADIUSHOSTS=
+
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
deleted file mode 100644
index 350aefc60..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/description.txt
+++ /dev/null
@@ -1,11 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-RSA signature accompanied by a certificate.
-carol and dave then set up an EAP-TTLS tunnel each via moon to
-the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-carol passes the health test and dave fails. Based on these measurements carol
-is authenticated successfully and is granted access to the subnet behind moon whereas
-dave fails the layered EAP authentication and is rejected.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
deleted file mode 100644
index 517ea9ab2..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/evaltest.dat
+++ /dev/null
@@ -1,14 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/16::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*none::YES
-dave::cat /var/log/daemon.log::received EAP_FAILURE, EAP authentication failed::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.0/16::NO
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::RADIUS authentication of 'dave@strongswan.org' failed::YES
-moon::cat /var/log/daemon.log::EAP method EAP_TTLS failed for peer dave@strongswan.org::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE /usr/share/freeradius/dictionary
-$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE TNC-Status 3001 integer
-
-VALUE TNC-Status Access 0
-VALUE TNC-Status Isolate 1
-VALUE TNC-Status None 2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
- md5 {
- }
- default_eap_type = ttls
- tls {
- private_key_file = /etc/raddb/certs/aaaKey.pem
- certificate_file = /etc/raddb/certs/aaaCert.pem
- CA_file = /etc/raddb/certs/strongswanCert.pem
- cipher_list = "DEFAULT"
- dh_file = /etc/raddb/certs/dh
- random_file = /etc/raddb/certs/random
- }
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
- type = radius
- authhost = LOCAL
- accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index 2d4961288..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,23 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol Cleartext-Password := "Ar3etTnp"
-dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
deleted file mode 100644
index a9509a716..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for TNC@FHH-TNC-Server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9cf2b43c4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 998e6c2e5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index 621e94f0e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-none
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index fc8f84638..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=no
- plutostart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-eap
- left=PH_IP_MOON
- leftsubnet=10.1.0.0/16
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 4d2d3058d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
- multiple_authentication=no
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
deleted file mode 100644
index 132752119..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
deleted file mode 100644
index dc7d5934e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::/etc/init.d/radiusd start
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
deleted file mode 100644
index bb6b68687..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius-block/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt b/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
deleted file mode 100644
index 7eebd3d4d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/description.txt
+++ /dev/null
@@ -1,10 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon.
-At the outset the gateway authenticates itself to the clients by sending an IKEv2
-RSA signature accompanied by a certificate.
-carol and dave then set up an EAP-TTLS tunnel each via moon to
-the FreeRADIUS server alice authenticated by an X.509 AAA certificate.
-The strong EAP-TTLS tunnel protects the ensuing weak client authentication based on EAP-MD5.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-carol passes the health test and dave fails. Based on these measurements the
-clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets, respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
deleted file mode 100644
index d0ea22ba9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with RSA signature successful::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::received RADIUS attribute Filter-Id: 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
deleted file mode 100644
index f4e179aa4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/clients.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-client PH_IP_MOON1 {
- secret = gv6URkSs
- shortname = moon
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
deleted file mode 100644
index 1a27a02fc..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary
+++ /dev/null
@@ -1,2 +0,0 @@
-$INCLUDE /usr/share/freeradius/dictionary
-$INCLUDE /etc/raddb/dictionary.tnc
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
deleted file mode 100644
index f295467a9..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/dictionary.tnc
+++ /dev/null
@@ -1,5 +0,0 @@
-ATTRIBUTE TNC-Status 3001 integer
-
-VALUE TNC-Status Access 0
-VALUE TNC-Status Isolate 1
-VALUE TNC-Status None 2
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
deleted file mode 100644
index 31556361e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/eap.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-eap {
- md5 {
- }
- default_eap_type = ttls
- tls {
- private_key_file = /etc/raddb/certs/aaaKey.pem
- certificate_file = /etc/raddb/certs/aaaCert.pem
- CA_file = /etc/raddb/certs/strongswanCert.pem
- cipher_list = "DEFAULT"
- dh_file = /etc/raddb/certs/dh
- random_file = /etc/raddb/certs/random
- }
- ttls {
- default_eap_type = md5
- use_tunneled_reply = yes
- virtual_server = "inner-tunnel"
- tnc_virtual_server = "inner-tunnel-second"
- }
-}
-
-eap eap_tnc {
- default_eap_type = tnc
- tnc {
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
deleted file mode 100644
index 23cba8d11..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/proxy.conf
+++ /dev/null
@@ -1,5 +0,0 @@
-realm strongswan.org {
- type = radius
- authhost = LOCAL
- accthost = LOCAL
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
deleted file mode 100644
index 1143a0473..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/radiusd.conf
+++ /dev/null
@@ -1,120 +0,0 @@
-# radiusd.conf -- FreeRADIUS server configuration file.
-
-prefix = /usr
-exec_prefix = ${prefix}
-sysconfdir = /etc
-localstatedir = /var
-sbindir = ${exec_prefix}/sbin
-logdir = ${localstatedir}/log/radius
-raddbdir = ${sysconfdir}/raddb
-radacctdir = ${logdir}/radacct
-
-# name of the running server. See also the "-n" command-line option.
-name = radiusd
-
-# Location of config and logfiles.
-confdir = ${raddbdir}
-run_dir = ${localstatedir}/run/radiusd
-
-# Should likely be ${localstatedir}/lib/radiusd
-db_dir = ${raddbdir}
-
-# libdir: Where to find the rlm_* modules.
-libdir = ${exec_prefix}/lib
-
-# pidfile: Where to place the PID of the RADIUS server.
-pidfile = ${run_dir}/${name}.pid
-
-# max_request_time: The maximum time (in seconds) to handle a request.
-max_request_time = 30
-
-# cleanup_delay: The time to wait (in seconds) before cleaning up
-cleanup_delay = 5
-
-# max_requests: The maximum number of requests which the server keeps
-max_requests = 1024
-
-# listen: Make the server listen on a particular IP address, and send
-listen {
- type = auth
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# This second "listen" section is for listening on the accounting
-# port, too.
-#
-listen {
- type = acct
- ipaddr = PH_IP_ALICE
- port = 0
-}
-
-# hostname_lookups: Log the names of clients or just their IP addresses
-hostname_lookups = no
-
-# Core dumps are a bad thing. This should only be set to 'yes'
-allow_core_dumps = no
-
-# Regular expressions
-regular_expressions = yes
-extended_expressions = yes
-
-# Logging section. The various "log_*" configuration items
-log {
- destination = files
- file = ${logdir}/radius.log
- syslog_facility = daemon
- stripped_names = no
- auth = yes
- auth_badpass = yes
- auth_goodpass = yes
-}
-
-# The program to execute to do concurrency checks.
-checkrad = ${sbindir}/checkrad
-
-# Security considerations
-security {
- max_attributes = 200
- reject_delay = 1
- status_server = yes
-}
-
-# PROXY CONFIGURATION
-proxy_requests = yes
-$INCLUDE proxy.conf
-
-# CLIENTS CONFIGURATION
-$INCLUDE clients.conf
-
-# THREAD POOL CONFIGURATION
-thread pool {
- start_servers = 5
- max_servers = 32
- min_spare_servers = 3
- max_spare_servers = 10
- max_requests_per_server = 0
-}
-
-# MODULE CONFIGURATION
-modules {
- $INCLUDE ${confdir}/modules/
- $INCLUDE eap.conf
- $INCLUDE sql.conf
- $INCLUDE sql/mysql/counter.conf
-}
-
-# Instantiation
-instantiate {
- exec
- expr
- expiration
- logintime
-}
-
-# Policies
-$INCLUDE policy.conf
-
-# Include all enabled virtual hosts
-$INCLUDE sites-enabled/
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
deleted file mode 100644
index 802fcfd8d..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/default
+++ /dev/null
@@ -1,44 +0,0 @@
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-preacct {
- preprocess
- acct_unique
- suffix
- files
-}
-
-accounting {
- detail
- unix
- radutmp
- attr_filter.accounting_response
-}
-
-session {
- radutmp
-}
-
-post-auth {
- exec
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
deleted file mode 100644
index e088fae14..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel
+++ /dev/null
@@ -1,32 +0,0 @@
-server inner-tunnel {
-
-authorize {
- suffix
- eap {
- ok = return
- }
- files
-}
-
-authenticate {
- eap
-}
-
-session {
- radutmp
-}
-
-post-auth {
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-pre-proxy {
-}
-
-post-proxy {
- eap
-}
-
-} # inner-tunnel server block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
deleted file mode 100644
index f91bccc72..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/sites-available/inner-tunnel-second
+++ /dev/null
@@ -1,36 +0,0 @@
-server inner-tunnel-second {
-
-authorize {
- eap_tnc {
- ok = return
- }
-}
-
-authenticate {
- eap_tnc
-}
-
-session {
- radutmp
-}
-
-post-auth {
- if (control:TNC-Status == "Access") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "allow"
- }
- }
- elsif (control:TNC-Status == "Isolate") {
- update reply {
- Tunnel-Type := ESP
- Filter-Id := "isolate"
- }
- }
-
- Post-Auth-Type REJECT {
- attr_filter.access_reject
- }
-}
-
-} # inner-tunnel-second block
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
deleted file mode 100644
index 50ccf3e76..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/raddb/users
+++ /dev/null
@@ -1,2 +0,0 @@
-carol Cleartext-Password := "Ar3etTnp"
-dave Cleartext-Password := "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
deleted file mode 100644
index a9509a716..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/alice/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for TNC@FHH-TNC-Server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so.0.7.0
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 9cf2b43c4..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 998e6c2e5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- rightauth=pubkey
- aaa_identity="C=CH, O=Linux strongSwan, CN=aaa.strongswan.org"
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
deleted file mode 100755
index 56587b2e8..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/init.d/iptables
+++ /dev/null
@@ -1,84 +0,0 @@
-#!/sbin/runscript
-# Copyright 1999-2004 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-opts="start stop reload"
-
-depend() {
- before net
- need logger
-}
-
-start() {
- ebegin "Starting firewall"
-
- # enable IP forwarding
- echo 1 > /proc/sys/net/ipv4/ip_forward
-
- # default policy is DROP
- /sbin/iptables -P INPUT DROP
- /sbin/iptables -P OUTPUT DROP
- /sbin/iptables -P FORWARD DROP
-
- # allow esp
- iptables -A INPUT -i eth0 -p 50 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p 50 -j ACCEPT
-
- # allow IKE
- iptables -A INPUT -i eth0 -p udp --sport 500 --dport 500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
-
- # allow MobIKE
- iptables -A INPUT -i eth0 -p udp --sport 4500 --dport 4500 -j ACCEPT
- iptables -A OUTPUT -o eth0 -p udp --dport 4500 --sport 4500 -j ACCEPT
-
- # allow crl fetch from winnetou
- iptables -A INPUT -i eth0 -p tcp --sport 80 -s PH_IP_WINNETOU -j ACCEPT
- iptables -A OUTPUT -o eth0 -p tcp --dport 80 -d PH_IP_WINNETOU -j ACCEPT
-
- # allow RADIUS protocol with alice
- iptables -A INPUT -i eth1 -p udp --sport 1812 -s PH_IP_ALICE -j ACCEPT
- iptables -A OUTPUT -o eth1 -p udp --dport 1812 -d PH_IP_ALICE -j ACCEPT
-
- # allow ssh
- iptables -A INPUT -p tcp --dport 22 -j ACCEPT
- iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
-
- eend $?
-}
-
-stop() {
- ebegin "Stopping firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
-
- if [ $a == nat ]; then
- /sbin/iptables -t nat -P PREROUTING ACCEPT
- /sbin/iptables -t nat -P POSTROUTING ACCEPT
- /sbin/iptables -t nat -P OUTPUT ACCEPT
- elif [ $a == mangle ]; then
- /sbin/iptables -t mangle -P PREROUTING ACCEPT
- /sbin/iptables -t mangle -P INPUT ACCEPT
- /sbin/iptables -t mangle -P FORWARD ACCEPT
- /sbin/iptables -t mangle -P OUTPUT ACCEPT
- /sbin/iptables -t mangle -P POSTROUTING ACCEPT
- elif [ $a == filter ]; then
- /sbin/iptables -t filter -P INPUT ACCEPT
- /sbin/iptables -t filter -P FORWARD ACCEPT
- /sbin/iptables -t filter -P OUTPUT ACCEPT
- fi
- done
- eend $?
-}
-
-reload() {
- ebegin "Flushing firewall"
- for a in `cat /proc/net/ip_tables_names`; do
- /sbin/iptables -F -t $a
- /sbin/iptables -X -t $a
- done;
- eend $?
- start
-}
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 33dcdcfb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,35 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=no
- plutostart=no
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=pubkey
- leftfirewall=yes
- rightauth=eap-radius
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index e86d6aa5c..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f4e456bbe..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-radius updown
- multiple_authentication=no
- plugins {
- eap-radius {
- secret = gv6URkSs
- server = PH_IP_ALICE
- filter_id = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
deleted file mode 100644
index 132752119..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/posttest.dat
+++ /dev/null
@@ -1,8 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-alice::/etc/init.d/radiusd stop
-alice::rm /etc/raddb/sites-enabled/inner-tunnel-second
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
deleted file mode 100644
index 8dd865819..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/pretest.dat
+++ /dev/null
@@ -1,18 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-alice::ln -s /etc/raddb/sites-available/inner-tunnel-second /etc/raddb/sites-enabled/inner-tunnel-second
-alice::cat /etc/raddb/sites-enabled/inner-tunnel-second
-alice::/etc/init.d/radiusd start
-alice::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf b/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
deleted file mode 100644
index 2a52df203..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-radius/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS="alice"
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt b/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
deleted file mode 100644
index 762b839ee..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/description.txt
+++ /dev/null
@@ -1,7 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon,
-bothe ends doing certificate-based EAP-TLS authentication only.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-carol passes the health test and dave fails. Based on these measurements the
-clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
-respectively.
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
deleted file mode 100644
index cebfff25f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index 1b6274215..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 54c06b12e..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,24 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 50514c99f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=no
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index 8898a63ba..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
- multiple_authentication=no
- plugins {
- eap-ttls {
- request_peer_auth = yes
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat b/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
deleted file mode 100644
index ce897d181..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf b/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
deleted file mode 100644
index e28b8259b..000000000
--- a/testing/tests/ikev2/rw-eap-tnc-tls/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/ikev2/rw-eap-tnc/description.txt b/testing/tests/ikev2/rw-eap-tnc/description.txt
deleted file mode 100644
index 4b4808c94..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/description.txt
+++ /dev/null
@@ -1,9 +0,0 @@
-The roadwarriors carol and dave set up a connection each to gateway moon
-using EAP-TTLS authentication only with the gateway presenting a server certificate and
-the clients doing EAP-MD5 password-based authentication.
-In a next step the EAP-TNC protocol is used within the EAP-TTLS tunnel to determine the
-health of carol and dave via the IF-TNCCS 1.1 client-server interface.
-carol passes the health test and dave fails. Based on these measurements the
-clients are connected by gateway moon to the "rw-allow" and "rw-isolate" subnets,
-respectively.
-
diff --git a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat b/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
deleted file mode 100644
index a02755148..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/evaltest.dat
+++ /dev/null
@@ -1,19 +0,0 @@
-carol::cat /var/log/daemon.log::TNCCS-Recommendation.*allow::YES
-carol::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-carol::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-carol::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.100/32 === 10.1.0.0/28::YES
-dave::cat /var/log/daemon.log::TNCCS-Recommendation.*isolate::YES
-dave::cat /var/log/daemon.log::EAP method EAP_TTLS succeeded, MSK established ::YES
-dave::cat /var/log/daemon.log::authentication of 'moon.strongswan.org' with EAP successful::YES
-dave::cat /var/log/daemon.log::CHILD_SA home{1} established.*TS 192.168.0.200/32 === 10.1.0.16/28::YES
-moon::cat /var/log/daemon.log::added group membership 'allow'::YES
-moon::cat /var/log/daemon.log::authentication of 'carol@strongswan.org' with EAP successful::YES
-moon::cat /var/log/daemon.log::added group membership 'isolate'::YES
-moon::cat /var/log/daemon.log::authentication of 'dave@strongswan.org' with EAP successful::YES
-moon::ipsec statusall::rw-allow.*10.1.0.0/28 === 192.168.0.100/32::YES
-moon::ipsec statusall::rw-isolate.*10.1.0.16/28 === 192.168.0.200/32::YES
-carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES
-carol::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_ALICE: icmp_seq=1::NO
-dave::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
-dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_VENUS: icmp_seq=1::NO
-
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
deleted file mode 100755
index c19192dae..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_CAROL
- leftid=carol@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
deleted file mode 100644
index 74942afda..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-carol@strongswan.org : EAP "Ar3etTnp"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
deleted file mode 100644
index f5da834c0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-allow
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/carol/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
deleted file mode 100755
index 7d5ea8b83..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn home
- left=PH_IP_DAVE
- leftid=dave@strongswan.org
- leftauth=eap
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsendcert=never
- rightsubnet=10.1.0.0/16
- auto=add
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
deleted file mode 100644
index 5496df7ad..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/ipsec.secrets
+++ /dev/null
@@ -1,3 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
deleted file mode 100644
index c12143cb1..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/strongswan.conf
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-md5 eap-ttls eap-tnc tnc-imc tnccs-11 updown
- multiple_authentication=no
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
deleted file mode 100644
index c20b5e57f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc/dummyimc.file
+++ /dev/null
@@ -1 +0,0 @@
-isolate
\ No newline at end of file
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
deleted file mode 100644
index a5a9a68f3..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/dave/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMC configuration file for strongSwan client
-
-IMC "Dummy" /usr/local/lib/libdummyimc.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
deleted file mode 100755
index 50514c99f..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.conf
+++ /dev/null
@@ -1,36 +0,0 @@
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
- strictcrlpolicy=no
- plutostart=no
- charondebug="tls 2, tnc 3"
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
-
-conn rw-allow
- rightgroups=allow
- leftsubnet=10.1.0.0/28
- also=rw-eap
- auto=add
-
-conn rw-isolate
- rightgroups=isolate
- leftsubnet=10.1.0.16/28
- also=rw-eap
- auto=add
-
-conn rw-eap
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftauth=eap-ttls
- leftfirewall=yes
- rightauth=eap-ttls
- rightid=*@strongswan.org
- rightsendcert=never
- right=%any
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
deleted file mode 100644
index 2e277ccb0..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/ipsec.secrets
+++ /dev/null
@@ -1,6 +0,0 @@
-# /etc/ipsec.secrets - strongSwan IPsec secrets file
-
-: RSA moonKey.pem
-
-carol@strongswan.org : EAP "Ar3etTnp"
-dave@strongswan.org : EAP "W7R0g3do"
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
deleted file mode 100644
index f8700d3c5..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/strongswan.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# /etc/strongswan.conf - strongSwan configuration file
-
-charon {
- load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default eap-identity eap-ttls eap-md5 eap-tnc tnccs-11 tnc-imv updown
- multiple_authentication=no
- plugins {
- eap-ttls {
- phase2_method = md5
- phase2_piggyback = yes
- phase2_tnc = yes
- }
- }
-}
diff --git a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config b/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
deleted file mode 100644
index ac436a344..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/hosts/moon/etc/tnc_config
+++ /dev/null
@@ -1,3 +0,0 @@
-#IMV configuration file for strongSwan server
-
-IMV "Dummy" /usr/local/lib/libdummyimv.so
diff --git a/testing/tests/ikev2/rw-eap-tnc/posttest.dat b/testing/tests/ikev2/rw-eap-tnc/posttest.dat
deleted file mode 100644
index 7cebd7f25..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/posttest.dat
+++ /dev/null
@@ -1,6 +0,0 @@
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
-moon::/etc/init.d/iptables stop 2> /dev/null
-carol::/etc/init.d/iptables stop 2> /dev/null
-dave::/etc/init.d/iptables stop 2> /dev/null
diff --git a/testing/tests/ikev2/rw-eap-tnc/pretest.dat b/testing/tests/ikev2/rw-eap-tnc/pretest.dat
deleted file mode 100644
index ce897d181..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/pretest.dat
+++ /dev/null
@@ -1,15 +0,0 @@
-moon::/etc/init.d/iptables start 2> /dev/null
-carol::/etc/init.d/iptables start 2> /dev/null
-dave::/etc/init.d/iptables start 2> /dev/null
-moon::cat /etc/tnc_config
-carol::cat /etc/tnc_config
-dave::cat /etc/tnc_config
-carol::cat /etc/tnc/dummyimc.file
-dave::cat /etc/tnc/dummyimc.file
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
-carol::sleep 1
-carol::ipsec up home
-dave::ipsec up home
-dave::sleep 1
diff --git a/testing/tests/ikev2/rw-eap-tnc/test.conf b/testing/tests/ikev2/rw-eap-tnc/test.conf
deleted file mode 100644
index e28b8259b..000000000
--- a/testing/tests/ikev2/rw-eap-tnc/test.conf
+++ /dev/null
@@ -1,26 +0,0 @@
-#!/bin/bash
-#
-# This configuration file provides information on the
-# UML instances used for this test
-
-# All UML instances that are required for this test
-#
-UMLHOSTS="alice venus moon carol winnetou dave"
-
-# Corresponding block diagram
-#
-DIAGRAM="a-v-m-c-w-d.png"
-
-# UML instances on which tcpdump is to be started
-#
-TCPDUMPHOSTS="moon"
-
-# UML instances on which IPsec is started
-# Used for IPsec logging purposes
-#
-IPSECHOSTS="moon carol dave"
-
-# UML instances on which FreeRadius is started
-#
-RADIUSHOSTS=
-
diff --git a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
index 9129f160b..08b95659f 100755
--- a/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
+++ b/testing/tests/ikev2/two-certs/hosts/carol/etc/ipsec.conf
@@ -2,6 +2,7 @@
 
 config setup
  crlcheckinterval=180
+ uniqueids=no
  strictcrlpolicy=yes
  plutostart=no
 
diff --git a/testing/tests/openssl-ikev2/critical-extension/description.txt b/testing/tests/openssl-ikev2/critical-extension/description.txt
new file mode 100644
index 000000000..8c0d37c88
--- /dev/null
+++ b/testing/tests/openssl-ikev2/critical-extension/description.txt
@@ -0,0 +1,5 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates which contain a critical but +unsupported 'strongSwan' extension. Whereas moon ignores unsupported critical +extensions by setting libstrongswan.x509.enforce_critical = no in strongswan.conf, +sun discards such certificates and aborts the connection setup. diff --git a/testing/tests/openssl-ikev2/critical-extension/evaltest.dat b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat new file mode 100644 index 000000000..1c23dcad6 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/evaltest.dat @@ -0,0 +1,6 @@ +moon::cat /var/log/daemon.log::sending end entity cert::YES +moon::cat /var/log/daemon.log::received AUTHENTICATION_FAILED notify error::YES +sun::cat /var/log/daemon.log::found unsupported critical X.509 extension::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - ANY failed::YES +sun::cat /var/log/daemon.log::loading certificate from 'sunCert.der' failed::YES +sun::cat /var/log/daemon.log::building CRED_CERTIFICATE - X509 failed::YES diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf new file mode 100755 index 000000000..2e3c9dde4 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_MOON + leftcert=moonCert.der + leftid=@moon.strongswan.org + leftsubnet=10.1.0.0/16 + leftfirewall=yes + right=PH_IP_SUN + rightid=@sun.strongswan.org + rightsubnet=10.2.0.0/16 + auto=add 
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der new file mode 100644 index 000000000..7f78d5820 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/ipsec.d/certs/moonCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f4ab41f2c --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/moon/etc/strongswan.conf @@ -0,0 +1,12 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} + +libstrongswan { + x509 { + enforce_critical = no + } +} diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..19e197131 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.conf @@ -0,0 +1,25 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +conn %default + ikelifetime=60m + keylife=20m + rekeymargin=3m + keyingtries=1 + keyexchange=ikev2 + mobike=no + +conn net-net + left=PH_IP_SUN + leftcert=sunCert.der + leftid=@sun.strongswan.org + leftsubnet=10.2.0.0/16 + leftfirewall=yes + right=PH_IP_MOON + rightid=@moon.strongswan.org + rightsubnet=10.1.0.0/16 + auto=add 
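Review bot: `enforce_critical = no` in moon's strongswan.conf is the setting this whole test hinges on, yet the fixture carries no comment, so anyone copying it into a real gateway gets a silent deviation from RFC 5280, which requires a certificate with an unrecognised critical extension to be rejected. Suggest `# test-only: accept the unsupported critical 'strongSwan' extension in moonCert.der; sun keeps the default and rejects it` above the `x509 {` block. The moon and sun ipsec.conf hunks on this line need nothing.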
diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der new file mode 100644 index 000000000..c1efb6719 Binary files /dev/null and b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/ipsec.d/certs/sunCert.der differ diff --git a/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..c45805ca6 --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/hosts/sun/etc/strongswan.conf @@ -0,0 +1,6 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + load = curl pem pkcs1 random openssl revocation hmac stroke kernel-netlink socket-default updown + multiple_authentication = no +} diff --git a/testing/tests/openssl-ikev2/critical-extension/posttest.dat b/testing/tests/openssl-ikev2/critical-extension/posttest.dat new file mode 100644 index 000000000..a4c96e10f --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/posttest.dat @@ -0,0 +1,5 @@ +moon::ipsec stop +sun::ipsec stop +moon::/etc/init.d/iptables stop 2> /dev/null +sun::/etc/init.d/iptables stop 2> /dev/null + diff --git a/testing/tests/openssl-ikev2/critical-extension/pretest.dat b/testing/tests/openssl-ikev2/critical-extension/pretest.dat new file mode 100644 index 000000000..2d7a78acb --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/pretest.dat @@ -0,0 +1,6 @@ +moon::/etc/init.d/iptables start 2> /dev/null +sun::/etc/init.d/iptables start 2> /dev/null +moon::ipsec start +sun::ipsec start +moon::sleep 1 +moon::ipsec up net-net diff --git a/testing/tests/openssl-ikev2/critical-extension/test.conf b/testing/tests/openssl-ikev2/critical-extension/test.conf new file mode 100644 index 000000000..41ee3037e --- /dev/null +++ b/testing/tests/openssl-ikev2/critical-extension/test.conf 
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS=""
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/p2pnat/behind-same-nat/pretest.dat b/testing/tests/p2pnat/behind-same-nat/pretest.dat
index 912222eef..f1e33dc39 100644
--- a/testing/tests/p2pnat/behind-same-nat/pretest.dat
+++ b/testing/tests/p2pnat/behind-same-nat/pretest.dat
@@ -11,4 +11,4 @@ carol::sleep 1
 alice::ipsec start
 alice::sleep 1
 venus::ipsec start
-venus::sleep 2
+venus::sleep 4
diff --git a/testing/tests/p2pnat/medsrv-psk/pretest.dat b/testing/tests/p2pnat/medsrv-psk/pretest.dat
index a5c9a2fbb..fba7be01d 100644
--- a/testing/tests/p2pnat/medsrv-psk/pretest.dat
+++ b/testing/tests/p2pnat/medsrv-psk/pretest.dat
@@ -16,4 +16,4 @@ carol::sleep 1
 bob::ipsec start
 bob::sleep 1
 alice::ipsec start
-alice::sleep 2
+alice::sleep 4
diff --git a/testing/tests/sql/multi-level-ca/description.txt b/testing/tests/sql/multi-level-ca/description.txt
new file mode 100644
index 000000000..123ab06b3
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/description.txt
@@ -0,0 +1,6 @@
+The VPN gateway moon grants access to the subnet behind it to anyone presenting
+a certificate belonging to a trust chain anchored in the strongSwan Root CA.
+The hosts carol and dave have certificates from the intermediate
+Research CA and Sales CA, respectively. Responder moon does not possess
+copies of the Research and Sales CA certificates and must therefore request them from
+the initiators carol and dave, respectively.
diff --git a/testing/tests/sql/multi-level-ca/evaltest.dat b/testing/tests/sql/multi-level-ca/evaltest.dat new file mode 100644 index 000000000..91113ce11 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/evaltest.dat @@ -0,0 +1,18 @@ +carol::cat /var/log/daemon.log::sending issuer cert.*CN=Research CA::YES +dave::cat /var/log/daemon.log::sending issuer cert.*CN=Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*research.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Research CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*sales.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*Sales CA::YES +moon::cat /var/log/daemon.log::fetching crl from.*http.*strongswan.crl::YES +moon::cat /var/log/daemon.log::crl correctly signed by.*strongSwan Root CA::YES +moon::ipsec statusall::rw.*ESTABLISHED::YES +carol::ipsec statusall::home.*ESTABLISHED::YES +dave::ipsec statusall::home.*ESTABLISHED::YES +carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +dave::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_seq=1::YES +moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES +moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES +moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES + diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf new file mode 100755 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database 
diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql new file mode 100644 index 000000000..66b1473f1 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.d/data.sql 
@@ -0,0 +1,192 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 9, X'3051310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e3111300f060355040b13085265736561726368311430120603550403130b5265736561726368204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'e775f0a0f2ad20cdcd6023ccc7c80f29f3dd5420'); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Research, CN=Research CA' */ + 11, X'c71449851517718914a496532a1ee801b21c6aa5'); + +INSERT INTO identities ( + type, data +) VALUES ( /* carol@strongswan.org */ + 3, X'6361726f6c407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 11, X'c400ef96d95d5ebb4b2309071f7a6cf3f65491bd' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, 
keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=Research CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org */ + 1, 1, X'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' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Research, CN=carol@strongswan.org' */ + 1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_CAROL', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type 
+) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/carol/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf new file mode 100755 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql new file mode 100644 index 000000000..b8780e56e --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.d/data.sql 
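Review bot: The `private_keys` row in carol's data.sql stores the RSA key as an unencrypted blob and the carol ipsec.secrets hunk on this same line defers every secret to the SQLite database, so protection of the key rests entirely on the file mode of /etc/ipsec.d/ipsec.db, which pretest.dat later creates through a `sqlite3` pipe under whatever umask the host has. If the fixture is meant to model a real deployment, a `carol::chmod 600 /etc/ipsec.d/ipsec.db` step after the import would close that gap (the dave and moon fixtures have the same shape); otherwise a comment such as `/* test fixture: this key is intentionally public */` above the insert would make the intent explicit. I cannot see the harness umask from here, so treat the exposure as possible rather than confirmed.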
@@ -0,0 +1,194 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA */ + 9, X'304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'5f9b1346f92072c800d588b5a74c2e97ea0b9328' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA' */ + 11, X'c9ca6b980be96d5f210d7fed1529eb6c567ec26c' +); + +INSERT INTO identities ( + type, data +) VALUES ( /* dave@strongswan.org */ + 3, X'64617665407374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 11, X'671081ec8703e10c31abdf12d53275046eba1522' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, 
O=Linux strongSwan, OU=Sales CN=Sales CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org */ + 1, 1, X'3082041c30820304a003020102020105300d06092a864886f70d01010b0500304b310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c65733111300f0603550403130853616c6573204341301e170d3130303430373039343234315a170d3135303430363039343234315a3056310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e310e300c060355040b130553616c6573311c301a0603550403141364617665407374726f6e677377616e2e6f726730820122300d06092a864886f70d01010105000382010f003082010a0282010100ceda8649bdc7f5787a238c620e49ac3795918ca9c441f49166c4a2d2e991edad63cac56f3202ca9e69368403099034e30579dd11e9a72e25de9b136ae16a77c74660a4d582eb2d6495963a27b4fbebfe18869208b3c1c0d7e66220012160291eab2fd42cf934a9aeb22ba31ad8528b102e30cfa3816e385cb6a2f356cc7128390b6a2be7275e9b5fc08236c0aaf3a05aeb89ba2b5329b1ebf944a9cecf4132d56c018602e68a96518003072bac8f4d168e71cbc556b3a98b56dfa6b29792b098b7ab10a038db7e1799fed2b25b6889f966c7d25b00e0d6cf8b5b3fe7face207fb5e8219f6a75e266f67b35bc4bc9bf1f7cf2171710d3aa24bcc05ade45947ce70203010001a381ff3081fc30090603551d1304023000300b0603551d0f0404030203a8301d0603551d0e04160414671081ec8703e10c31abdf12d53275046eba1522306d0603551d230466306480145f9b1346f92072c800d588b5a74c2e97ea0b9328a149a4473045310b300906035504061302434831193017060355040a13104c696e7578207374726f6e675377616e311b3019060355040313127374726f6e675377616e20526f6f74204341820121301e0603551d1104173015811364617665407374726f6e677377616e2e6f726730340603551d1f042d302b3029a027a0258623687474703a2f2f63726c2e7374726f6e677377616e2e6f72672f73616c65732e63726c300d06092a864886f70d01010b05000382010100791f98e3a7d2ef103c89a7fdf1ec26aa3a12014a5e67de0ece8b58174f91872c187dfe5e62e92c24d5e7b2da8333a4782c743a202f2b65bf344a5eea49019b79c5669be48ec17e272144
25786cebad37f17c0e2342846d129d81018b3462e4ad3a2c069db434f434bbfb884fc8e3d35b13c39daa7113d731eaf3699bb556421339917be726941ec47840840fe1b14ce9d82d159e2a0f80588138fdf2cdeecd1eabde25494b729bbd4b67d92630c007908c846db96f5486bb9398f84fa8f45f03cf71854c4a3a20a9ecdefaa6dfdc443e26446519dccbff5ed3a0b5989d5c242ea4039fa07e45fc273e4d845e776eb4facdcfa0b75b2ef334d9e272202d5c0abe' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 7 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 3, 8 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, OU=Sales, CN=dave@strongswan.org' */ + 1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 7 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 8 +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_DAVE', 'PH_IP_MOON' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'home', 1, 7, 9 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'home', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( 
+ type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 2 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/dave/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..96eb832ae --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.conf @@ -0,0 +1,7 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + strictcrlpolicy=yes + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..71141db03 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.d/data.sql 
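Review bot: The DN comment on the Sales CA row of `certificates` in dave's data.sql reads `OU=Sales CN=Sales CA` and drops the comma that every other DN comment in this file, and the matching Research CA comment in carol's file, uses; change it to `/* C=CH, O=Linux strongSwan, OU=Sales, CN=Sales CA */`. These comments are the only human-readable index into the hex blobs and into the numeric ids that `certificate_identity` cross-references, so keeping them uniform is worth the one-character fix.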
@@ -0,0 +1,164 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* %any */ + 0, '%any' +); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'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' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 
1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO certificate_authorities ( + certificate +) VALUES ( + 1 +); + +INSERT INTO certificate_distribution_points ( + ca, type, uri +) VALUES ( + 1, 1, 'http://crl.strongswan.org/strongswan.crl' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', '0.0.0.0' +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id +) VALUES ( + 'rw', 1, 4, 6 +); + +INSERT INTO child_configs ( + name, updown +) VALUES ( + 'rw', 'ipsec _updown iptables' +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( /* 10.1.0.0/16 */ + 7, X'0a010000', X'0a01ffff' +); + +INSERT INTO traffic_selectors ( + type +) VALUES ( /* dynamic/32 */ + 7 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 2, 3 +); + diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/multi-level-ca/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/multi-level-ca/posttest.dat b/testing/tests/sql/multi-level-ca/posttest.dat
new file mode 100644
index 000000000..d4d57ad83
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/posttest.dat
@@ -0,0 +1,10 @@
+moon::ipsec stop
+carol::ipsec stop
+dave::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+carol::/etc/init.d/iptables stop 2> /dev/null
+dave::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+carol::rm /etc/ipsec.d/ipsec.*
+dave::rm /etc/ipsec.d/ipsec.*
+~
diff --git a/testing/tests/sql/multi-level-ca/pretest.dat b/testing/tests/sql/multi-level-ca/pretest.dat
new file mode 100644
index 000000000..76316f33d
--- /dev/null
+++ b/testing/tests/sql/multi-level-ca/pretest.dat
@@ -0,0 +1,18 @@
+moon::rm /etc/ipsec.d/cacerts/*
+carol::rm /etc/ipsec.d/cacerts/*
+dave::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+carol::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+dave::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+carol::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+dave::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+carol::/etc/init.d/iptables start 2> /dev/null
+dave::/etc/init.d/iptables start 2> /dev/null
+moon::ipsec start
+carol::ipsec start
+dave::ipsec start
+carol::sleep 1
+carol::ipsec up home
+dave::ipsec up home
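Review bot: The multi-level-ca posttest.dat ends with a line containing only `~`, which does not follow the `host::command` form of every other line in this file and in pretest.dat and looks like an editor artefact; drop it. Whether the test runner tolerates such a line I cannot tell from here, but the other posttest.dat files in this diff end with a command or an empty line, not with a bare tilde. The strongswan.conf and pretest.dat hunks on this line need nothing.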
diff --git a/testing/tests/sql/multi-level-ca/test.conf b/testing/tests/sql/multi-level-ca/test.conf new file mode 100644 index 000000000..70416826e --- /dev/null +++ b/testing/tests/sql/multi-level-ca/test.conf @@ -0,0 +1,21 @@ +#!/bin/bash +# +# This configuration file provides information on the +# UML instances used for this test + +# All UML instances that are required for this test +# +UMLHOSTS="alice moon carol winnetou dave" + +# Corresponding block diagram +# +DIAGRAM="a-m-c-w-d.png" + +# UML instances on which tcpdump is to be started +# +TCPDUMPHOSTS="moon" + +# UML instances on which IPsec is started +# Used for IPsec logging purposes +# +IPSECHOSTS="moon carol dave" diff --git a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql index 54086643f..ef6849c11 100644 --- a/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/moon/etc/ipsec.d/data.sql @@ -109,9 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike + name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( - 'net-net', 1, 4, 5, 0 + 'net-net', 1, 4, 5, 0, 0 ); INSERT INTO child_configs ( diff --git a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql index 2bc8b34c8..79a35ef68 100644 --- a/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql +++ b/testing/tests/sql/net2net-cert/hosts/sun/etc/ipsec.d/data.sql @@ -109,9 +109,9 @@ INSERT INTO ike_configs ( ); INSERT INTO peer_configs ( - name, ike_cfg, local_id, remote_id, mobike + name, ike_cfg, local_id, remote_id, mobike, dpd_delay ) VALUES ( - 'net-net', 1, 5, 4, 0 + 'net-net', 1, 5, 4, 0, 0 ); INSERT INTO child_configs ( 
diff --git a/testing/tests/sql/net2net-route-pem/description.txt b/testing/tests/sql/net2net-route-pem/description.txt new file mode 100644 index 000000000..5a6681f6e --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/description.txt @@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and RSA private keys stored +in PEM format in an SQLite database. The IKE_SA configuration details and the +traffic selectors of three CHILD_SAs are also stored in the database and the first two of +them are marked to be automatically routed by gateway moon via the start_action +field in the child_configs table. +

+In order to trigger the IKE connection setup and subsequently test both tunnel and firewall, client
+alice behind gateway moon pings client bob located behind gateway sun
+and bob in turn ping client venus behind gateway moon.
diff --git a/testing/tests/sql/net2net-route-pem/evaltest.dat b/testing/tests/sql/net2net-route-pem/evaltest.dat
new file mode 100644
index 000000000..eaca715d5
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/evaltest.dat
@@ -0,0 +1,16 @@
+moon::ipsec statusall::net-1.*ROUTED::YES
+sun::ipsec statusall::net-1.*ROUTED::YES
+moon::ipsec statusall::net-2.*ROUTED::YES
+sun::ipsec statusall::net-2.*ROUTED::YES
+moon::cat /var/log/daemon.log::creating acquire job for policy 10.1.0.10/32\[icmp/8\] === 10.2.0.10/32\[icmp\] with reqid {1}::YES
+moon::ipsec statusall::net-1.*INSTALLED::YES
+sun::ipsec statusall::net-1.*INSTALLED::YES
+sun::cat /var/log/daemon.log::creating acquire job for policy 10.2.0.10/32\[icmp/8\] === 10.1.0.20/32\[icmp\] with reqid {2}::YES
+moon::ipsec statusall::net-2.*INSTALLED::YES
+sun::ipsec statusall::net-2.*INSTALLED::YES
+moon::ipsec statusall::net-net.*ESTABLISHED::YES
+sun::ipsec statusall::net-net.*ESTABLISHED::YES
+alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES
+bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES
+sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES
+sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
new file mode 100644
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
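Review bot: In the net2net-route-pem evaltest.dat the bob ping line is written `bob:: ping -c 1 PH_IP_VENUS::…` with a space after the `::` separator while every other line in this file and in the other evaltest.dat files of this diff has none. If the runner hands the command field to a shell the space is harmless, but if it matches the field literally the line may never run, so write it as `bob::ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES` for consistency.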
diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..a35643454 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.d/data.sql 
@@ -0,0 +1,249 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, 
X'2d2d2d2d2d424547494e2043455254494649434154452d2d2d2d2d0a4d494945496a4343417771674177494241674942467a414e42676b71686b69473977304241517346414442464d517377435159445651514745774a445344455a0a4d4263474131554543684d5154476c7564586767633352796232356e55336468626a45624d426b474131554541784d53633352796232356e55336468626942530a6232393049454e424d423458445441354d4467794e7a45774d444d7a4d6c6f58445445304d4467794e6a45774d444d7a4d6c6f77526a454c4d416b47413155450a42684d43513067784754415842674e5642416f5445457870626e563449484e30636d39755a314e33595734784844416142674e5642414d5445323176623234750a633352796232356e6333646862693576636d6377676745694d4130474353714753496233445145424151554141344942447741776767454b416f49424151444b0a4c324d39314c753642595968577857674d53397a39544d535477737a6d3572684f375a497343744d526f3450416559772b2b2b5347587433435058622f2b702b0a53574b476c6d313172504537316551336568676832433368417572666d574f306951516143772b6664726565495643714f51494f503655715a333237683579590a5970486b385651763476424a547078636c553150716e5768657165315a6c4c7873573737334c526d6c2f6651742f5567764a6b4342545a5a4f4e4c4e4d664b2b0a3754446e5961567341746e636776444e37386e554e456532715939324b4b375372424a36537055456734396d3531462b586773476373675756485338356f6e330a4f6d2f47343863724c45564a6a6475384378657753525667622b6c504a577a4864385173553056672f37766c7173335a524d794e744e4b7272346f70537656620a41366167476c5458684443726544695855384b4841674d424141476a676745614d494942466a414a42674e5648524d45416a41414d41734741315564447751450a417749447144416442674e564851344546675155617078303066694a65596e325770547069664836773253644b533477625159445652306a424759775a4941550a5861666463415a524d6e376e746d327a74655867594f6f7554652b68536152484d455578437a414a42674e5642415954416b4e494d526b77467759445651514b0a4578424d615735316543427a64484a76626d6454643246754d527377475159445651514445784a7a64484a76626d64546432467549464a7662335167513047430a4151417748675944565230524242637746594954625739766269357a64484a76626d647a643246754c6d39795a7a415442674e56485355454444414b42
6767720a42674546425163444154413542674e56485238454d6a41774d4336674c4b41716869686f644852774f69387659334a734c6e4e30636d39755a334e33595734750a62334a6e4c334e30636d39755a334e335957347559334a734d4130474353714753496233445145424377554141344942415143637458673278654d6f7a6154560a6a69424c3150384d5939754548354a7455304563655131526249352f32764752646e45434e44396f4144593576616d616145324d64713251682f766c586e4d4c0a6f33696935454c6a73516c596454595a4f634d4f6463555558597662624658316377706b426879426c314832354b7074486367512f486e63654b70336b4f75710a77594f596a6777655058756c6370575878304532517451434651515a4650794557654e4a7848306f676c6735335150586648593949322f47756b6a355630627a0a70374d45304773384b646e59646d626244717a51675073746139362f6d2b486f4a6c737256462b34477169686a3642574d42513279626a50575a6447336f48390a32356345387636305279393844305a2f747967624155466e68356f4f766166363432706156676333616f4137374938552b555a6a45437849536f6948756c74590a37515475664f77500a2d2d2d2d2d454e442043455254494649434154452d2d2d2d2d0a' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, 
X'2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d4949456f77494241414b43415145417969396a5064533775675747495673566f444576632f557a456b384c4d35756134547532534c41725445614f4477486d0a4d5076766b686c3764776a31322f2f71666b6c6968705a7464617a784f39586b4e336f594964677434514c7133356c6a74496b45476773506e3361336e6946510a716a6b43446a2b6c4b6d6439753465636d474b52355046554c2b4c7753553663584a564e543670316f58716e74575a53386246752b3979305a706633304c66310a494c795a4167553257546a537a544879767530773532476c62414c5a33494c777a652f4a3144524874716d506469697530717753656b715642494f505a7564520a666c344c426e4c49466c5230764f614a397a7076787550484b797846535933627641735873456b5659472f7054795673783366454c464e4659502b373561724e0a3255544d6a62545371362b4b4b55723157774f6d6f42705531345177713367346c3150436877494441514142416f494241434246422f5871616a763666626e390a4b367078727a3032755877476d61635841745649446f507a656a576d5853345141346c313748724a446d656c536e68656c444b7279386e6e59486b5472547a370a6d6e307751344844577938366f2f6f6b4a55472f544b524c64366266373961525171716f6871643369516b486b343347797a7558482b6f47696f564b463066630a41434457773477666a4c37464d4e6448435a34427a394472484f2f79734865394236727653596d33565a52685378616e65496b614c6b6b4461644b70567833660a584e466c4d785934714b504a5959536f4a5a3631694d71724f372b726e413933746d7944447338504b553342746e70664e72646550676c654a48686b385a71790a4576322f4e4f43535578624b45384e43744c704754732b5430716a6a6e75346b33575064335a4f4241616e30755044656b485a6548422f6158474c68596378780a4a35537572714543675945412b46316770706b4552354a746f617564742f43557064513173523977786637355642714a34466959414247517a39786c47346f6a0a7a4c2f6f3537327330695633627746706e51612b5775577278476b50365a75422f5a38326e7063304e2f764c6f752f623464787667346e374b2b654f4f4566300a38464d6a7373653274715449584b4371636d516e52304e5051316a777576454b73585035772f4a4f6c6e525841586e64346a78734a49304367594541304761540a3631795374745557396a43336d787559366a6b5179385445517152336e4f467657776d435849574f704e2f4d54545075732b54656c78702f70
644b68552b6d6f0a506d5833556e796e65355076776c6557447133597a6c7458355a445a474a35554a6c4b754e6e6647497a51364f6348526262377a4270514736715352507575670a62676f36383868546e62314c35396e4b38387a57564b3435657566367079756f492b537749474d436759454137797645386b6e7968425876657a7576307a31620a6547486d4870352f564477593044514b5345416f6942426957726b4c714c7962677758662f4b4a38645a5a6338456e303861465832474c4a7959652f4b6942310a797333797045424a716776526179502b6f2f394b5a2b714e4e5264307271416b735058764c3741424e4e74306b7a617054535644616533597536732f6a31616d0a44494c35714165455249446564473575445070517a645543675942374d746a705036334142684c76385862706242516e43787442797733573839462b586372740a7635356751646845346353754d7a412f43754d4834764e7050533641493961424a4e686a3343744b6f2f634f4a616368414762312f77766b4f35414c764c57300a66685a6450737455546e444a61696e377666462f68777a62732f506c685867753954394b6c4c665276584664472b53643467386d756d52696f7a634c6b6f52770a7936585054774b4267444a502b733977586d644739304853542f61714337464b7256584c7042363364593573774e556651503673613070466e4f4e3072304a430a682f594373474646494165625132754f6b4d33673366396e6b775470373931306f762b2f3575546876524932773242425079306d5675414c506a797946315a320a6362397a70794b694975586f585243663473643872316c5239626e304678783053767078662b66704d475349357175484e424b590a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-aes192-aes256-sha256-sha384-sha512-modp3072-modp4096-modp8192' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 4, 5, 0, 30 
+); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) 
VALUES ( + 3, 3, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 1 +); diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/moon/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf new file mode 100755 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql new file mode 100644 index 000000000..97c482e05 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.d/data.sql 
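Review bot: The numeric codes in this file (`type` 9/11/2 in `identities`, `type`/`keytype` 1 in `certificates`, `type` 7 in `traffic_selectors`, `kind` 0/1 in `child_config_traffic_selector`, `start_action`/`dpd_action` 0/1) are nowhere explained, so a reader cannot verify that moon's and sun's rows mirror each other without opening the enum headers. A header comment along the lines of `/* identities.type: 2=FQDN, 9=DER_ASN1_DN, 11=KEY_ID; traffic_selectors.type: 7=IPV4_ADDR_RANGE; kind: 0=local, 1=remote; start_action/dpd_action: 0=none, 1=route, 2=restart */` would make the intent checkable; the identity and selector values look like the IKEv2 ID/TS type codes and the action values like strongSwan's action enum, which is worth confirming against the headers before committing the comment. The same applies to hosts/sun/etc/ipsec.d/data.sql in this test and to both data.sql files under testing/tests/sql/net2net-start-pem. Note also that the `private_keys` row carries the gateway's RSA key in the clear, so this file has to be handled as a secret wherever the test tree is deployed.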
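Review bot: The `load` line enables `des` and `md5` although none of the proposals configured in data.sql uses either (IKE and CHILD proposals are all AES/SHA-2/MODP), and `curl` only matters if CRL/OCSP fetching is actually exercised, which `strictcrlpolicy=no` in ipsec.conf makes optional; loading only what the test needs keeps legacy algorithms out of the daemon's attack surface. If `md5`/`sha1` are still required by the x509/pem plugins for the test certificates' signatures or key identifiers, a comment such as `# md5/sha1 needed for test certificate signatures and subjkey IDs` would keep the next editor from removing them. The identical `load` line appears in hosts/sun/etc/strongswan.conf and in both net2net-start-pem hosts.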
@@ -0,0 +1,249 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */ + 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */ + 1, 1, X'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' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 5 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, 
O=Linux strongSwan, CN=sun.strongswan.org' */ + 1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 5 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp3072' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_SUN', 'PH_IP_MOON' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 5, 4, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 1, 1 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 0, 0 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 1 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 1 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + 
type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 0 +); diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-route-pem/hosts/sun/etc/strongswan.conf @@ -0,0 +1,10 @@ +# /etc/strongswan.conf - strongSwan configuration file + +charon { + plugins { + sql { + database = sqlite:///etc/ipsec.d/ipsec.db + } + } + load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql +} diff --git a/testing/tests/sql/net2net-route-pem/posttest.dat b/testing/tests/sql/net2net-route-pem/posttest.dat new file mode 100644 index 000000000..13f7ede0a --- /dev/null 
+++ b/testing/tests/sql/net2net-route-pem/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-route-pem/pretest.dat b/testing/tests/sql/net2net-route-pem/pretest.dat
new file mode 100644
index 000000000..5a537e15b
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/pretest.dat
@@ -0,0 +1,13 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+sun::ipsec start
+moon::ipsec start
+moon::sleep 1
+alice::ping -c 1 PH_IP_BOB
+bob::ping -c 1 PH_IP_VENUS
diff --git a/testing/tests/sql/net2net-route-pem/test.conf b/testing/tests/sql/net2net-route-pem/test.conf
new file mode 100644
index 000000000..13a8a2a48
--- /dev/null
+++ b/testing/tests/sql/net2net-route-pem/test.conf
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
diff --git a/testing/tests/sql/net2net-start-pem/description.txt b/testing/tests/sql/net2net-start-pem/description.txt
new file mode 100644
index 000000000..ff83304e8
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/description.txt
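Review bot: `moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db` creates the database under the caller's default umask, and that database holds the gateway's RSA private key imported from data.sql; adding `moon::chmod 600 /etc/ipsec.d/ipsec.db` (and the same line for sun) right after the import gives the key the protection ipsec.secrets normally has. The intermediate `ipsec.sql` carries the same key and is only removed by posttest's `rm /etc/ipsec.d/ipsec.*`, so it deserves the same mode or a delete immediately after the import. As a point of style, `sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` avoids the `cat` pipe, whose exit status is sqlite3's, so a missing SQL file would otherwise leave an empty database and a passing step.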
@@ -0,0 +1,10 @@ +A connection between the subnets behind the gateways moon and sun is set up. +The authentication is based on X.509 certificates and RSA private keys stored +in PEM format in an SQLite database. The IKE_SA configuration details and the +traffic selectors of three CHILD_SAs are also stored in the database and are marked to be +automatically started by gateway moon via the start_action field in the +child_configs table. +

+In order to test both tunnel and firewall, client alice +behind gateway moon pings client bob located behind gateway sun and +bob in turn ping client venus behind gateway moon. diff --git a/testing/tests/sql/net2net-start-pem/evaltest.dat b/testing/tests/sql/net2net-start-pem/evaltest.dat new file mode 100644 index 000000000..eaacd0133 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/evaltest.dat @@ -0,0 +1,12 @@ +moon::ipsec statusall::net-net.*ESTABLISHED::YES +sun::ipsec statusall::net-net.*ESTABLISHED::YES +moon::ipsec statusall::net-1.*INSTALLED::YES +sun::ipsec statusall::net-1.*INSTALLED::YES +moon::ipsec statusall::net-2.*INSTALLED::YES +sun::ipsec statusall::net-2.*INSTALLED::YES +moon::ipsec statusall::net-3.*INSTALLED::YES +sun::ipsec statusall::net-3.*INSTALLED::YES +alice::ping -c 1 PH_IP_BOB::64 bytes from PH_IP_BOB: icmp_seq=1::YES +bob:: ping -c 1 PH_IP_VENUS::64 bytes from PH_IP_VENUS: icmp_seq=1::YES +sun::tcpdump::IP moon.strongswan.org > sun.strongswan.org: ESP::YES +sun::tcpdump::IP sun.strongswan.org > moon.strongswan.org: ESP::YES diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf new file mode 100644 index 000000000..3bc29625f --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.conf @@ -0,0 +1,8 @@ +# /etc/ipsec.conf - strongSwan IPsec configuration file + +config setup + crlcheckinterval=180 + strictcrlpolicy=no + plutostart=no + +# configuration is read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql new file mode 100644 index 000000000..e828f8902 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.d/data.sql 
@@ -0,0 +1,279 @@ +/* Identities */ + +INSERT INTO identities ( + type, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */ + 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* moon.strongswan.org */ + 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* sun.strongswan.org */ + 2, X'73756e2e7374726f6e677377616e2e6f7267' + ); + +INSERT INTO identities ( + type, data +) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=moon.strongswan.org' */ + 11, X'6a9c74d1f8897989f65a94e989f1fac3649d292e' + ); + +/* Certificates */ + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */ + 1, 1, X'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' +); + +INSERT INTO certificates ( + type, keytype, data +) VALUES ( /* C=CH, O=Linux strongSwan, CN=moon.strongswan.org */ + 1, 1, X'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' +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 1 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 2 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 1, 3 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 4 +); + +INSERT INTO certificate_identity ( + certificate, identity +) VALUES ( + 2, 6 +); + +/* Private Keys */ + +INSERT INTO private_keys ( + type, data +) VALUES ( /* key of 'C=CH, 
O=Linux strongSwan, CN=moon.strongswan.org' */ + 1, X'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' +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 4 +); + +INSERT INTO private_key_identity ( + private_key, identity +) VALUES ( + 1, 6 +); + +/* Proposals */ + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128-sha256-modp2048' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192-sha384-modp3072' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes128gcm128' +); + +INSERT INTO proposals ( + proposal +) VALUES ( + 'aes192gcm128' +); + +/* Configurations */ + +INSERT INTO ike_configs ( + local, remote +) VALUES ( + 'PH_IP_MOON', 'PH_IP_SUN' +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 1, 1 +); + +INSERT INTO ike_config_proposal ( + ike_cfg, prio, prop +) VALUES ( + 1, 2, 2 +); + +INSERT INTO peer_configs ( + name, ike_cfg, local_id, remote_id, mobike, dpd_delay +) VALUES ( + 'net-net', 1, 4, 5, 0, 30 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-1', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-2', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO child_configs ( + name, updown, start_action, dpd_action +) VALUES ( + 'net-3', 'ipsec _updown iptables', 2, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 1 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 2 +); + +INSERT INTO peer_config_child_config ( + peer_cfg, child_cfg +) VALUES ( + 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 1, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 2, 1, 4 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop +) VALUES ( + 3, 1, 3 +); + +INSERT INTO child_config_proposal ( + child_cfg, prio, prop 
+) VALUES ( + 3, 2, 4 +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010000', X'0a01000f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010010', X'0a01001f' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a010200', X'0a0103ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020000', X'0a0201ff' +); + +INSERT INTO traffic_selectors ( + type, start_addr, end_addr +) VALUES ( + 7, X'0a020200', X'0a0203ff' +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 1, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 1, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 2, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 2, 4, 1 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 3, 0 +); + +INSERT INTO child_config_traffic_selector ( + child_cfg, traffic_selector, kind +) VALUES ( + 3, 5, 1 +); diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets new file mode 100644 index 000000000..76bb21bea --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/ipsec.secrets @@ -0,0 +1,3 @@ +# /etc/ipsec.secrets - strongSwan IPsec secrets file + +# secrets are read from SQLite database diff --git a/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf new file mode 100644 index 000000000..f375db9c9 --- /dev/null +++ b/testing/tests/sql/net2net-start-pem/hosts/moon/etc/strongswan.conf 
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
new file mode 100755
index 000000000..3bc29625f
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.conf
@@ -0,0 +1,8 @@
+# /etc/ipsec.conf - strongSwan IPsec configuration file
+
+config setup
+ crlcheckinterval=180
+ strictcrlpolicy=no
+ plutostart=no
+
+# configuration is read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
new file mode 100644
index 000000000..c5676b749
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.d/data.sql
@@ -0,0 +1,273 @@
+/* Identities */
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 9, X'3045310B300906035504061302434831193017060355040A13104C696E7578207374726F6E675377616E311B3019060355040313127374726F6E675377616E20526F6F74204341'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'5da7dd700651327ee7b66db3b5e5e060ea2e4def'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* keyid of 'C=CH, O=Linux strongSwan, CN=strongSwan Root CA' */
+ 11, X'ae096b87b44886d3b820978623dabd0eae22ebbc'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* moon.strongswan.org */
+ 2, X'6d6f6f6e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* sun.strongswan.org */
+ 2, X'73756e2e7374726f6e677377616e2e6f7267'
+ );
+
+INSERT INTO identities (
+ type, data
+) VALUES ( /* subjkey of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+ 11, X'56d69e2fdaa8a1cd195c2353e7c5b67096e30bfb'
+ );
+
+/* Certificates */
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=strongSwan Root CA */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificates (
+ type, keytype, data
+) VALUES ( /* C=CH, O=Linux strongSwan, CN=sun.strongswan.org */
+ 1, 1, X'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'
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 5
+);
+
+INSERT INTO certificate_identity (
+ certificate, identity
+) VALUES (
+ 2, 6
+);
+
+/* Private Keys */
+
+INSERT INTO private_keys (
+ type, data
+) VALUES ( /* key of 'C=CH, O=Linux strongSwan, CN=sun.strongswan.org' */
+ 1, X'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'
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 5
+);
+
+INSERT INTO private_key_identity (
+ private_key, identity
+) VALUES (
+ 1, 6
+);
+
+/* Proposals */
+
+INSERT INTO proposals (
+ proposal
+) VALUES (
+ 'aes128-sha256-modp2048'
+);
+
+INSERT INTO proposals (
+ proposal
+) VALUES (
+ 'aes192-sha384-modp3072'
+);
+
+INSERT INTO proposals (
+ proposal
+) VALUES (
+ 'aes128gcm128'
+);
+
+INSERT INTO proposals (
+ proposal
+) VALUES (
+ 'aes192gcm128'
+);
+
+/* Configurations */
+
+INSERT INTO ike_configs (
+ local, remote
+) VALUES (
+ 'PH_IP_SUN', 'PH_IP_MOON'
+);
+
+INSERT INTO ike_config_proposal (
+ ike_cfg, prio, prop
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO ike_config_proposal (
+ ike_cfg, prio, prop
+) VALUES (
+ 1, 2, 2
+);
+
+INSERT INTO peer_configs (
+ name, ike_cfg, local_id, remote_id, mobike, dpd_delay
+) VALUES (
+ 'net-net', 1, 5, 4, 0, 30
+);
+
+INSERT INTO child_configs (
+ name, updown, start_action, dpd_action
+) VALUES (
+ 'net-1', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO child_configs (
+ name, updown, start_action, dpd_action
+) VALUES (
+ 'net-2', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO child_configs (
+ name, updown, start_action, dpd_action
+) VALUES (
+ 'net-3', 'ipsec _updown iptables', 0, 0
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 1
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 2
+);
+
+INSERT INTO peer_config_child_config (
+ peer_cfg, child_cfg
+) VALUES (
+ 1, 3
+);
+
+INSERT INTO child_config_proposal (
+ child_cfg, prio, prop
+) VALUES (
+ 1, 1, 3
+);
+
+INSERT INTO child_config_proposal (
+ child_cfg, prio, prop
+) VALUES (
+ 2, 1, 4
+);
+
+INSERT INTO child_config_proposal (
+ child_cfg, prio, prop
+) VALUES (
+ 3, 1, 4
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010000', X'0a01000f'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010010', X'0a01001f'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a010200', X'0a0103ff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a020000', X'0a0201ff'
+);
+
+INSERT INTO traffic_selectors (
+ type, start_addr, end_addr
+) VALUES (
+ 7, X'0a020200', X'0a0203ff'
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 1, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 1, 4, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 2, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 2, 4, 0
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 3, 3, 1
+);
+
+INSERT INTO child_config_traffic_selector (
+ child_cfg, traffic_selector, kind
+) VALUES (
+ 3, 5, 0
+);
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets
new file mode 100644
index 000000000..76bb21bea
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/ipsec.secrets
@@ -0,0 +1,3 @@
+# /etc/ipsec.secrets - strongSwan IPsec secrets file
+
+# secrets are read from SQLite database
diff --git a/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
new file mode 100644
index 000000000..f375db9c9
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/hosts/sun/etc/strongswan.conf
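Review bot: The numeric `type` and `kind` columns in this hunk's identities, traffic_selectors and child_config_traffic_selector inserts are bare magic values, so a reader cannot check that the sun seed is meant to be the mirror image of the moon seed. A one-line comment above each group would make that visible, e.g. `/* identities.type: 2 = FQDN, 9 = DER ASN.1 DN, 11 = key ID (IKEv2 ID types) */`, `/* traffic_selectors.type: 7 = IPv4 address range */`, and for child_config_traffic_selector a note that kind 0 is presumably the local and kind 1 the remote side, since moon gives the 10.1.x selectors kind 0 and sun gives the same selectors kind 1. The private_keys row stores sun's RSA key unencrypted and ipsec.secrets is deliberately empty, so the key's confidentiality rests entirely on the file modes of data.sql and of the ipsec.sql/ipsec.db files built from it in pretest.dat; that is worth a comment next to the `/* Private Keys */` header.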
@@ -0,0 +1,10 @@
+# /etc/strongswan.conf - strongSwan configuration file
+
+charon {
+ plugins {
+ sql {
+ database = sqlite:///etc/ipsec.d/ipsec.db
+ }
+ }
+ load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random x509 revocation hmac xcbc stroke kernel-netlink socket-default updown sqlite sql
+}
diff --git a/testing/tests/sql/net2net-start-pem/posttest.dat b/testing/tests/sql/net2net-start-pem/posttest.dat
new file mode 100644
index 000000000..13f7ede0a
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/posttest.dat
@@ -0,0 +1,6 @@
+moon::ipsec stop
+sun::ipsec stop
+moon::/etc/init.d/iptables stop 2> /dev/null
+sun::/etc/init.d/iptables stop 2> /dev/null
+moon::rm /etc/ipsec.d/ipsec.*
+sun::rm /etc/ipsec.d/ipsec.*
diff --git a/testing/tests/sql/net2net-start-pem/pretest.dat b/testing/tests/sql/net2net-start-pem/pretest.dat
new file mode 100644
index 000000000..3e168960d
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/pretest.dat
@@ -0,0 +1,11 @@
+moon::rm /etc/ipsec.d/cacerts/*
+sun::rm /etc/ipsec.d/cacerts/*
+moon::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+sun::cat /etc/ipsec.d/tables.sql /etc/ipsec.d/data.sql > /etc/ipsec.d/ipsec.sql
+moon::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+sun::cat /etc/ipsec.d/ipsec.sql | sqlite3 /etc/ipsec.d/ipsec.db
+moon::/etc/init.d/iptables start 2> /dev/null
+sun::/etc/init.d/iptables start 2> /dev/null
+sun::ipsec start
+moon::ipsec start
+moon::sleep 2
diff --git a/testing/tests/sql/net2net-start-pem/test.conf b/testing/tests/sql/net2net-start-pem/test.conf
new file mode 100644
index 000000000..13a8a2a48
--- /dev/null
+++ b/testing/tests/sql/net2net-start-pem/test.conf
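Review bot: In the pretest.dat hunk, `/etc/ipsec.d/ipsec.sql` and `/etc/ipsec.d/ipsec.db` — both of which carry the unencrypted private key seeded by data.sql — are created by the `cat ... > ipsec.sql` redirection and the `cat ... | sqlite3` pipeline with whatever umask the test shell inherits, and no explicit mode is ever set. Adding `moon::chmod 600 /etc/ipsec.d/ipsec.sql /etc/ipsec.d/ipsec.db` and `sun::chmod 600 /etc/ipsec.d/ipsec.sql /etc/ipsec.d/ipsec.db` before the two `ipsec start` lines would keep the key material readable by the owner only, matching what one would expect of ipsec.secrets. As a point of style, `sqlite3 /etc/ipsec.d/ipsec.db < /etc/ipsec.d/ipsec.sql` avoids the extra `cat` and lets the shell report a missing ipsec.sql as an open error rather than feeding sqlite3 empty input.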
@@ -0,0 +1,21 @@
+#!/bin/bash
+#
+# This configuration file provides information on the
+# UML instances used for this test
+
+# All UML instances that are required for this test
+#
+UMLHOSTS="alice venus moon winnetou sun bob"
+
+# Corresponding block diagram
+#
+DIAGRAM="a-v-m-w-s-b.png"
+
+# UML instances on which tcpdump is to be started
+#
+TCPDUMPHOSTS="sun"
+
+# UML instances on which IPsec is started
+# Used for IPsec logging purposes
+#
+IPSECHOSTS="moon sun"
-- cgit v1.2.3